Let's not do this!
Intrinsic Hazards and Safeties
Intrinsic Hazards and Safeties
It’s important to keep in mind that with a 3 to 4 ton class mini excavator we are dealing with forces that can crush and pull down trees, destroy structures and potentially end lives. There is no place for any lack of vigilance and caution for safely operating this machine.
The machine has two emergency stop controls and we employ them redundantly in fail-safe modes. The only intrinsic safety lies in the reliable slow motion of the machine. The engine will only be run at idle speed. Its normal ground travel speed is equivalent to a slow walk and it cannot move faster than an able bodied person can run. There are still cautions around this. Swinging the arm when extended can cover a lot of ground quickly. People need to maintain safe distances. Therefore, we have established Operational Safety and Site Safety protocols.
The Primary Safety functions as a lock-out of the hydraulic pump. When the safety is engaged, no part of the excavator will move with the possible exception of a very slow sag of heavy components to the ground. For example, the bucket and arm may sag by a few millimeters per second if they were left off the ground.
The Primary Safety is constantly engaged by a rugged bungie. To disengage the safety (UnSafed – therefore hydraulics activated) a servo can actively hold the safety lever down.
We can’t say it’s impossible for the control software stack to crash in a state where it continues to send a safety-disengage PWM position signal. We’ve never seen it happen and we believe it’s prevented by the interaction of the firmware and the app – but we can’t say it’s impossible. It’s also possible to imagine a freak condition where the servo gearbox breaks and locks up in the safety-disengaged position. So we decided to create a redundant backup safety.
The Backup Safety uses similar fail-safe design principles as the Primary, but it is completely independent of the normal control system.
The Backup Safety is operated through an independent standard RC (digital radio control) transmitter and receiver.
- The Backup Safety kills the engine when it is Safety-Engaged.
- The Backup Safety is also normally pulled into its Safety-Engaged position by a tensioning system.
- To suppress/disengage the Backup Safety, a servo can hold the kill switch in the down position.
- The servo is configured as a deadman switch – the operator (a different operator than the Primary Safety operator) needs to continuously squeeze the throttle on the RC transmitter for the servo to remain in the Safety-Disengaged position. The throttle is spring loaded to return to Safety-Engaged.
- If the servo or loses power or browns out, the bungie will pull the safety back into the engaged position.
- If the RC receiver stops receiving active disengage commands from the transmitter, the safety will re-engage. This covers out-of-range conditions. It also applies when the transmitter is turned off.
- We specifically chose a digital servo that does NOT have a memory of the last good position signal. Some digital servos will continue to hold the last position they received if they continue to receive power. The servo we chose does not have this feature, so if the PWM position signal fails for any reason, but power remains on, the servo will fail to hold position and the safety will re-engage.
- All of the above have been tested
Site safety speaks to conditions of the site and surrounding properties that informs the risk to people and property.
The site is the backyard 3 acres of our coach’s residence and the primary structure on the site is the home itself (blue oval, below). The site slopes downhill fairly steeply from the back of the house to the creek that cuts all the way across the property at the bottom (right side in the image). The site is heavily forested with the exception of an open glade, a clearing for a future workshop, and a gravel driveway connecting them uphill to the main driveway for the residence.With the exception of the driveway, the open areas are surrounded by impassable forest (yellow line in the overhead shot below). By impassible we mean that the excavator would stall on trees and undergrowth within 10 feet if it tried to push through the surrounding brush without skillfully employing the arm and bucket to uproot the vegetation. In addition to the forest/undergrowth, all of the neighbor’s properties are further isolated by being either significantly upslope or on the other side of the creek. The creek has cut an impassable 20 foot sudden drop across the property’s southern border, effectively creating a moat that would protect the only neighbor property that is downslope. Right now there is no path to the creek that the Mechavator could take.
The future workshop site (white oval) is the only area that the Mechavator will be allowed to operate in. The ground there is mostly loose soil but does have rocks, mounds and branches that should be treated as trip hazards. Team members need to be aware of the terrain at all times. We will refer to this area as the arena.
Operational Safety consists of the training and protocols that will be followed to assure minimal risk to the participants.
- Mechavator will only be operated in the arena.
- Our coach will always be present and supervising operations. The machine may not be started without an OK by coach.
- There will be a minimum of two operators, a driver and a safety operator. The primary driver will operate either the arm or the chassis as well as the primary safety. The safety operator will operate the backup safety and is primarily responsible for nothing but safe operations of the vehicle.
- A secondary driver is required if the plan calls for operating the chassis and the arm at the same time.
- Every session will begin with a meeting to discuss all planned movements to be sure that everyone in the area knows what to expect as well as what could go wrong and to address specific safety concerns.