Sorta OT: Underwater Sensing; Safety Issues
A bit more on this topic...
Your primary concern with this project *should* be safety. Always keep in
mind, "what would happen if part of this circuit failed?" Well, what WOULD
happen? Any chance someone could be injured? How about destruction of
expensive equipment? What if the power were suddenly cut off when the
conveyor was in transit? Would your Stamp program be "smart" enough to
recover from this situation and continue? Would your Stamp even "know" that
the power had been cut off? What if the Stamp itself were damaged; what
kind of redundant checks are you going to build into the system?
It occurs to me that you need some form of uninterruptible power supply for
your Stamp. This can be constructed quite simply using a rather large
electrolytic capacitor, with a resistor in series to the power supply to
prevent presenting a "dead short" to the power supply when the cap is
completely discharged. A diode with the cathode attached to the + side of
the cap, anode connected to the Stamp's VCC pin could power your Stamp for a
period of time after the power was cut off; allowing your Stamp program to
save current variables to either the internal Eeprom, or an external static
RAM; thus your Stamp would be able to "recover" from such a failure in a
known state. The variables should be written along with a checksum, so that
your Stamp can validate the data.
Idea for a simple UPS for a Stamp: (use Courier New font to display properly)

                                            R3
To Stamp logic input A  o-------------------WWW-----+
                                                    |
                                          CR1       |
To Stamp Vcc            o-----------+-----|<--------+
                                    |               +----o To power supply +5v
                                    |               |
                                    -               |
                                CR2 A               |
                             R2     |    R1         |
To Stamp logic input B  o----WWW----+----WWW--------+
                                    |
                                    |
                                C1 ===
                                    |
                                    |
                                    -
                                    V (ground)
CR1 & CR2; general-purpose rectifier diodes, 10+PIV, >500mA
R1: 470 ohm, 1/4 watt, allows charging C1 at a 10mA rate. Don't charge the
cap too quickly!
R2 & R3: 2k ohm, 1/8 watt, prevents inadvertent burn-out of Stamp circuits
should the ports be selected for output and driven low.
C1: a *big* electrolytic capacitor. 10,000 uF @ 6.3 volts should be
sufficient, but it won't hurt to use a larger one.
Theory of Operation:
Power is turned on, Stamp receives Vcc and 5v on logic input "A" (choose
which data input you'd like to monitor). Stamp begins monitoring logic
input "B" for voltage level; continues to test voltage level and sleep in a
loop until sufficient voltage is available for emergency backup operation.
If during this loop logic input "A" drops to zero, Stamp enters "sleep"
mode. Once acceptable voltage level exists on input "B", the Stamp program
should go about housekeeping chores and monitoring the conveyor. The
program should periodically check the logic level on input "A"; if it's
dropped to zero, save all program variables in external static RAM
(preferred) or to the internal Eeprom (limited life cycle), then enter
"sleep" mode.
Sensor and/or movement failure: your Stamp program should continually
monitor the progress of the conveyor, looping, incrementing a counter, and
testing the sensors. If the conveyor has not reached its expected
checkpoint after a certain period of time, the Stamp should shut down the
conveyor motors and report the error. The binary sequence of the magnets
and reed switch closures is predictable; the Stamp must monitor this
sequence, and take appropriate action if there is a failure of any kind.
This is not an exhaustive analysis of your particular situation; merely an
assertion that you need to ensure that all possible failure modes have been
considered, and that you've dealt with every possibility. Remember; Murphy
rules, and he can be a real S.O.B.
Hope this helps...
Steve
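The checkpoint watchdog Steve describes (count loop passes between checkpoints, compare the reed-switch closures against the predictable sequence, stop the motor on a late or impossible pattern), written out as an added example rather than code from the thread; the two-switch bit layout, the pattern and the timeout are constructed.

```c
/* Conveyor checkpoint watchdog, modelled on Steve's description: the magnet
 * and reed-switch closures form a predictable binary sequence, and the
 * controller counts loop iterations between checkpoints. Added example, not
 * code from the thread; the sensor bit layout, pattern and timeout are
 * constructed. */
#include <stdint.h>
#include <stdio.h>

#define TIMEOUT_TICKS 50u   /* constructed: loop passes allowed between checkpoints */

/* Constructed pattern for two reed switches (bit0 = switch 1, bit1 = switch 2):
 * one carriage pass reads 01 -> 00 -> 10 -> 00 and then repeats. */
static const uint8_t EXPECTED[] = { 0x1, 0x0, 0x2, 0x0 };
#define N_STEPS (sizeof EXPECTED / sizeof EXPECTED[0])

typedef enum { CONVEYOR_RUN, CONVEYOR_STOP_TIMEOUT, CONVEYOR_STOP_BAD_SEQUENCE } action_t;

typedef struct {
    unsigned step;    /* index of the last checkpoint reached */
    unsigned ticks;   /* loop passes since that checkpoint */
    unsigned cycles;  /* completed passes, input for the maintenance counter */
} conveyor_t;

/* Call once per control-loop pass with the current reed-switch mask.
 * Anything other than RUN means: drop the motor output, report the error. */
action_t conveyor_tick(conveyor_t *c, uint8_t sensors)
{
    unsigned next = (c->step + 1) % N_STEPS;
    if (sensors == EXPECTED[next]) {         /* next checkpoint reached in time */
        c->step = next;
        c->ticks = 0;
        if (next == 0) c->cycles++;
        return CONVEYOR_RUN;
    }
    if (sensors != EXPECTED[c->step])        /* a pattern the magnets cannot produce here */
        return CONVEYOR_STOP_BAD_SEQUENCE;
    if (++c->ticks > TIMEOUT_TICKS)          /* still at the old checkpoint: jammed or dead sensor */
        return CONVEYOR_STOP_TIMEOUT;
    return CONVEYOR_RUN;
}

int main(void)
{
    conveyor_t c = { 0, 0, 0 };
    const uint8_t trace[] = { 0x1, 0x1, 0x0, 0x2, 0x0, 0x1, 0x3 }; /* constructed run ending in a fault */
    for (size_t i = 0; i < sizeof trace; i++)
        printf("sensors=%u action=%d step=%u\n", trace[i], (int)conveyor_tick(&c, trace[i]), c.step);
    return 0;
}
```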
Comments
I found a stainless steel prox switch sold by Automation Direct that is
IP68 rated for use under up to 200 and some odd feet of water. This
looks like a good solution -- plus it is simple...
I was unaware that there was actually a designation (IP68) for devices
rated to work under water. I should have done more searching before I
asked.
As for the safety concerns, see below...
On Fri, 5 Oct 2001 10:54:09 -0400 "Steve Wilke" <slwilke@t...>
writes:
> Any chance someone could be injured?
Two tons is not something I would like sitting on top of me, so we are
planning to use an STI light curtain with redundant, force-guided,
self-monitoring relays to interlock the hardware with. Light curtain
broken = loss of power to motor and brake (see below). Controller then
waits for clear condition and operator reset button input before
re-starting motor.
> What if the power were suddenly cut off when the conveyor was in
transit?
If the power goes out the motor brake comes on. It is a failsafe brake
that must be energized via a controller output to allow the motor to
rotate.
Does this satisfy your concerns?
> Does this satisfy your concerns?
<snip>
It sounds as though you're headed in the right direction, have addressed
numerous concerns, and have introduced multiple fail-safes to your project.
I didn't know about the IP68 specification either; I'm only vaguely familiar
with various NEMA-n specifications (the higher the "n" designation, the more
water resistant the device is, with an exponentially higher price).
Since your project does indeed seem to have very significant safety issues,
I strongly suggest that you inquire about the MTBF (Mean Time Between
Failure) and the rated number of operating cycles for the control equipment
for your operating environment. Then cut those numbers in half, and have
your Stamp program keep track of the number of cycles and elapsed time;
stored in non-volatile RAM (I suggest using external static RAM instead of
the Stamp's internal EEprom, as the number of cycles is limited). Once 1/2
the rated number of cycles or time has elapsed, a "periodic maintenance
required" message should be displayed somehow; even on a simple light with
an overlaid message. Your maintenance personnel should be stocked with an
adequate supply of replacement sensors. They should replace all the sensors
at the earliest opportunity, and re-order new sensors for the next cycle or
failure replacement. The cycle count should then be re-set. The operator
of the conveyor should not have the capability to override the expiration of
the safety control equipment.
If the "periodic maintenance required" is ignored for an excessive amount of
time, or excessive number of cycles, the conveyor's operation should be
suspended by your Stamp program until the maintenance takes place.
Don't forget; one day your Stamp will "wear out" too; particularly if your
program writes to the internal EEprom! It would be a good idea to have
several pre-programmed and tested Stamp modules sitting in Maintenance for
that dark day when your Stamp gives up the ghost, to minimalize down-time.
Early replacement of electrical equipment is very typical in the automotive
industry. The Oldsmobile division of GM used to replace every piece of
electrical equipment on their assembly lines every year; as down-time was
much too costly to take a chance on even very high-quality equipment
failures.
Hope this helps...
Steve
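The two bookkeeping pieces Steve asks for, as one added example that is not code from the thread: the checksummed variable record saved to non-volatile RAM while the UPS capacitor holds the Stamp up (first post), and the cycle counter that trips "maintenance required" at half the vendor rating and suspends operation if ignored (this reply). The rated cycle figure, the 10% grace allowance and the use of Fletcher-16 as the checksum are constructed.

```c
/* Checksummed state record for the Stamp's capacitor-UPS save (first post)
 * and the half-rating maintenance gate (last post). Added example, not code
 * from the thread; the rated cycle figure, the 10% grace allowance and the
 * choice of Fletcher-16 as the checksum are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RATED_CYCLES   200000u                /* constructed vendor rating for the sensors */
#define SERVICE_CYCLES (RATED_CYCLES / 2)     /* Steve's rule: cut the rating in half */
#define LOCKOUT_CYCLES (SERVICE_CYCLES + SERVICE_CYCLES / 10)  /* constructed 10% grace */

typedef struct {
    uint32_t cycles;       /* conveyor passes since the sensors were last replaced */
    uint32_t elapsed_s;    /* running time since that replacement (gate it the same way) */
    uint8_t  checkpoint;   /* where the carriage was when input "A" dropped */
    uint8_t  pad;
    uint16_t sum;          /* Fletcher-16 over every field above */
} state_t;
static uint16_t fletcher16(const uint8_t *p, size_t n) {
    uint16_t a = 0, b = 0;
    while (n--) { a = (a + *p++) % 255; b = (b + a) % 255; }
    return (uint16_t)(b << 8 | a);
}

/* Run while the UPS capacitor still holds the Stamp up: checksum, then copy out. */
void state_save(state_t *s, uint8_t *nvram) {
    s->sum = fletcher16((const uint8_t *)s, offsetof(state_t, sum));
    memcpy(nvram, s, sizeof *s);
}

/* Run at power-up. Returns 0 and leaves *s untouched if the record fails validation,
 * so the program falls back to a known initial state instead of trusting garbage. */
int state_load(state_t *s, const uint8_t *nvram) {
    state_t tmp;
    memcpy(&tmp, nvram, sizeof tmp);
    if (fletcher16((const uint8_t *)&tmp, offsetof(state_t, sum)) != tmp.sum) return 0;
    *s = tmp;
    return 1;
}

typedef enum { MAINT_OK, MAINT_DUE, MAINT_LOCKOUT } maint_t;
/* The operator has no path to these counters; only maintenance_done() clears them. */
maint_t maintenance_status(const state_t *s) {
    if (s->cycles >= LOCKOUT_CYCLES) return MAINT_LOCKOUT;  /* "due" ignored: suspend the conveyor */
    if (s->cycles >= SERVICE_CYCLES) return MAINT_DUE;      /* light the "maintenance required" lamp */
    return MAINT_OK;
}

void maintenance_done(state_t *s) { s->cycles = 0; s->elapsed_s = 0; }
```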