Some tips on building and keeping up ultra-safe rides from the engineers who design them
By Dr Michael Wrinch and Matt Keeler,
Note from the authors: A few weeks ago, we started working on an article about the general safe ride system design. It was our intention to write something that would give readers some understanding of safe ride system design and the ways it could be implemented to prevent accidents. Unfortunately, our writing of this article coincided with a tragic event in Ohio. As readers are probably aware, several people were injured and one was killed due to the malfunction of a ride at the Ohio State Fair. We mention this ahead of time to make clear that it was not our intention to capitalize on such a tragedy. Our only aims are to promote safer machine design practices and to help prevent unnecessary accidents wherever possible. Our hearts go out to individuals and families affected by the event. We have no affiliation with this ride, the manufacturer or any other stakeholder involved with this incident.
The Philosophy of Safety
We recently found ourselves at ‘Playland’, an amusement park in Vancouver where we live. The park has a variety of adrenaline-inducing rides for visitors of all ages, but the enormous green pendulum called ‘The Beast’ (pictured above) is everyone’s favorite. The monstrous swinging machine is one of those rides that guarantees to fulfill anyone’s mortal fears of heights, speed and total disorientation. Thrill-seekers have traveled from all over to enjoy the experience ‘The Beast’ provides.
If you’ve ever been on a similar ride, you may be familiar with the safety device that keeps us strapped to our seat. It’s a simple metal U-shaped restraint that ratchets down onto the lap of the rider and holds everyone in place during the ride. When the ride is complete, the restraint is released semi-automatically, allowing the guest to stand up and walk off onto the ride’s platform.
Control engineers design these safety restraints in such a way that prevents them from ever failing mid-ride. They fail so rarely because these engineers go to great lengths to predict and prevent their malfunction. As a Functional Safety Engineer and Ride Designer, we hope that this article might help to explain our design philosophy and the thought process that goes into creating safe amusement park rides.
Designing an ultra-safe system of any kind requires a strong, multi-disciplined team and a thorough hazard analysis. The most important step is to identify key safety functions. In other words, the design team must identify what could go wrong in order to prevent those things from happening. There are a few guiding standards (IEC 61508 and ISO 13849) that are used by designers as a starting point when beginning a project. In addition, though, there are five key design philosophies that we consider when creating a fault-tolerant system. We’ve outlined them below.
- 1. High Mean Time to ‘Dangerous’ Failure
Everything eventually wears out and, if not maintained, will fail. Understanding the statistical likelihood of a component failure is critical. This is called the “mean time before failure” or MTBF. When considering the MTBF, there are many questions that have to be asked. For example, how many times can a simple latch open and close before it is no longer latching properly? Is it ten thousand cycles or ten million?
The analysis does not stop there. The MTBF is only half of the question. In order to prevent over designing a system, the question of exactly how the system will fail must be considered.
Failure, after all, takes two forms: general safe state failure and dangerous failure. A dangerous failure, or MTBFd, is obviously much different than a general failure. In the case of a restraint latch on ‘The Beast’, failure could mean that the latch remained locked and a guest being stuck in their seat, but it will not cause them harm. If the MTBF is five years, then we would implement a program where the part is replaced every two years. By looking at the MTBF, we can proactively replace components long before they are in the statistical realm of failure.
2. High Diagnostic Coverage
The next important feature of a safely-designed system is the capacity its health and status to be properly diagnosed. This is called having “diagnostic coverage”. For example, a locking latch that requires diagnostic coverage has sensors that detect the latch’s position and report whether or not it is locked. In order to maximize diagnostic coverage, the sensors that detect the position would need to also be monitored and kept in good health.
Diagnostics enable the system to enter a safe state if it notes discrepancy or anything out of the ordinary. One common method of doing so is extending the basic ‘on’ or ‘off’ to ‘high impedance’ and ‘low impedance’. Once implemented, this method monitors the state of both the latch position and the latch-monitoring sensors. Alternatively, by using two sensors to monitor the same input, you can cross-monitor both of them. This is a system with high diagnostic coverage.
3. Redundant Systems
Redundant systems are the most common and obvious choice in designing a safe system. Combined with MTBFd, this is an important step in decreasing the statistical likelihood of failure.
The logic is simple: if one safety measure can fail, two failing at the same time is far less likely. Therefore, doubling up is a logical precaution to take. We nearly always include redundant systems to support the lowest dangerous failure configurations (two out of two or ‘2oo2’ configuration). However, for systems that cannot be easily shut down mid-process or have critical measurement points, a third sensor can be added to ‘vote’ in a ‘2oo3’ configuration. 2oo3 configuration is more expensive but allows maintenance to take place while machines are actively running. There may be cases in which this configuration is highly desirable.
Diversity of design is another critical feature of fault tolerant systems. It manifests itself in many ways and is extremely useful in preventing common-cause failures. In creating diversified designs, the design team must decide where to physically position each mechanical component to maximize the safety of the design. Because one malfunction can cause the failure of multiple systems, design of safety systems requires the use of a variety of technologies and physical input mechanisms. For example, a safety restraint’s redundant locking mechanism uses two different diagnostic position sensors and two different locking technologies. Similar technologies may fail at the same time but diversity in technology reduces the likelihood of such mishaps.
5. Calculated and Regular maintenance
The final design parameter included in fault tolerant systems is the calculation of which and when maintenance should happen. Maintenance in a safe system must be both proactive and methodical. Parts are replaced based on their MTBF and the level of risk they present. They should be replaced in advance of their projected MTBFd. For example, if a part has a MTBFd of 10 years, the part may be completely replaced every three years, serviced every month and tested every day. Regular maintenance and documented systemic checking is mandatory in the operation of a safe system.
As functional safety engineers who’ve spent plenty of time designing roller coasters, sitting on amusement parks rides is no less frightening. After all, how do we know what the MTBF on this safety restraint is? How do we know if the part has been properly maintained? While there is an extensive amount of design that goes into these machines, there are a number of factors we can consider to reduce the likelihood of accidents in the future.
Dr Michael Wrinch is a Canadian Functional Safety Professional Engineer and President of Hedgehog Technologies whose expertise is in design of complex machines.
Matt Keeler is a Canadian systems design engineer at Hedgehog Technologies. He has years of experience developing fault tolerant safe systems.