Iron Reign’s R2V2 - Safety Features and Protocols

Tags: innovate and control
Personhours: 3

Iron Reign’s R2V2 - Safety Features and Protocols By Coach

Let's robotify this!

What if you took an RV, converted it into a mobile learning lab, and then turned that into a droid? What would you call it? We call it R2V2

Intrinsic Hazards and Safeties
Primary Safety
Backup Safety
Site Safety
Operational Safety

Intrinsic Hazards and Safeties

Intrinsic Hazards

It’s important to keep in mind that our mobile learning lab is based on a Class A motorhome chassis. As such it weighs on the order of 16 tons and represents a real danger with any kind of untrained operation. There is no place for any lack of vigilance and caution for safely operating this vehicle.

Intrinsic Safety

R2V2 has multiple emergency stop overrides and we employ them redundantly in fail-safe modes. The only intrinsic safety lies in the reliable slow motion of the vehicle with max speed under normal human control. The engine will only be run at idle speed and the PSO will only apply acceleration if needed to get the vehicle moving at a walking pace ground travel speed. The acceleration pedal is not automated. People in the test zone will still need to maintain safe distances. Therefore, we have established Operational Safety and Site Safety protocols.

Primary Safety Operator

The Primary Safety Operator (PSO) is our coach, who is the owner and operator of the vehicle and who will always be behind the wheel while the vehicle's engine is on. Only he has the authority to start the engine and operate the gear shifter. He also has the ability to physically override the primary brake and independently operate the parking brake. He is the only one able to apply any force to the accelerator via normal foot control. He is also able to kill power to the whole control system, thereby engaging passive braking and locking the steering.

Remote Safety Operator

The remote safety operator will be a student trained and solely assigned the task of the ensuring safe operations from the outside. Their mandate is to stop the vehicle if they see anything wrong. Their interface is a normal gamepad where they have only two controls, either of which will stop the vehicle. The left trigger is configured as a deadman switch and has to be held in order for unbraking (and therefore motion) to happen. They can also press the red button on the gamepad to stop the opmode, thus idling the unbrake.

Remote Driver

The remote driver also has access to a kill button on their gamepad. They are responsible for starting and stopping automation by controlling the opmode. They can engage in remote steering or enabling automated steering, and can unbrake the vehicle, thereby allowing overrideable movement.

Fail Safes

The brake and steering are the only two systems under automation.

The brake is the real safety system and is designed to fail into braking mode. The brake pedal is continually pushed toward stopping the vehicle by rugged bungees.

Unbraking or counter-braking requires a motor to counteract the passive bungee tension and allow the brake pedal to release.

If power fails to the counter braking motor, the tension in the bungees is enough to back-drive the motor and apply pressure to the vehicle's brake pedal.

If the control system locks up with counterbraking applied and doesn't respond to any of the kill commands, the Primary Safety Operator still has the ability to overpower the counterbrake motor. The motor simply doesn't have the torque needed to compete with a human leg. As stated elsewhere, 3 people have access to multiple means of shutting down the control system and we find this extremely unlikely, but are keeping this potential failure mode in mind.

The steering motor simply locks up in any kind of failure mode. The gear ratio is approximately 200:1 and the gentle natural tendency of the steering column to center when no input is applied is insufficient to back-drive the steering input. There are too many factors to decide how steering should be applied in an emergency situation. So we decided to take steering out of the equation and simply rely on stopping the vehicle while locking the steering motor. Removing power, killing the opmode and not receiving continuous unbraking commands all result in engaging braking and locking steering to the current angle.

All of the above are testable both off the vehicle and while installed.

We can’t say it’s impossible for the control software stack to crash in a state where it continues to send a safety-disengage PWM position signal. We’ve never seen it happen and we believe it’s prevented by the interaction of the firmware and the app – but we can’t say it’s impossible. It’s also possible to imagine a freak condition where the servo gearbox breaks and locks up in the safety-disengaged position. So we decided to create a redundant backup safety.

Site Safety

Site safety speaks to conditions of the site and surrounding properties that informs the risk to people and property.

The site is the backyard 3 acres of our coach’s residence and the primary structure on the site is the home itself (blue oval, below). The site slopes downhill fairly steeply from the back of the house to the creek that cuts all the way across the property at the bottom (right side in the image). The site is heavily forested with the exception of an open glade, a clearing for a future workshop, and a gravel driveway connecting them uphill to the main driveway for the residence.

With the exception of the driveway, the open areas are surrounded by impassable forest (yellow line in the overhead shot below). By impassible we mean that the R2V2 would stall on trees and undergrowth within 10 feet if it tried to push through the surrounding brush. In addition to the forest/undergrowth, all of the neighbor’s properties are further isolated by being either significantly upslope or on the other side of the creek. The creek has cut an impassable 20 foot sudden drop across the property’s southern border, effectively creating a moat that would protect the only neighbor property that is downslope. Right now there is no path to the creek that R2V2 could take.

The future workshop site (white oval) is the only area that the R2V2 will be allowed to operate in. The ground there is mostly level and compacted. Still, team members need to keep this area clear of possible stumbling hazards. We will refer to this area as the arena.

Operational Safety

Operational Safety consists of the training and protocols that will be followed to assure minimal risk to the participants.

R2V2 will only be operated on a closed course like the arena. Closed means that we have good control and awareness of all souls on a private course and no other vehicles are moving.
Our coach will always be present and supervising operations. The vehicle will only be started by coach.
There will be a minimum of three operators, the Primary Safety Operator, a Remote Safety Operator and a Remote Driver. These roles were defined above.
Additional spotters will be able to call out safety concerns by issuing a Halt call and hand signal.
Every session will begin with a meeting to discuss all planned movements to be sure that everyone in the area knows what to expect as well as what could go wrong and to address specific safety concerns.
While we may use "movie magic" to make it appear otherwise, no participant will be allowed to approach closer than 25ft to the path of the (slowly) moving vehicle
The vehicle will be kept to a maximum speed of about 5mph (jogging speed) when under automation

Date | August 11, 2023

Iron Reign Robotics

Please help support our team! $40 buys a motor, $55 buys a new battery, $150 adds controllers and sensors, $500 pays tournament fees, $750 upgrades our chassis