Throttle pedal safety

[johu]

I was just in a call investigating a run-away condition on a Tesla motor. The car was stationary in the work shop and suddenly took off. Everybody is still alive. I want to address the underlying issue to prevent repetition.

Full investigation is pending but the issue is most likely caused by an intermittent loss of ground on the throttle pedal. So the likely event chain is
1. Start signal is hard wired to 12V
2. Throttle pedal sent a fully pressed signal preventing the car from entering drive mode
3. Throttle pedal then returned to normal allowing the car to enter drive mode
4. Subsequently throttle returned to fully pressed letting the car shoot off

Arguably you shouldn't leave your car ready to drive while not sitting in it but things that can happen will happen, hence why the inverter software has 4 safety measures to prevent this:
1. Throttle range check (not effective because potmax=4095 - read below)
2. Dual throttle input (not used in this case)
3. inhibit entering drive mode while pedal is pressed (not effective on intermittent fault)
4. lock out throttle when brake pedal is pressed (not effective if nobody sits in the car)

On many older logic board designs and that includes all Tesla boards, the throttle input is 0-3.3V. In contrast the throttle output of many typical automotive pedals is 0.8-4.2V. So it will max out the ADC and potmax must be set to 4095 to operate in such a setup. This disables the upper range check because 4095 is considered a valid pedal position and values greater 4095 are not physically possible.

To address this, a 10k resistor MUST be put in series with the pedal like so

This forms a voltage divider with the onboard pull down and results in a maximum valid throttle value of around 2000-3000 digits. With that configured the range check is active, will treat values > potmax+200 as invalid and cut out throttle/coast to standstill.

Addition: alternatively if you have a dual channel pot and only choose to use one, use the channel with the smaller 0.4 to 2.1V range

Then recalibrate your throttle setting.


While we do generally recommend using dual channel throttle wiring I also think it will not necessarily prevent the above just by itself. When both channels share a mutual ground they will both go fully pressed on loss of ground. Without a range check that is considered valid at least on one channel. Only completely separated ground wires will prevent a runaway.

On the software side I will limit potmax to 3500 in the next release and ship every new board with that limit to force people to implement the resistor mod.
On the hardware side all boards will receive the series resistor on board

Boards possibly affected:

• Tesla SDU
• Tesla LDU
• Nissan Leaf Gen2 with v3 brain board, i.e. not Mini Mainboard
• Prius Gen2
• All custom designs based on v3 brain board

Boards not affected:

• ZombieVerter
• Nissan Leaf Gen2 with Mini Mainboard
• Nissan Leaf Gen3
• BMW i3
• All Mini Mainboard based designs

Addition:
We also advise against permanently pulling the start input to 12V for a number of reasons:

• Immediate restart without user interaction after an over current fault
• No possibility to leave inverter in the safe stop mode after powerup
• Rather hard to save parameters as they are not written in run mode

[muehlpower]

The two pedals I have here each have a range from 0.8V to 4.2V and one with 0.4V to 2.1V. So the easiest thing would be to use the smaller range.

[johu]

Yes that's also a low barrier possibility

[janosch]

Without a range check that is considered valid at least on one channel.

I need to release my VCU code, as I have done this there, so people would get another example on how it can work.
I also check as many inputs as I can with 12V only before ever connecting a HV source.

I stumbled over the following mistake though when setting up my code:
I was taking the throttle resistor readings at face value in the VCU and translating them into CAN messages. Like, I got a reading, translated it and send it straight to the motor. This gave us a horrible vibration as I commanded 33% throttle, then 34%, then 33% again all in 10ms intervals. Turns out smoothing 5 or ten readings together is whats needed there.

[MattsAwesomeStuff]

Good writeup on the cause/consequence.

This is going to create a lot of troubleshooting problems in the future, or an intimidatingly-long "how to set up your throttle" instruction.

... why pick 3500? Why not 3300? Why not 3700? Why's 3500 the right spot?

...

One thing I still haven't wrapped my head around, (maybe this isn't relevant anymore?), when you set your throttle boundaries in software inside of its limits, doesn't that create a situation where throttle will dangerously spike?

I.E. Throttle goes from 150-3800. So you set up 50-unit bumpers on either side. So you set your throttle range in OI to 200-3750. As far as I understand, that's correct procedure.

On the low end I think I understand. Anything below 200 becomes zero. 175? Zero. That's fine.

But what happens when you are pushing the pedal to, say, 3775? Since it's above the 3750 bumper threshold, the software should interpret that as... what? Zero? Off? Because it's out of range? So you were at 3500, you push the pedal further, further, further, then when you cross over 3750 you stop accelerating even though you're pushing it to 3775. So the driver only notices this after a few seconds, but let's say he notices only after his speed drops to almost a stop. He slowly takes his foot off the accelerator. The second the accelerator drops below 3750, say, 3700... OI takes the throttle from zero to about 99% and the car unexpectedly slams forward at full acceleration?

Is that correct?

...

Using a momentary start vs. latched start makes a lot more sense now too. Though is that "start" as in, what normally cranks the starter motor, or is that ignition on?

Is there a reason not to force a momentary start universally? Why even allow a latched start?

[johu]

There is a 200 digit headroom above potmax. So anything above potmax will be interpreted as potmax. Once you cross potmax+200 throttle immediately returns to 0 because we assume that there is a wire break and the throttle value does not reflect the drivers command anymore.

That sort of points to "why 3500?". We need to be at least 200 digits away from 4095 which would be 3895. Now a loss of ground doesn't necessarily mean it jumps to 4095 because of the 10k pull-down. So lets move further away. 3500. Slightly arbitrary but spent some thought on it.

If the fault happens to be intermittent it will bounce around, yes. If it somehow fixes itself at least you gain control of your vehicle again. Hence why I don't just fully shut down on out of range errors. If you decide the vehicle is not drivable anymore you put it in neutral and coast onto the shoulder.

Yes "start" is what cranks the starter.
Making the start signal edge trigger might make sense in many ways. Will piss a few people off who set it up latching

[Aragorn]

Dual Throttle pots should be mandatory IMO. OEM applications deliberately use two different ranges on their pots, to help detect strange occurances like broken wires where the input might start floating around.

Some have inverted, some have a different range. But the ECU compares the two signals and if they dont line up the throttle is closed.

[peterdiffey]

Ooh,
I would be very surprised if tesla software is not fail safe, dual pot pedals have been around for best part of 20 years. I think this is probably anti EV bs.

I had assumed that OpenInverter was built around using a dual pot pedal, the Web UI is configurable for dual pots, The Web UI also shows the current values for both pots. However, just looking at throttle.cpp from the zombieverter 2.17, it only has a single throttle variable, I may be missing something!

Before deciding to use the Damien box, I started work on doing it using the Hobbytronics arduino, averaging the value of the last 5 average pot readings as writer Janosh suggests, although I am not sure that the jitter in throttle value would be noticable to the driver.

I would expect the VCU to average the two pot values and expect the result to be within a set range - ie less than 4095. As the two pot values are usually configured to have a ratio of about 3:2, you should never have anything like 4095 in normal use.

Ref writer Aragorn post: The whole point of having different values returned by both throttles is exactly to determine lost earth. If both pots lose earth, they both will read 5v or whatever their supply voltage, and the VCU be configured to shut down.

[peterdiffey]

actually looking closer at throttle.cpp, it already averages the last 50 pot values

Code: Select all

float Throttle::AveragePos(float Pos)
{
    PedalPosIdx++; //next average arrray positon
    if(PedalPosIdx >= PedalPosArrLen)
    {
        PedalPosIdx = 0;
    }
    PedalPosTot -= PedalPosArr[PedalPosIdx];
    PedalPosTot += Pos;
    PedalPosArr[PedalPosIdx] = Pos;

    return PedalPosTot/PedalPosArrLen;
}

PedalPoosArrLen = 50

a simple one line solution to solve the problem is to modify the last line:-

return ((float)(((int)(PedalPosTot/PedalPosArrLen))%4000));

so if the pedal loses eth, it returns 95 rather than 4095

[MattsAwesomeStuff]

There is a 200 digit headroom above potmax. So anything above potmax will be interpreted as potmax. Once you cross potmax+200 throttle immediately returns to 0 because we assume that there is a wire break and the throttle value does not reflect the drivers command anymore.

Ahh. This is the piece I was missing. I thought it just immediately errored out and cut throttle. Okay, that makes sense.

[EVS2K]

Came over from a link on my post about first spin up of a Tesla SDU.

You mention Dual Throttle channels. The pedal I am using is the Bosch one from the MG ZS EV. It is dual channel. Anyone know if the second channel is 0.4 to 2.1V? I will of course check but wondering if anyone knows?

[EVS2K]

Gotta love answering your own questions. Yes, the resistance on channel 2 is higher hence the voltage range lower.

[alexbeatle]

Thank you for the write up. This is tragic, but a good lesson learnt. Good thing nobody got hurt.

...
4. lock out throttle when brake pedal is pressed (not effective if nobody sits in the car)
...

Perhaps the parking brake signal should also be tied to the brake input of the oi board?

...
On many older logic board designs and that includes all Tesla boards, the throttle input is 0-3.3V. In contrast the throttle output of many typical automotive pedals is 0.8-4.2V.
...

A bit confused on this point. If one follows the schematic (in my case SDU), the pedal (single or dual channel) are powered from the oi board. Are you talking about an instance when folks power the accel pedals from the external power supplies, not the oi boards? Else how can pedal output be higher than power supply.

...
There is a 200 digit headroom above potmax. So anything above potmax will be interpreted as potmax. Once you cross potmax+200 throttle immediately returns to 0 because we assume that there is a wire break and the throttle value does not reflect the drivers command anymore.
...

Just checked the release. So the potmin should also be at least +200 points from the value when fully released?

[Proton]

A bit confused on this point. If one follows the schematic (in my case SDU), the pedal (single or dual channel) are powered from the oi board. Are you talking about an instance when folks power the accel pedals from the external power supplies, not the oi boards? Else how can pedal output be higher than power supply.

I have the same questions.

[muehlpower]

The board supplies 5V. So a pedal can deliver up to 5V signal. The CPU can only process up to 3.3V.

[P.S.Mangelsdorf]

I'm just getting around to looking at implementing this. I've got a dual channel pedal so I should be able to add that, but looking at the Tesla LDU wiring, there's only 1 pin labeled for accelerator input. Am I correct in assuming the brake pressure signal pin (pin 14 on the 23 pin connector) is actually the other potentiometer pin?

[johu]

Am I correct in assuming the brake pressure signal pin (pin 14 on the 23 pin connector) is actually the other potentiometer pin?

yes