
Safety vs. reliability


OliverH


Some time ago I started a thread on Safety:

In most threads the words safe/safer/safety are often misinterpreted.

Reliability - works as designed, every time, as long as the system has no malfunction.
Safety - a malfunction will be detected and the system reacts (behaviour handling) to keep itself in a fail-safe state and prevent the unsafe state.

In some functions you can see minor (safety) routines in more modern firmwares: overheat detection results in beeping/tilt-back, overcharging results in beeping/tilt-back. Some time will have to pass before we see a really safe firmware/control system.


It would be nice to help troubleshoot if these EUCs had some sort of display or light flash sequence to inform the user of any detected errors. I know some will say "Overpower" and others will beep, but say if you had for example a dying cell in a pack, there could be some error code shown that would make repairs easier, or at least help point you in the right direction. With cars you have OBDII, but with these EUCs it's a little bit of a guessing game. It probably would be quite complicated to expect it to tell you "MOSFET 3 is out of spec" or "Hall Sensor communication error" etc.

I guess it would up the cost to have the control board/BMS engineered to report on problems, but it might be worth it as a future design feature? Then again, in a world of disposable TVs where you don't even bother replacing the board, for these little control boards probably only electronics enthusiasts would want to try troubleshooting them. Most people would just swap them out.


2 hours ago, OliverH said:

Reliability - to work as designed, works every time if the system has no malfunction

According to this definition you call a system reliable even if it has a large probability of malfunctioning. That doesn't make much sense to me.


6 minutes ago, Niko said:

According to this definition you call a system reliable even if it has a large probability of malfunctioning. That doesn't make much sense to me.

Not a malfunction by default. But if an error occurs, there is no safe state, depending on the behaviour.


On 6/4/2016 at 7:14 PM, OliverH said:

Not a malfunction by default. But if an error occurs, there is no safe state, depending on the behaviour.

If an error occurs it means that the system was not functioning reliably, so it is a reliability issue, unless you equate an accident with an error. In any case, it seems I don't understand what you mean by an error.

EDIT: OK, I can understand that a system can be by design unsafe, in which case it could be reliable and unsafe.


1 hour ago, Niko said:

If an error occurs it means that the system was not functioning reliably, so it is a reliability issue, unless you equate an accident with an error. In any case, it seems I don't understand what you mean by an error.

EDIT: OK, I can understand that a system can be by design unsafe, in which case it could be reliable and still unsafe.

I need to explain it with a graphic. 

If you ride your EUC in working condition, it's "safe" if it's reliable.

If an error occurs, your EUC will fail and you'll do a faceplant.

In the case of a (today theoretical) safe EUC, the system would detect the failure and take action (brake, stop, redundancy fail-over, reduce speed, ..) to keep the vehicle in a fail state (emergency brake, fail-over, ..).

Unsafe is the area you like to prevent. The EUC would fail and you can hurt yourself.

 

A reliable EUC can handle behaviours (high temp, reaching current thresholds (overpower)) and can take action (notify, tilt-back). But a failure of a component will switch from "safe" to unsafe as there's no fail-state mode.


1 hour ago, OliverH said:

But a failure of a component will switch from "safe" to unsafe as there's no fail-state mode.

A failure of a component is clearly a reliability issue that causes a safety issue. To make the device safer, the best strategy would be to make the failed component more reliable (address the cause). Only the second-best strategy would be to implement a fallback for the component failure. In the end it is a question of cost per prevented failure: is it cheaper to fit a more reliable component or to install a fallback? Whichever is cheaper will be the solution to address the safety issue. (Fitting a better component could have other benefits though.) For this reason I still don't see this clear distinction between reliability and safety.


7 hours ago, HunkaHunkaBurningLove said:

Then again in a world of disposable TV's where you don't even bother replacing the board for these little control boards probably only electronics enthusiasts would want to try troubleshooting them.  Most people would just swap them out.

The (big) challenge in the EUC case is that we want to swap them out before they fail.


8 hours ago, Niko said:

A failure of a component is clearly a reliability issue that causes a safety issue. To make the device safer, the best strategy would be to make the failed component more reliable (address the cause). Only the second-best strategy would be to implement a fallback for the component failure. In the end it is a question of cost per prevented failure: is it cheaper to fit a more reliable component or to install a fallback? Whichever is cheaper will be the solution to address the safety issue. (Fitting a better component could have other benefits though.) For this reason I still don't see this clear distinction between reliability and safety.

The difference is having a fail-state mode, and that you have made a safety assessment and risk analysis. You build your product in a safe manner by designing the product that way. If you follow ISO 26262 (automotive safety) you'll find in the analysis that you need an ASIL 3/4 system. I'm choosing ISO 26262 over IEC 61508 as it's the safety machinery specific version for vehicles. Today's EUCs are definitely not ASIL 3/4. So they're not safe.

Today's EUCs are reliable when all components work as defined.

Take some use cases:

1) Battery/harness failure of one battery pack (single-pack batteries will no longer be an option in the future)

2) MOSFET failure

3) winding short 

4) hall sensor failure

5) power source failure to the control system(s) (even with multi-pack batteries, only one plug goes to the main board)

6) gyro failure in general/ wrong values

In Switzerland they like to see at least cases 1), 2)/3), 5), 6). An EUC fulfilling these test scenarios has a chance to pass the test and get approval.

Firewheel was the first with clear messages to the user on bad behaviours/self-diagnostics with fault messages; Kingsong has now partly followed with the KS16. A beep without a clear reason is not helpful.

In the driving tests they like to check behaviour handling (overcharge (they like to go downhill with a fully charged battery for around 6-7 km), temperature control (normal driving and going uphill on the overcharge test track), balancing, ..) and that the product is reliable.

Then it's a safe and reliable product allowed for street-legal use. No currently available EUC has the chance to even start the homologation process to get the approval - sad but true.

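To make the distinction in the post above concrete (threshold "behaviour handling" such as temperature and overpower warnings, versus the hard component faults in use cases 2) to 6) that need a latched fail-safe state), here is an added example in C. It is not code from the forum thread or from any wheel's firmware: the sensor samples are constructed structs, and all thresholds, the 3-bit hall code convention (0 and 7 are impossible patterns for three 120-degree sensors), the sensed logic-supply rail and the MOSFET gate-feedback line are assumptions for illustration.

```c
/* Added example (not from the forum thread or any vendor firmware): a supervisor
 * step that separates behaviour handling (approaching a limit on a healthy wheel:
 * warn, tilt-back) from hard component faults (hall sensor, gyro, MOSFET, control
 * power), which latch the controller into a fail-safe state until service.
 * Thresholds and the feedback signals are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ST_NORMAL, ST_WARN, ST_TILTBACK, ST_FAILSAFE } state_t;
typedef enum { FAULT_NONE, FAULT_HALL, FAULT_GYRO, FAULT_MOSFET, FAULT_POWER } fault_t;

typedef struct {
    uint8_t  hall_code;         /* 3-bit hall pattern; 1..6 valid, 0 and 7 impossible */
    int32_t  gyro_dps;          /* pitch rate, deg/s */
    uint8_t  gyro_frozen_count; /* consecutive identical gyro readings (kept by caller) */
    int32_t  temp_c;            /* MOSFET heatsink temperature */
    int32_t  phase_current_ma;  /* measured phase current */
    uint32_t logic_supply_mv;   /* assumed: sensed rail feeding the control board */
    bool     gate_feedback_bad; /* assumed: driver reports a MOSFET not in commanded state */
} sample_t;

/* Assumed thresholds, for illustration only. */
#define TEMP_WARN_C          60
#define TEMP_TILTBACK_C      75
#define CURRENT_TILTBACK_MA  30000
#define GYRO_MAX_DPS         2000
#define GYRO_FROZEN_LIMIT    20
#define LOGIC_SUPPLY_MIN_MV  4500

/* Hard faults: a component can no longer be trusted. Order is priority. */
fault_t detect_fault(const sample_t *s)
{
    if (s->gate_feedback_bad)                                      return FAULT_MOSFET;
    if (s->hall_code == 0 || s->hall_code == 7)                    return FAULT_HALL;
    if (s->gyro_dps > GYRO_MAX_DPS || s->gyro_dps < -GYRO_MAX_DPS) return FAULT_GYRO;
    if (s->gyro_frozen_count >= GYRO_FROZEN_LIMIT)                 return FAULT_GYRO;
    if (s->logic_supply_mv < LOGIC_SUPPLY_MIN_MV)                  return FAULT_POWER;
    return FAULT_NONE;
}

/* Behaviour handling: the wheel is healthy but approaching a limit. */
state_t handle_behaviour(const sample_t *s)
{
    if (s->temp_c >= TEMP_TILTBACK_C || s->phase_current_ma >= CURRENT_TILTBACK_MA)
        return ST_TILTBACK;
    if (s->temp_c >= TEMP_WARN_C)
        return ST_WARN;
    return ST_NORMAL;
}

/* One control-loop step. ST_FAILSAFE latches: a later clean sample must not
 * re-arm the motor, because the faulty part has not been replaced. */
state_t supervisor_step(state_t current, const sample_t *s, fault_t *fault_out)
{
    fault_t f = detect_fault(s);
    if (fault_out) *fault_out = f;
    if (current == ST_FAILSAFE || f != FAULT_NONE)
        return ST_FAILSAFE;
    return handle_behaviour(s);
}

const char *state_name(state_t st)
{
    static const char *names[] = { "NORMAL", "WARN", "TILTBACK", "FAILSAFE" };
    return names[st];
}

int main(void)
{
    /* Constructed sample sequence: healthy -> hot -> hall sensor dead -> healthy again. */
    sample_t seq[] = {
        { .hall_code = 3, .gyro_dps = 120, .temp_c = 40, .phase_current_ma = 8000,  .logic_supply_mv = 5000 },
        { .hall_code = 4, .gyro_dps = 130, .temp_c = 78, .phase_current_ma = 12000, .logic_supply_mv = 5000 },
        { .hall_code = 0, .gyro_dps = 130, .temp_c = 78, .phase_current_ma = 12000, .logic_supply_mv = 5000 },
        { .hall_code = 5, .gyro_dps = 100, .temp_c = 50, .phase_current_ma = 6000,  .logic_supply_mv = 5000 },
    };
    state_t st = ST_NORMAL;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        fault_t f;
        st = supervisor_step(st, &seq[i], &f);
        printf("step %zu: fault=%d state=%s\n", i, (int)f, state_name(st));
    }
    return 0;
}
```

The last sample is perfectly healthy, yet the state stays FAILSAFE: that latch is the whole point of the fail-state mode, and it is what a threshold-only firmware (beep, tilt-back, carry on) does not have.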

Do you argue that the standards for automobiles should be applied to EUCs? Don't you think the standards should depend in particular on how fast a vehicle can go and how powerful and heavy it is?


I wonder if it would be possible to design the control board to have an extra set of MOSFETs and a spare gyro chip, so that in the event of primary failure the circuit would switch to the backup set while alerting the rider to "service EUC soon." If the primary components were modular and on daughter boards, they could be swapped out rather than needing to replace the entire control board.


16 hours ago, HunkaHunkaBurningLove said:

I wonder if it would be possible to design the control board to have an extra set of MOSFETs and a spare gyro chip, so that in the event of primary failure the circuit would switch to the backup set while alerting the rider to "service EUC soon." If the primary components were modular and on daughter boards, they could be swapped out rather than needing to replace the entire control board.

One of the failure modes for MOSFETs is that they short out, so a parallel set would not help in that case. If they failed open you might have a chance. There would need to be some sort of reliable feedback circuit to know when the main MOSFETs were not working correctly; I'm not sure how easy that is to do. If the MOSFETs failed because the motor was jammed or stalled, the backups would do the same almost immediately, but in that case you're not on top of the EUC so it's not a safety thing.

The main concern I would have with daughter boards is a bunch of extra mechanical connectors that can shake loose. 


I wish I knew more about electronics to be able to find out whether there is some way to incorporate a backup set of MOSFETs in case of failure. With the IPS control boards with 12 MOSFETs, is there less chance of problems?

I think it was @Polpus who was amazingly able to mod his EUC by desoldering the MOSFETs off the mainboard and transplanting them to a heatsink in the battery compartment. Maybe doing something similar with wiring and silicone-secured connectors could keep the MOSFETs in a cooler location rather than being tied to the control board. There's already wiring coming from the motor, so one more connector might not be an issue. Also, a heat sensor at the MOSFET area could warn the control board to issue overheat beeps or messages. Perhaps keeping the MOSFETs cool might reduce a large percentage of the problems out there by allowing them to be placed, along with their heatsink, in a more advantageous location.

@Polpus, how is your MOSFET relocation program working out for you?


Redundancy can help a lot, together with a quick self-check routine every time the wheel is powered on, and a thorough self-check during charging including the battery status and performance.

Why not use two control boards (A & B)? Each time the wheel is powered on it switches control board; if potential overheating or any other minor problem is detected (on board A), the wheel alarm sounds and it goes to safe mode. When you then switch it off and back on, you're good to go running with the other control board (board B).

Double battery packs with double connectors for each board is also an easy fix.

So we're looking at a cost of an extra control board (100-200 USD?), some extra connectors (a good wheel already has a double battery pack) of maybe 10 USD, and a more intelligent design (no clue how much this would cost; this is probably the most expensive part).


2 minutes ago, Jurgen said:

Redundancy can help a lot, together with a quick self-check routine every time the wheel is powered on, and a thorough self-check during charging including the battery status and performance.

Why not use two control boards (A & B)? Each time the wheel is powered on it switches control board; if potential overheating or any other minor problem is detected (on board A), the wheel alarm sounds and it goes to safe mode. When you then switch it off and back on, you're good to go running with the other control board (board B).

Double battery packs with double connectors for each board is also an easy fix.

So we're looking at a cost of an extra control board (100-200 USD?), some extra connectors (a good wheel already has a double battery pack) of maybe 10 USD, and a more intelligent design (no clue how much this would cost; this is probably the most expensive part).

But you need a fail-over control with redundancy. That could be a solution to get a SIL 3 or ASIL C/D ranked system. A safe control system would look different from today's control boards.

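The A/B board proposal two posts up, together with the reply that a fail-over control is still needed, can be written down as a small piece of boot and fail-over logic. This is an added example in C and not code from the thread or from any wheel: the non-volatile record, its fields, the "faulted" latch and the self-test callback are assumptions, and the self-test results are supplied from a constructed table so it runs offline.

```c
/* Added example (not from the thread or any vendor firmware): boot-time board
 * selection for a two-board (A/B) controller, plus the runtime fail-over the
 * reply asks for. A board that fails its self-test is latched as faulted so it
 * is never armed again until service; if no trustworthy board remains, the
 * wheel refuses to arm instead of riding on an untested board. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_BOARDS 2

typedef struct {
    uint8_t  last_active;         /* board used on the previous ride */
    bool     faulted[NUM_BOARDS]; /* set by a failed self-test or fault; cleared only by service */
    uint32_t service_due;         /* nonzero: rider has been told "service EUC soon" */
} nv_record_t;

/* Power-on self-test for one board; true means the board may be armed. */
typedef bool (*selftest_fn)(int board, void *ctx);

/* Pick the board to arm. Alternates A/B as proposed, skips boards already
 * marked faulted, and self-tests the candidate before arming it.
 * Returns the board index, or -1 when no trustworthy board is left. */
int select_board(nv_record_t *nv, selftest_fn test, void *ctx)
{
    int candidate = (nv->last_active + 1) % NUM_BOARDS;
    for (int tries = 0; tries < NUM_BOARDS; tries++) {
        int b = (candidate + tries) % NUM_BOARDS;
        if (nv->faulted[b]) continue;
        if (test(b, ctx)) {
            nv->last_active = (uint8_t)b;
            return b;
        }
        nv->faulted[b] = true;  /* latch: a board that failed once is not retried */
        nv->service_due = 1;    /* running on the last good board is not hidden from the rider */
    }
    return -1;
}

/* Runtime fail-over: board 'active' reported a fault mid-ride. The other board
 * may take over only if it is not itself faulted; otherwise the answer is stop. */
int failover(nv_record_t *nv, int active)
{
    nv->faulted[active] = true;
    nv->service_due = 1;
    int other = (active + 1) % NUM_BOARDS;
    return nv->faulted[other] ? -1 : other;
}

/* Constructed self-test: results come from a per-board table passed as ctx. */
static bool table_selftest(int board, void *ctx)
{
    const bool *results = ctx;
    return results[board];
}

int main(void)
{
    nv_record_t nv = { .last_active = 1 };          /* last ride used board B */
    bool results[NUM_BOARDS] = { false, true };     /* A now fails its check, B is fine */
    int b = select_board(&nv, table_selftest, results);
    printf("armed board %d, A faulted=%d, service_due=%u\n", b, nv.faulted[0], nv.service_due);
    int next = failover(&nv, b);
    printf("fail-over target: %d (-1 = stop, nothing left to fail over to)\n", next);
    return 0;
}
```

Two details carry the safety argument rather than the redundancy itself: the latch (a board that failed is not retried on the next power cycle just because the alternation says it is its turn), and the -1 result (with both boards faulted the firmware must refuse to arm, not pick one anyway).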
