
Safety ideas for control board and firmware



I really hate it when I see reports on the forum about face plants after failures of EUCs from the most well-known brands like Ninebot, Gotway, etc., including the generic EUCs. This makes me want to stop using my EUC and not recommend it to anyone. And I understand that there are many possibilities for failure, like any of the many electronic components, the cables, a firmware bug or the batteries.

Does anyone have ideas about how other products, like maybe cars or planes, deal with potential failures? Since I have been working on firmware and control boards, I would like to know what the ways are to improve this situation.

Could we have a double control board, one master that runs and another that just watches the first and, in case the first fails, starts running? Just like battery packs: having two in parallel, if one fails the second one may keep the EUC running.

 


1 minute ago, electric_vehicle_lover said:

Could we have a double control board, one master that runs and another that just watches the first and, in case the first fails, starts running? Just like battery packs: having two in parallel, if one fails the second one may keep the EUC running.

I like that - two smaller units entirely separate, but sharing the work. So failure of one would mean a sudden power loss, but potentially NOT a face plant (depending on how hard the unit was being pushed).

Don't planes have multiple engines for the same reason? 


I wouldn't mind seeing more redundant hall effect sensors. They are pretty cheap components, but if one fails the wheel gets the jitters. I'm not sure how it would all be wired up, but if there were a bunch of them all around the wheel it wouldn't matter as much if one or two failed. It would be cool if the controller could sense that and bypass the faults. Kinda like how Iron Man's Jarvis reroutes critical systems!

Also, smarter auto shutdowns would be nice to avoid those flailing-wheel situations. Too bad there isn't some sort of weight sensor on the axle to detect "loss of rider" situations. I know there are such sensors (strain gauges) to measure loads, like on weighing scales. Of course the firmware would need a reasonable delay to avoid shutdowns when jumping off curbs or when people are doing stunts. Maybe an app toggle to adjust the delay would be nice.

Maybe redundant controllers would be nice, but perhaps failsafe sets of MOSFETs or better cooling solutions would improve matters.

Also, better current monitoring might be in order to avoid frying control boards, like @EUC Extreme posted in his video of that Msuper rolling over a branch. Or when other people report getting stuck under a bench or up against a wall.


Crash logging. It would be nice to have the controller record unusual events (cutoff, unexpected shutdown, overcurrent, etc.) in the event of a crash. The Ninebot One has a tap sensor that the app uses to let the user scroll through light patterns for the LEDs. Maybe in a crash, if that sensor is triggered, the last few minutes of data could be recorded to NVRAM so the rider has clues as to what occurred.

It's kinda like how those shark videographers have a buffer on their camera.  They record everything in a self-over-writing loop, but if something exciting happens they press the button and the last five minutes are captured to the memory card or hard drive.

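One way to implement the self-overwriting loop described in the post above, added here as an example and not code from the original post or from any wheel vendor's firmware: a ring buffer of telemetry samples that the control loop fills every tick, plus a freeze call (what the tap sensor or a crash detector would trigger) that copies the most recent samples out in order, ready to be written to NVRAM. The sample layout, the 256-sample capacity, the tick rate and the event codes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LOG_SAMPLES 256   /* ring capacity (assumed): at a 50 Hz control loop this is ~5 s of history */

/* Event codes are assumptions for the example. */
typedef enum { EV_NONE = 0, EV_OVERCURRENT, EV_OVERSPEED, EV_CUTOFF, EV_TAP } event_t;

typedef struct {
    uint32_t t_ms;         /* time since boot */
    int16_t  speed_x10;    /* km/h * 10 */
    int16_t  current_x10;  /* battery current, A * 10 */
    int16_t  pitch_x10;    /* board pitch, degrees * 10 */
    uint8_t  event;        /* event_t, EV_NONE on a normal tick */
} sample_t;

typedef struct {
    sample_t buf[LOG_SAMPLES];
    size_t   head;     /* next write index */
    size_t   count;    /* valid samples, saturates at LOG_SAMPLES */
    int      frozen;   /* set by the trigger; later pushes are refused so the evidence survives */
} crashlog_t;

void crashlog_init(crashlog_t *l) { memset(l, 0, sizeof *l); }

/* Called on every control-loop tick; overwrites the oldest sample once the ring is full.
 * Returns 1 if stored, 0 if the log is frozen. */
int crashlog_push(crashlog_t *l, const sample_t *s)
{
    if (l->frozen) return 0;
    l->buf[l->head] = *s;
    l->head = (l->head + 1) % LOG_SAMPLES;
    if (l->count < LOG_SAMPLES) l->count++;
    return 1;
}

/* Trigger (tap sensor, crash detection, unexpected reset): freeze the ring and copy up to n of the
 * most recent samples into out, oldest first, ready to be written to NVRAM. Returns samples copied. */
size_t crashlog_freeze(crashlog_t *l, sample_t *out, size_t n)
{
    l->frozen = 1;
    if (n > l->count) n = l->count;
    size_t start = (l->head + LOG_SAMPLES - n) % LOG_SAMPLES;
    for (size_t i = 0; i < n; i++)
        out[i] = l->buf[(start + i) % LOG_SAMPLES];
    return n;
}

/* First thing a rider wants from the dump: when did the last abnormal event happen? Returns -1 if none. */
long crashlog_last_event_ms(const sample_t *dump, size_t n, uint8_t *event_out)
{
    for (size_t i = n; i-- > 0;) {
        if (dump[i].event != EV_NONE) {
            if (event_out) *event_out = dump[i].event;
            return (long)dump[i].t_ms;
        }
    }
    return -1;
}

/* Constructed scenario: 300 ticks at 20 ms, an overcurrent spike on tick 290, tap trigger after tick 299.
 * Only the last 256 ticks survive, and the overcurrent (t = 5800 ms) is among them. */
long demo_last_event_ms(void)
{
    crashlog_t log;
    crashlog_init(&log);
    for (uint32_t i = 0; i < 300; i++) {
        sample_t s = { i * 20u, 250, 150, 5, EV_NONE };
        if (i == 290) { s.current_x10 = 900; s.event = EV_OVERCURRENT; }
        crashlog_push(&log, &s);
    }
    sample_t dump[LOG_SAMPLES];
    size_t n = crashlog_freeze(&log, dump, LOG_SAMPLES);
    return crashlog_last_event_ms(dump, n, NULL);
}

/* Once frozen, the log refuses new samples: returns 1 if that holds. */
int demo_freeze_protects(void)
{
    crashlog_t log;
    crashlog_init(&log);
    sample_t s = { 0, 0, 0, 0, EV_NONE };
    crashlog_push(&log, &s);
    sample_t out[1];
    crashlog_freeze(&log, out, 1);
    return crashlog_push(&log, &s) == 0;
}
```

The freeze flag matters more than it looks: a controller that keeps logging after the trigger will overwrite the seconds that explain the crash before anyone reads them, so the first thing the trigger does is stop the ring, and the NVRAM write can happen at leisure afterwards.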

1 hour ago, The Fat Unicyclist said:

I like that - two smaller units entirely separate, but sharing the work. So failure of one would mean a sudden power loss, but potentially NOT a face plant (depending on how hard the unit was being pushed).

Don't planes have multiple engines for the same reason? 

Redundancy of electromechanical systems for any powered conveyance will always reduce the chances of failure. If EUC manufacturers were convinced their customer base would pay handsomely for such a wheel while still recouping their initial R&D investment then the idea would eventually come to fruition. Until then we need to remain prudent and ride within the safety/ power curves along with wearing protective gear.

 


1 hour ago, electric_vehicle_lover said:

 

Hall sensor signals aren't used at high speeds, only at zero and very low speeds - at least technically it is possible to do it like that, and it should be.

 

The controller depends on the hall sensors to distribute power, so the whole system begins to fail with the loss of even one of them. Granted it would not be a catastrophic failure resulting in a faceplant but the rotation would become jerky along with diminished torque.


You can have dual windings with two controllers or interleaved 6-phase motors. I'm not sure it has much value on an EUC; I'm skeptical it would be able to stay upright with a partial failure. The easiest gains are probably in controller design: higher switching speed plus more low-ESR capacitors reduce the possibility of voltage overshoot and MOSFET destruction. Benjamin Vedder made an LTspice simulation for selecting capacitors. Suppressing voltage ripple required much more capacitance than most EUC boards have, even when I was using 20 kHz and 40 kHz PWM. https://github.com/vedderb/svm_sim

High-performance current sense goes a long way; less accurate or slower sensors can lead to the controller blowing up before the MCU detects current changes. All the XT60 connectors need to be removed; anything removable has to use screw connections, and wires need to be dramatically thicker. Board durability probably needs work as well: compact SMD components handle vibration and impact much better than heavy through-hole parts. For best reliability you can use ceramic boards with resistors and smaller capacitors printed on them; they don't have the thermal expansion issues of a conventional PCB, the ceramic has high thermal conductivity, and usually you put them in a case and fill it with silicone with the underside of the board attached to a heatsink.


1 hour ago, lizardmech said:

You can have dual windings with two controllers or interleaved 6-phase motors. I'm not sure it has much value on an EUC; I'm skeptical it would be able to stay upright with a partial failure. The easiest gains are probably in controller design: higher switching speed plus more low-ESR capacitors reduce the possibility of voltage overshoot and MOSFET destruction. Benjamin Vedder made an LTspice simulation for selecting capacitors. Suppressing voltage ripple required much more capacitance than most EUC boards have, even when I was using 20 kHz and 40 kHz PWM. https://github.com/vedderb/svm_sim

High-performance current sense goes a long way; less accurate or slower sensors can lead to the controller blowing up before the MCU detects current changes. All the XT60 connectors need to be removed; anything removable has to use screw connections, and wires need to be dramatically thicker. Board durability probably needs work as well: compact SMD components handle vibration and impact much better than heavy through-hole parts. For best reliability you can use ceramic boards with resistors and smaller capacitors printed on them; they don't have the thermal expansion issues of a conventional PCB, the ceramic has high thermal conductivity, and usually you put them in a case and fill it with silicone with the underside of the board attached to a heatsink.

Nice recommendation. But any avionics or aerospace system is triple redundant. Double is shit. The good one tells the bad one "you are bad", then the bad one tells the good one "you are bad". So to make it work you need a third one to break the tie.

The main failure mode is software. It lets the speed get too high and shuts down hard. It lets too much current through and then shuts down. It lets too much power through and the MOSFETs blow up. It's just a minimal design. So put in proper wires, put in intelligent computer checks and limits. This will eliminate most of the problems.

Oh, I forgot: only allow competent people to solder. Only allow competent people to put the left washers on the left side. Only let people make proper castings for pedals. Stop putting caulk on everything. Stop using hot glue.

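The tie-break argument from the post above in code, added here as an example rather than anything from the post or from any wheel's firmware: a 2-of-3 voter over three redundant channel readings (say, board pitch from three IMUs in 0.1-degree units) next to the 2-channel comparator it replaces, and a caller that shows what the control loop can still do when no majority exists. The tolerance, the units and the "ride a few ticks on the last good value" policy are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

#define VOTE_TOL 20   /* channels within this many units count as agreeing (assumed: 2.0 deg in 0.1-deg units) */

typedef enum { VOTE_OK = 0, VOTE_ONE_FAULTED, VOTE_NO_MAJORITY } vote_status_t;

typedef struct {
    int32_t       value;    /* voted value; only meaningful when status != VOTE_NO_MAJORITY */
    int           faulted;  /* index 0..2 of the outvoted channel, -1 if none */
    vote_status_t status;
} vote_result_t;

static int agree(int32_t a, int32_t b) { return labs((long)a - (long)b) <= VOTE_TOL; }

static int32_t median3(int32_t a, int32_t b, int32_t c)
{
    int32_t lo = a < b ? a : b, hi = a < b ? b : a;
    return c < lo ? lo : (c > hi ? hi : c);
}

/* Two channels: a mismatch is detectable, but there is no way to tell which channel is lying,
 * so the only honest output on disagreement is "no valid reading". */
vote_result_t vote2(int32_t a, int32_t b)
{
    vote_result_t r = { 0, -1, VOTE_NO_MAJORITY };
    if (agree(a, b)) { r.value = (int32_t)(((int64_t)a + b) / 2); r.status = VOTE_OK; }
    return r;
}

/* Three channels: any two that agree outvote the third. */
vote_result_t vote3(int32_t a, int32_t b, int32_t c)
{
    vote_result_t r = { 0, -1, VOTE_NO_MAJORITY };
    int ab = agree(a, b), bc = agree(b, c), ac = agree(a, c);
    int pairs = ab + bc + ac;

    if (pairs >= 2) {                 /* all three consistent: the median rejects any single outlier */
        r.value = median3(a, b, c);
        r.status = VOTE_OK;
    } else if (pairs == 1) {          /* exactly one agreeing pair: the odd one out is faulted */
        int32_t x, y;
        if (ab)      { x = a; y = b; r.faulted = 2; }
        else if (bc) { x = b; y = c; r.faulted = 0; }
        else         { x = a; y = c; r.faulted = 1; }
        r.value = (int32_t)(((int64_t)x + y) / 2);
        r.status = VOTE_ONE_FAULTED;
    }                                  /* pairs == 0: two or more channels bad, no majority */
    return r;
}

/* What the balance loop does with the result (assumed policy): use the voted value, or ride on the
 * last good reading for at most max_stale ticks, then demand the fail-safe. Returns 1 while a usable
 * value exists, 0 when the caller must tilt back / alarm / shut down in a controlled way. */
int voted_pitch(vote_result_t r, int32_t *last_good, unsigned *stale_ticks, unsigned max_stale)
{
    if (r.status == VOTE_NO_MAJORITY) {
        if (++*stale_ticks > max_stale) return 0;
        return 1;                                   /* *last_good still holds the last voted value */
    }
    *stale_ticks = 0;
    *last_good = r.value;
    return 1;
}

/* Constructed sequence: one good vote, then three consecutive no-majority ticks with max_stale = 2.
 * Returns the tick (1-based) on which voted_pitch first demanded the fail-safe, or 0 if never. */
int demo_stale_policy(void)
{
    int32_t last = 0;
    unsigned stale = 0;
    voted_pitch(vote3(100, 102, 101), &last, &stale, 2);
    for (int tick = 1; tick <= 3; tick++)
        if (!voted_pitch(vote3(100, 300, 500), &last, &stale, 2)) return tick;
    return 0;
}
```

Note the asymmetry between vote2 and vote3: both detect that something is wrong, but only vote3 can keep producing a value and name the bad channel, which is what lets the firmware warn the rider instead of cutting out. The voter is only as good as the independence of its inputs, so three sensors on one supply rail or one I2C bus share the failure mode the voter is supposed to mask.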

The problem I'd see with dual controllers (even with dual windings in the motor) is that if the other controller blows a half-bridge, it will keep braking the motor until it's completely disconnected, meaning that there would need to be some sort of (very heavy-duty) relay or such, so that the secondary controller could completely disconnect the motor from the failed controller. Whether it could do this fast enough to keep the wheel turning and not braking, causing a faceplant, I don't know... (Mechanical) relays usually can't handle very high currents, and the contacts might vibrate with the wheel, causing them to open and close very rapidly, which creates its own problems.

I don't know that much about the systems in cars, but I do know this: modern car firmware is the largest software ever written, measured in lines of code.


I'd at least like to think it's due to complex monitoring and redundancy built into the systems ;) Of course that probably includes a lot of other stuff in the car too, like entertainment systems and such.

For electronic parts, most datasheets list multiple variants of the same component, usually at least commercial- and industrial/automotive-grade parts, possibly also aerospace/military-grade or medical-grade (might have to do with the interference the component causes?). For most things it seems that the only effect is the wider temperature range the component can work in, but depending on the component, other properties may also be affected (of course the "higher" grade parts are always better), like industrial-grade memory chips that have much higher rewrite endurance and possibly higher maximum speeds/frequencies. The price difference between commercial and automotive, or especially commercial and military-grade, can be very large (multiples).


Researching the high-temperature issues of MOSFETs leading to failure: the example below, taken with a FLIR thermal camera, shows a board that uses 4 parallel power MOSFETs. The photo demonstrates that the total current flowing through the MOSFETs is continuous and, as shown, it is poorly distributed between them. This is caused by the position of the pins on the board. Because of a high-resistance path in the current flow, the first MOSFET on the left, glowing red, is forced to handle most of the current, which results in a higher temperature increase than the others.

 

As you can see, the parallel MOSFET layout is inadequate because the first MOSFET bears the brunt of an increase in the total current, perhaps cascading down the line to the other devices.

The use of power MOSFETs in parallel is necessary in applications that manage high power loads, because the total current can be shared between many devices while maintaining a uniform working temperature.

Good device paralleling can be obtained if the following conditions are satisfied:

- Devices with similar parameters
- Asymmetric driving (different turn-on and turn-off drive)
- Symmetrical board layout
- Good thermal coupling through the same heatsink
- Low parasitic oscillations

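A worked calculation of the uneven sharing described in the post above, added here as an example and not from the post or from any board vendor: each parallel branch is the device's Rds(on) plus the layout trace resistance in series with it, the branches split the total current in inverse proportion to their resistance, and the heat in each die goes with the square of its current. The device values, the 100 A total and the 0.5 mOhm-per-hop daisy-chain layout are assumptions chosen to make the arithmetic visible.

```c
#include <stddef.h>

typedef struct {
    double rds_on;   /* ohms: on-resistance of the device (assumed 2 mOhm below) */
    double r_trace;  /* ohms: layout resistance between this device and the common node */
    double current;  /* A: result */
    double power;    /* W: result, I^2 * rds_on, i.e. the heat in the die */
} fet_t;

/* DC current division for parallel branches: I_i = I_total * G_i / sum(G), G_i = 1 / (Rds(on)_i + R_trace_i).
 * Fills current/power for every device and returns the index of the one dissipating the most. */
size_t share_current(fet_t *f, size_t n, double i_total)
{
    double g_sum = 0.0;
    for (size_t i = 0; i < n; i++) g_sum += 1.0 / (f[i].rds_on + f[i].r_trace);

    size_t hottest = 0;
    for (size_t i = 0; i < n; i++) {
        double g = 1.0 / (f[i].rds_on + f[i].r_trace);
        f[i].current = i_total * g / g_sum;
        f[i].power   = f[i].current * f[i].current * f[i].rds_on;
        if (f[i].power > f[hottest].power) hottest = i;
    }
    return hottest;
}

/* Hottest/coolest dissipation ratio after share_current(): 1.0 is perfect sharing. */
double imbalance(const fet_t *f, size_t n)
{
    double hi = f[0].power, lo = f[0].power;
    for (size_t i = 1; i < n; i++) {
        if (f[i].power > hi) hi = f[i].power;
        if (f[i].power < lo) lo = f[i].power;
    }
    return hi / lo;
}

/* Constructed layout A: four identical 2 mOhm devices fed along one trace, so each device sees
 * 0.5 mOhm more than the previous one (branch resistances 2.5, 3.0, 3.5, 4.0 mOhm). */
static void layout_daisy_chain(fet_t f[4])
{
    for (size_t i = 0; i < 4; i++) { f[i].rds_on = 0.002; f[i].r_trace = 0.0005 * (double)(i + 1); }
}

/* Constructed layout B: the same devices with a symmetric (star) feed, 0.5 mOhm each. */
static void layout_symmetric(fet_t f[4])
{
    for (size_t i = 0; i < 4; i++) { f[i].rds_on = 0.002; f[i].r_trace = 0.0005; }
}

double demo_daisy_chain_imbalance(void)
{
    fet_t f[4];
    layout_daisy_chain(f);
    share_current(f, 4, 100.0);   /* 100 A total, assumed */
    return imbalance(f, 4);       /* 2.56: (G_0 / G_3)^2 = (400 / 250)^2, the first device runs 2.56x hotter */
}

size_t demo_daisy_chain_hottest(void)
{
    fet_t f[4];
    layout_daisy_chain(f);
    return share_current(f, 4, 100.0);   /* 0: the device nearest the feed, as in the thermal image */
}

double demo_symmetric_imbalance(void)
{
    fet_t f[4];
    layout_symmetric(f);
    share_current(f, 4, 100.0);
    return imbalance(f, 4);       /* 1.0 */
}
```

This is the DC picture only. It ignores the positive temperature coefficient of Rds(on), which helps parallel MOSFETs share steady-state current once they warm up, and it ignores the switching transients, where gate-drive and layout symmetry decide which device turns on first and absorbs the spike; the post's "asymmetric driving" and "symmetrical board layout" conditions are about that side. The point it does make stands: with a daisy-chained feed, a 0.5 mOhm difference per hop is enough to put 2.5 times the heat into the first device as into the last, before any part-to-part variation is counted.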

This topic is now archived and is closed to further replies.