Safety

Can I ask what safety schemes of conformity the RMCs conform to? Do they have a safety rating? What is the MTBF? This information is vital for safety planning.

Thank you
Pete

UL, CSA, CE. The RMC150 can be rated for Class 1 div 2 for oil patch work.
I don’t know the MTBF statistics.
The MTBF stats can be calculated but there is little resemblance between the MTBF calculations and reality or even what is desirable. For instance, we add parts (transorbs) that are meant to absorb energy and fail to protect the rest of the board. Technically every part reduces the MTBF but these parts we add save the motion controller from serious damage and can be replaced easily whereas the surface mounted parts are not.
Most failures occur from external events: wiring mistakes and electrical surges such as lightning strikes and welding.

To calculate the MTBF we need to know the MTBF of every part on the board. In some cases this data isn’t accurate or available.

As for the motion control safety we provided the error bits and the means to auto stop in a few different ways depending on the application.

Thanks for your reply, I now understand the difficulty in working out a safety level and how it may or may not reflect real world usage.

In regards to the error bits, such as a fault with an encoder, would it be acceptable for a safety PLC to read these error bits and act accordingly? Or does the safety PLC need to monitor the encoders directly?

What I am trying to figure out is if I would need a safety PLC to directly monitor the encoders and calculate speeds, accel, decel, for errors or if the RMC is safe enough to be relied upon and for the safety PLC to just monitor the RMC?

My potential application may involve moving people and I need to ascertain if I need to monitor the whole system or let the RMC do the monitoring and just use the safety PLC to read the status bits and take appropriate action.

Thanks for all your help
Pete B

Our controller is used at Universal Studios in Orlando, Florida. The ride used to be Jimmy Neutron but I have heard the ride has been changed.
This ride is the most or one of the most reliable rides they have.
I will have to get all the details but I know the feedback was analog. I will need to ask the person that helped with that application.
Since a ride doesn’t require precision, analog was used. It may be the analog feedbacks went to both our controller and the PLC.

This application did not use Ethernet. Just analog feedback.
I will try to get more details during the week.

In most other applications with a PLC the PLC monitors the status and error bits and handles fault conditions by sending commands over Ethernet to the PLC. The RMC150 does have two digital inputs that people have used as run/stop and fault inputs.

A user program can continually check communication status. If communications fail then the RMC can stop the axes. There are multiple options available.

In the Universal Studios application the PLC provided the RMC with an analog reference to follow. The RMC was just a slave “geared” to this reference. The feedback positions went to both the RMC and the PLC so the PLC knew where each axis was supposed to be and compared the reference position to the actual feedback position.

Pete B,

If you need to conform to any safety standards, you will likely need a safety-rated controller. The RMC is not designed to be a safety controller. In a hydraulic system, one of the main safety features is blocking and dump valves, and a safety controller would typically control these valves and be connected to all the ingress detection components and logic controllers, as well as to the RMC.

If you really need some MTBF numbers, we have calculated some based on failure rates in the field, and may be able to dig some up for you. We have found that those MTBF numbers are most useful just for filling in paperwork that may require it. In practice, the reported failure rate (not caused by external factors) of the RMCs is very roughly one or two percent of all RMCs that have been produced. Also, failure rates can change with every batch of each electronic part that makes up the RMC. We have no way of calculating or knowing this, so any MTBF we provide can change significantly anyhow.

Thank you Peter and Jacob for your helpful replies.

Hi Jacob, what time frame is that failure rate based on? All products will have a 100% failure rate given enough time!

One very simple option I see is to program the RMC to always have an output high during normal operation and turn this output off when a status bit error occurs. A safety PLC would always look for this and take action such as shut off valves and dumping. Even if the RMC crashed and reset this output would be switched off.

Does the above sound like a safe method? Are there any issues apart from an error in the user program (such as a stuck loop) that would cause this input to stay high during an error with the rig or the RMC?

Thanks
Pete

P.S. Any MTBF numbers available would be great to have.
Thanks

Many, probably most RMCs never fail. They are “retired”. Failure depends on so many things like not getting hit by lightning, being in a fire, welding next to the feedback lines, poor power regulation etc.

Yes, I mentioned that above. There have been some imaginative ways of using the outputs. In one case the outputs of multiple RMCs were wired in series, energizing a relay. If any of the RMCs detected a fault the output would open and the relay would then open, shutting off the power.

The hardwired safety method will always work and very quickly.

Our numbers are only as good as the manufacturers' numbers we get from them and how good their components are. You have to realize that if we add a fuse it reduces the MTBF but you wouldn’t want to be without it.

Most safety PLCs are very picky and specific about what devices they are allowed to consume in the safety circuit (special certifications and testing). As already suggested, I typically integrate the RMC controllers by monitoring the communication link from both ends (RMC and PLC) with a discrete I/O in both directions to take the appropriate actions in the event of communication loss. As for the emergency stop circuit, I am still a little old school and like to hardwire everything, and this typically includes dump valves on any accumulators as well as A&B to tank valves underneath the servo valves depending on the application.