Test | Result | Status |
We tested the mechanical interlock that prevents air to the MCAL-DCU if the FFS-DCU is _not_ retracted (valve on cam). | The brake closes and both air-cylinders are un-pressurized | ok |
We tested the interlocks in the PLC code that prevent opening the MCAL-DCU brake or valves if the FFS-DCU retracted-sensor is _not_ active | The outputs that control the "deploy" / "retract" valves and the brake refuse to activate | ok |
We turned off the power to the PLC in mid-motion | The brake and both valves close, the DCU remained in a stable position. After timeout of the GUI we turned the PLC power back on and recovered the system without a GUI re-start, by commanding the DCU to the retract position | ok. This test also verified that the PLC boots up with all valves and the brake closed |
We disconnected the 'retract' sensor of the FFS-DCU while the MCAL-DCU is midway | The MCAL-brake and both valves close (via interlock in the PLC code). Once the GUI times out, we re-connected the 'retract' sensor and successfully retracted the DCU | ok |
We disconnected one of the solenoid-valves in mid-motion | The DCU coasts to a stop, or drifts slowly towards the 'retract' position, depending on balance. Once the GUI times out and the valve is re-connected the system can be recovered (without any jerky motion) | ok |
We disconnected the air-lines while in mid-motion | The brake closes and the DCU stops | ok. From here we tried 2 scenarios: 1) wait until the GUI times out, re-connect the air and recover; 2) just reconnect the air: the brake releases and the motion continues smoothly |
Any of the failure modes above | We verified that the GUI closes both retract/deploy valves and closes the brake after each of the failure modes above to ensure nothing moves after "fixing the problem" | ok |
None of the failure modes / recoveries caused the DCU to move hard into a stop.
Pato Jones, Christoph Birk (2013-06-20)