1. FMEA sheet, current measures and recommended actions (last page of the appendix):
- Recommended action: verify that the ANT watchdog is activated properly by killing the driving safeguard on purpose.
- Current measures: bumper to stop the robot in case of collision at bumper level; press the wireless E-stop button before collision; press the E-stop button. Recommended action: thorough software testing, also in simulation, and code reviews; keep the code as simple as possible.
- Current measures: bumper to stop the robot in case of collision at bumper level; press the wireless E-stop button before collision; press the E-stop button. Recommended action: implement an RGB-D collision checker that also sees obstacles below and above the laser plane. The operator with the wireless E-stop must always watch out for obstacles that the laser might not see (children or luggage on the floor, information screens mounted above laser height, etc.).
2. Figure 2: Analysis of the bumpers (spreadsheet, continued).
Force: inputs are the motor's maximum continuous torque, the motor's maximum peak torque and the wheel diameter. Continuous force: 103.2258064 N. Peak force: 309.6774193 N.
Pressure, Case 1: a leg blocked between the platform and a wall, contact surface 20 x 5 cm = 100 cm². Continuous pressure: 1.032258064 N/cm². Peak pressure: 3.096774193 N/cm².
Conclusion: the pressure applied by the bumper on the body is acceptable. The bumper is useful if the speed of the platform is < 0.28 m/s. If 60 kg of battery is removed, a speed of 0.32 m/s is acceptable. Force is not relevant because of the large surface of the bumpers.

From the measures given in the table, a maximum speed of 0.28 m/s resulted at which safe operation of the bumpers can be guaranteed. Furthermore, the potential pressure applied to an object or a human leg that is blocked between the platform and a wall is given and classified as acceptable, as it is comparably low. To verify this, we performed a test in which the robot collided with a human who was standing in front of a wall. As determined by the calculations, the resulting pressure was low enough not to cause any injuries.

Figure 3: Safety zones of the collision checker around the SPENCER robot. Error zone in red, warning zone in yellow.

4 Immediate Safety Measures
As an outcome of the FMEA performed at the Integration Meeting, the following immediate measures have been taken and will be taken in our future work.
3. Figure 1: Frequency/risk table.
Frequency classes: Frequent (1 per week or more often); Occasional (1 per month); Infrequent (1 per year); Improbable (1 per 10 years); Almost impossible (once in the life of the robot).
Severity classes (effect on persons / effect on the platform): No effect on persons and on the platform; Curable injury without incapacity to work / reversible, no visible damage to the platform; Curable injury with incapacity to work, needing medical care / reversible slight damage to the platform, on-site repair possible; Slight permanent injury to health / irreversible damage to the platform, technician intervention needed; Severe permanent injury to health / irreversible heavy damage to the platform, repair at factory; Death / platform destroyed.
Legend: green cells denote acceptable risk, red cells unacceptable risk.
All potentially occurring failure cases are classified into the 5 frequency and the 5 severity classes as specified in the table. From the combination of severity and frequency, an acceptability of the incurred risk is derived: red boxes denote unacceptable risks, green boxes represent acceptable risks.

2 Failure Mode and Effects Analysis
The Failure Mode and Effects Analysis (FMEA) is a formal tool to determine potential issues with respect to the safety of a given system, in our case the mobile robot platform, and to find measures to solve these issues.
4. The software emergency stop status bit has to be cleared explicitly by user input before any further drive motion can be executed.

The integration of an RGB-D based obstacle detection module, to also detect obstacles at or below laser height, is planned. It is supposed to function in a similar fashion, with a warning and an error zone. This is ongoing work, and we expect a collision checker based on 3D data to be operational in Integration Week IV at the latest.

Braking tests were performed during the Integration Meeting by placing an obstacle in front of the robot platform at laser height, as well as by manual triggering via the wireless emergency stop. An example of such a braking test can be seen in a video on the SPENCER web site (see http://spencer.eu/videos/braking_test1.mp4). The braking distance of the robot was found to be currently too long (20-40 cm at velocities higher than 0.7 m/s), which is due to a too shallow deceleration ramp configured in the motor controllers. This configuration will be changed so that a faster braking maneuver can be performed. We will address this for the next Integration Week III, where we will repeat the braking tests with the modified deceleration ramps. As a further measure, we are considering the necessity to increase the thickness of the foam layer on the bumpers, if additional brake tests give us evidence to do so.
5. FMEA sheet, current measures and recommended actions (continued):
- Press the wireless E-stop; press the E-stop button. Indicate in the user manual that obstacles above the bumper will not be detected.
- Ask the user to check that the safety LED is ON when the door is open.
- Bumper to stop the robot in case of collision; press the wireless E-stop button; press the E-stop button. Analyze bumper efficiency.
- Regularly check that both relays are working properly by inspecting the LEDs, to ensure redundancy; document this in the manual.
- Bumper to stop the robot in case of collision; press the wireless E-stop button; press the E-stop button. Analyze bumper efficiency.
- Ask the user to check that the safety LED is ON when the door is open.
- Press the wireless E-stop button; press the other E-stop.
- Press the wireless E-stop button; press the E-stop button. Analyze bumper efficiency. Ask the user to check the bumpers at start-up.

Stability (potential failure mode; cause; effect):
- Vehicle tilting; high speed in a curve; platform does not tilt, center of gravity low enough.
- Vehicle tilting; powerful braking during emergency stop; platform does not tilt, center of gravity low enough.
- Vehicle tilting; steep slope; potential tilting.
- Vehicle tilting; child on the platform, someone pushing or pulling the platform, children climbing the platform; platform will tilt but not fall, center of gravity low enough. Obstacle seen by the laser scanner, platform does not move.
- Liquid in the platform (row continued on the next page of the sheet).
6. FMEA sheet (continued):
- Obstacle detection (ROS): does not detect obstacles; cause: obstacle below or above the laser plane; effect: potential collision.

Current measures and recommended actions for the stability rows:
- High speed in a curve: obstacle avoidance will decrease the speed if obstacles are in the surroundings. Recommended: curve at high speed to be tested in a secured area; if the test fails, reduce the maximum allowed speed.
- Powerful braking during emergency stop: obstacle avoidance will decrease the speed if obstacles are in the surroundings; emergency stop buttons. Recommended: emergency stop to be tested at maximum speed in a secured area; if the test fails, reduce the maximum allowed speed.
- Steep slope: block the robot from excessive slopes. Recommended: document the maximum allowed slope that the platform can drive upon.
- Someone pushing or pulling the platform: the person with the wireless emergency stop button must stop this action.
- Children climbing the platform: the person with the wireless emergency stop must remove the child.

Current measures and recommended actions for the driving safeguard and obstacle detection rows:
- Obstacle detection to stop the robot; bumper to stop the robot; press the wireless E-stop button; press the E-stop button. Recommended: the operator with the wireless E-stop must closely monitor the robot's behavior, especially in the vicinity of humans.
- Bumper to stop the robot in case of collision at bumper level; press the wireless E-stop button; press the E-stop button. Recommended: thorough software testing, also in simulation, and code reviews; keep the code as simple as possible; the operator with the wireless E-stop must closely monitor the robot's behavior, especially in the vicinity of humans.
- Obstacle detection to stop the robot; bumper to stop the robot in case of collision at bumper level; press the wireless E-stop button; press the E-stop button.
7. FMEA sheet (continued):
- Liquid in the platform; cause: liquid spilled by someone; effect: short circuit in the electrical circuit, main fuse burns, laptop can be destroyed.

Driving safeguard (ROS):
- Does not receive commands from the planner; cause: motion planner crash, software bug, network problem; effect: the driving safeguard detects a timeout after 100 ms, speed commands are set to 0, and the platform stops within the braking distance.
- Receives wrong commands from the planner; cause: planning failure, software bug, network problem; effect: low risk of collision, since low-level obstacle detection is still active.
- Sends bad commands; cause: software bug in the driving safeguard; effect: potential collision.
- Sends no commands, or does not receive sensor input; cause: crash of the driving safeguard, network issue, laser driver crashed; effect: potential collision, but the ANT watchdog will detect a timeout after 100 ms, and the platform stops within the braking distance.

Obstacle detection (ROS):
- Stops sending obstacle status messages; effect: the driving safeguard detects a timeout after 100 ms, speed commands are set to 0, and the platform stops within the braking distance.
- Sends wrong obstacle status messages; cause: software bug; effect: potential collision.
- Sends no obstacle status messages; cause: crash, software bug, missing sensor input; effect: the driving safeguard detects a timeout after 100 ms, speed commands are set to 0, and the platform stops within the braking distance.
- Does not detect obstacles (row continued on the next page of the sheet).
8. In particular, stairs and overhanging obstacles above the laser plane are hard to detect. The current solution to this problem is to restrict access to certain areas by annotating them in the map (defining no-go areas). Furthermore, and most importantly, the robot is equipped with a remote switch, a safety-certified radio emergency button, to stop the robot. In general, we note that the last resort for any kind of failure case are the emergency stop buttons on the platform and the certified remote button, by which the platform can be stopped immediately at any time. This remote emergency stop button is held by a dedicated person who is instructed to always maintain a free line of sight to the platform and the environment in the immediate vicinity of the robot. Also, this person must not be distracted by other tasks or by other people (e.g. having conversations) during operation. Thus, technically, the person holding the certified remote emergency button can be seen as the driver of the platform. In addition to this important safety component, we established further measures, described in Sec. 4, as we want to reduce the need for intervention by the operator without sacrificing safety.

3 Analysis of the Bumpers
In addition to the general FMEA, we particularly analysed the usefulness of the bumpers on the robot platform.
9. The spreadsheet used in this analysis is given in Fig. 2.

Table 1: What-if questions (question / answer)
- What happens if the robot batteries run empty? The ANT system detects the low battery level and stops the robot.
- What if, prior to that, the laptops run out of battery, e.g. because they are not properly powered from the robot? The ANT watchdog detects the communication problem; the robot is stopped.
- What if any of the robot PCs crashes or freezes? Or a laptop? The ANT watchdog detects the communication problem; the robot is stopped.
- What if any of the sensor cables comes loose while moving, or is not properly connected while e.g. inserting the laptops? Laser communication is checked by ANT; the robot is stopped if the laser sends no data.
- What if one of the wheel encoder cables comes loose or breaks? A fallback mechanism implemented in ROS checks whether the wheel encoder values do not change although the robot should be moving; if so, it sends an emergency stop command.
- What if any of the software components responsible for obstacle avoidance crashes? If no commands are sent, the driving safeguard stops the robot after 100 ms. If wrong commands are sent, the robot is stopped remotely.
- What if localization fails? The driving safeguard checks for big jumps in motion commands and limits the velocity.
10. FMEA sheet (continued):
- Communication issue detected by ANT; the ANT-ok signal opens the safety loop.

Laser scanner and wireless E-stop device:
- Bad information sent by the scanner / device not working; cause: internal scanner failure / failure of the device; effect: potential wrong movement of the platform, potential collision; measure: PL e/d, SIL 2 safety components; the safety loop is opened.
- Remote control out of range; cause: operator too far from the robot; measure: the distance to the remote device is monitored; the safety loop is opened.

Safety loop:
- Any relay blocked; cause: failure of a relay; effect: redundancy, the safety loop opens, the platform won't move.
- Any relay blocked closed; cause: failure of a relay; effect: redundancy, the safety loop opens, the platform won't move.
- E-stop button does not open the safety line; cause: switch failure; effect: emergency stop button failure, the platform does not stop, potential collision; measure: redundancy, the safety loop opens, the platform won't move.
- Door closed not detected; cause: cable broken, switch broken open; effect: safety loop open, the platform won't start.
- Door open not detected; cause: cable short circuit, switch broken closed; effect: the platform may move with the door open; for a broken cable, redundancy: the safety loop opens, the platform won't move.
- Bumper pressed not detected; cause: cable broken; measure: NC circuit, bumper considered pressed; redundancy (2 cables), safety loop opened.
- Bumper pressed not detected; cause: switch broken in open position; measure: NC circuit, bumper considered pressed; redundancy (2 cables), safety loop opened.
- Bumper pressed not detected; bumper not detecting obstacle; line touching the chassis, 24 V touching the chassis (rows continued on the next page of the sheet).
11. Table 1: What-if questions (continued)
- How does the robot detect obstacles below laser height, such as very small children? Currently there is no detection below the laser plane; the robot is stopped remotely. An RGB-D based collision checker is under development.
- How does the robot avoid driving onto stairs (esp. with negative inclination) and escalators? The stairs will be marked in the map. If the robot still approaches stairs, the remote emergency button will be pressed.
- How to prevent the robot from driving onto horizontal escalators (moving sidewalks)? Same as stairs.
- How does the robot detect and avoid driving into glass surfaces (e.g. the elevators)? Same as stairs.
- Can children climb onto the robot's base? Will the robot still drive? The collision checker detects children and stops the robot. If not, the robot will be stopped remotely.
- Can the robot fall over by pushing it or climbing onto it? No, the center of gravity is low enough.
- Is it possible to spill liquids into the robot, possibly causing an electrical short? The main fuse burns; computers can be damaged.
- Who takes over the responsibility of operating the wireless emergency stop? A dedicated person who is sufficiently instructed and must not be distracted.

Bumper analysis (table within the Fig. 2 spreadsheet): limitation of efforts and of energy.
- Max pressure (max effort): 150 N/cm²
- Max kinetic energy: (limit cell)
- Platform weight: 130 kg
- Vmax: 1.8 m/s
- Ecin at Vmax: 210.6 J (= ½ · 130 kg · (1.8 m/s)²)
- followed by a table of Ecin against V
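The bumper figures of Fig. 2 and the table above, worked through as an added Python example; it is not the consortium's spreadsheet. Given on the page are the 130 kg platform mass, the 1.8 m/s vmax, the 20 x 5 cm contact surface, the 150 N/cm² pressure bound, the continuous and peak forces of 103.2258 N and 309.6774 N, and the 0.28 m/s bumper speed limit. The motor torques (16 Nm continuous, 48 Nm peak) and the 0.31 m wheel diameter are assumptions, not values from the report: they are chosen because they reproduce the quoted forces through F = 2T/d with d the wheel diameter. The energy bound from which the 0.28 m/s limit was derived is not on the page, so the example reports the kinetic energy at that speed rather than deriving the speed.

```python
"""Bumper contact analysis in the style of Fig. 2 (added example, not the
SPENCER spreadsheet).

Report values: 130 kg, vmax 1.8 m/s, 20 x 5 cm contact surface, 150 N/cm^2
pressure bound, 0.28 m/s bumper speed limit.  Assumed, not on the page:
16 Nm / 48 Nm motor torque and a 0.31 m wheel diameter, picked because
they reproduce the report's 103.2258 N / 309.6774 N via F = 2T/d.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Platform:
    mass_kg: float
    wheel_diameter_m: float   # assumed
    cont_torque_nm: float     # assumed
    peak_torque_nm: float     # assumed


SPENCER = Platform(mass_kg=130.0, wheel_diameter_m=0.31,
                   cont_torque_nm=16.0, peak_torque_nm=48.0)
CONTACT_AREA_CM2 = 20.0 * 5.0      # Case 1: a leg blocked against a wall
MAX_PRESSURE_N_PER_CM2 = 150.0     # "max effort" bound from the table
V_MAX = 1.8
V_BUMPER_SAFE = 0.28


def wheel_force(torque_nm: float, diameter_m: float) -> float:
    """Tangential force the drive can push with: F = T / r = 2T / d."""
    return 2.0 * torque_nm / diameter_m


def contact_pressure(force_n: float, area_cm2: float) -> float:
    """Pressure on a trapped body part, in N/cm^2 (the table's unit)."""
    return force_n / area_cm2


def kinetic_energy(mass_kg: float, v: float) -> float:
    """E_cin = 1/2 m v^2."""
    return 0.5 * mass_kg * v * v


def bumper_analysis(p: Platform, area_cm2: float = CONTACT_AREA_CM2) -> dict:
    """Recompute the Fig. 2 cells and check them against the pressure bound."""
    f_cont = wheel_force(p.cont_torque_nm, p.wheel_diameter_m)
    f_peak = wheel_force(p.peak_torque_nm, p.wheel_diameter_m)
    p_cont = contact_pressure(f_cont, area_cm2)
    p_peak = contact_pressure(f_peak, area_cm2)
    return {
        "continuous_force_N": f_cont,
        "peak_force_N": f_peak,
        "continuous_pressure_N_cm2": p_cont,
        "peak_pressure_N_cm2": p_peak,
        # Even the peak pressure is about 50x below the 150 N/cm^2 bound,
        # which is why the report calls the trapped-leg case acceptable.
        "pressure_acceptable": p_peak <= MAX_PRESSURE_N_PER_CM2,
        "energy_at_vmax_J": kinetic_energy(p.mass_kg, V_MAX),
        "energy_at_bumper_limit_J": kinetic_energy(p.mass_kg, V_BUMPER_SAFE),
    }


if __name__ == "__main__":
    for key, value in bumper_analysis(SPENCER).items():
        print(f"{key}: {value}")
```

The pressure check reproduces the table's 1.03 N/cm² and 3.10 N/cm² figures; the energy figures show why the speed limit, not the force, is the binding constraint: at vmax the platform carries 210.6 J, at the 0.28 m/s bumper limit only about 5 J, so the foam bumper only has a chance of absorbing a collision at the lower speed.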
12. 5 Conclusions
We performed a detailed analysis of the potential failure cases of the robot platform, as well as their potential impacts and possible measures to mitigate them. Apart from the safety-certified remote button, which is already an integral component by which the robot can be stopped at any time, we established several immediate safety measures, which have already been or are being implemented. The ongoing measures are an extended collision checker based on 3D data from a forward-looking RGB-D sensor, and better configurations of the drive motor controllers that allow for steeper deceleration ramps. Both measures will be implemented and tested during Integration Weeks III and IV, respectively.

Appendix: FMEA Table
The FMEA sheet used for this safety audit is shown on the following pages. Columns: component / functionality; potential failure mode; potential failure cause; potential failure effect; severity.

SPENCER software in general:
- Bad command sent to the ANT box; cause: computation failure, bug in software; effect: wrong movement of the platform, potential collision.
- Stairs not detected; cause: perception problem, bug in software; effect: robot falls down the stairs, potentially crushing people.
- Obstacle at the height of the bumpers not detected by sensors; cause: perception problem, bug in software; effect: potential collision.
- Obstacles above the bumpers not detected by sensors; cause: perception problem, bug in software; effect: potential collision.
13. We implemented and tested a collision checker which acts as a virtual bumper. This module is also described in deliverables D5.3 and D6.2. It consists of two ROS-based software components: a laser-based low-level obstacle detection module and a driving safeguard. The former module detects any obstacles at laser height within a warning zone and an error zone. When an obstacle is detected in the warning zone, which starts at 60 cm in front of the robot in its direction of travel and 20 cm to the sides, the linear velocity of the robot is limited to at most 0.3 m/s by the driving safeguard (see Fig. 3). The angular velocity is scaled down accordingly. The error zone begins at 35 cm in front of and 3 cm to the sides of the robot and prohibits any motion. Movement in the backward direction is still allowed if the rear is clear, and vice versa. Sharp turning on the spot is only allowed if both front and rear are clear. The mentioned parameters are still subject to additional fine-tuning. The reaction time of the system was estimated in experiments to be around 50-100 ms. The driving safeguard also monitors for timeouts of the collision status or velocity commands and prompts the robot to stop immediately in case a timeout occurs. Lastly, any high-level component running on the SPENCER robot platform can ask the driving safeguard to trigger a software emergency stop in case something unexpected happens.
14. SPENCER, grant agreement no. FP7-600877: Social situation-aware perception and action for cognitive robots. Project start: April 1, 2013. Duration: 3 years.
Safety Audit Supplementary Report. Due date: month 19 (October 2014). Lead contractor organization: BLUE. Dissemination level: PUBLIC. ICT FP7-600877 SPENCER, Deliverable D6.6.

Contents: 1 Introduction; 2 Failure Mode and Effects Analysis; 3 Analysis of the Bumpers; 4 Immediate Safety Measures; 5 Conclusions.

Abstract
This report documents the tests and measures undertaken by the SPENCER consortium to provide a formal analysis of the potential failure modes of the robot platform used in the project. To do this we utilize an established method, Failure Mode and Effects Analysis (FMEA). The result of this analysis, as well as the consequential safety measures that we have taken, are given in this report.

1 Introduction
During Integration Week II in Toulouse, representatives of the four partners (BLUE, CNRS, ALU-FR and TUM) performed a formal analysis of the safety aspects of the SPENCER robot platform. The major part of this was the application of a Failure Mode and Effects Analysis, as explained in the next section. Furthermore, BLUE performed a thorough analysis of the usefulness of the bumpers (see Sec. 3), and we established immediate measures to take for improved safety. Details are given in Sec. 4.
15. FMEA sheet (continued):
Bumpers:
- Bumper pressed not detected; cause: switch blocked or broken in closed position; effect: the platform does not stop, potential collision.
- Bumper not detecting obstacle; cause: obstacle too light; effect: collision with the obstacle.
Power supplies:
- 24 V line touching the chassis; cause: broken cable; effect: short circuit; the internal protection of the power supplies cuts power, main fuse burns.
Batteries:
- Batteries empty while the robot is in movement; cause: not being recharged; effect: ANT detects the battery level, first gives a warning, then the ANT-ok signal opens the safety loop.
- Some battery connectors unplugged; cause: human error; effect: still 24 V available, but 1/2 capacity.
- All batteries not connected; cause: human error; effect: only 12 V available; ANT detects battery low, the ANT-ok signal opens the safety loop.

Columns: current measure; detection ranking; recommended action.
- Current measures: bumper to stop the robot in case of collision at bumper level; press the wireless E-stop button; press the E-stop button. Recommended actions: analyze bumper efficiency; to be documented; indicate in the user manual that (1) new software must be validated in a safe, unpopulated area, and (2) tests in populated areas must be done with validated software.
- Current measures: press the wireless E-stop; press the E-stop button. Recommended action: indicate in the user manual that the robot has no fall-protection sensor; before deployment in a populated area, check for stairs and protect them.
- Current measures: bumper to stop the robot in case of collision; press the wireless E-stop button; press the E-stop button. Recommended action: analyze bumper efficiency.
- Recommended action: indicate in the user manual that objects out of the laser scanner plane will not be detected.
16. FMEA sheet (continued):
SPENCER software in general:
- Movement command sent during charging; cause: bug in software, bad manipulation; effect: the safety loop is opened when the charger is plugged in (platform door open), so the platform doesn't move.
Motion controllers:
- Communication problem with ANT; cause: cable broken, network problem, software problem; effect: watchdog, communication problem detected by ANT, safety loop opens.
- Wrong command executed by the motor; cause: controller crash, hardware failure; effect: ANT detects an odometry issue, the ANT-ok signal opens the safety loop.
- Does not activate the brake when commanded; cause: controller crash, hardware failure; effect: commanded speed 0, the motor stops.
- Wrong command and brake not activated; cause: controller crash, hardware failure; effect: the robot turns on itself, potential risk of collision.
- Wrong command and brake not activated on both motors; cause: 2x controller crash, hardware failure; effect: wrong movement of the platform, potential collision.
ANT lite (further components on this page of the sheet: wireless E-stop, safety loop, power supplies, batteries):
- CAN communication not working / bad command sent to the motor controllers; cause: cable broken, bug in ANT software, hardware failure; effect: CAN issue detected by ANT, the ANT-ok signal opens the safety loop; otherwise wrong movement of the platform, potential collision.
- ANT-ok signal not activated; cause: bad communication with the ANT box, bug in ANT software, hardware failure, scanner problem (cable broken, perturbations); effect: safety loop not activated, potential collision.
17. The main steps of this analysis are a component-wise listing of all potential failure modes, an assignment of severity and frequency levels to each such failure mode, and the determination of actions to solve each failure mode. The result of the FMEA performed for the SPENCER platform is shown in the appendix. In addition, we also provide a list of what-if questions in Table 1, which gives a more natural summary. However, we note that the formal FMEA sheet in the appendix is more detailed and should be used for reference. It also provides a quantification of the different failure modes based on the different levels of severity and frequency, as given in Fig. 1. There we see the 5 different levels we defined both for severity and for frequency. We also classified each failure mode into acceptable risk and unacceptable risk; this classification was done based on the combination of frequency and severity, as also shown in Fig. 1, where red cells correspond to unacceptable risks and green cells to acceptable risks. A summary interpretation of the resulting FMEA table (see appendix) is given as follows:
- Most failure modes have acceptable risks, either because their severity is comparably low or because they occur too seldom to be considered unacceptable.
- The failure modes to which we assigned an unacceptable risk mainly concern higher-level software components, and much less the low-level components. This means that, as long as the low-level components, including the sensors, the actuators and the collision-avoidance module, work reliably, many failures of the higher-level components can be handled.
