Tesla SDU+OI - how to shut down safely?

[elShankos]

Hi All,

I have a Tesla rear SDU and OI setup where I am aiming to control the contactors via the inverter as per the OI setup wiring diagram - I'm at the point where I have the board swopped over and am rigging up my bench test arrangement. So I am wondering how others have done this setup and specifically how they have received a signal from their BMS to stop the inverter and open the main contactor? I.e. when there is an over-current, undervoltage, high temperature etc condition that the BMS detects and wants to shut down and disconnect HV to protect the battery.
Are folks doing this via CAN? Or a hard wired 12V signal for example (this would be best for me)? I'm wondering if interrupting the drive/reverse signal on pins 5 and 12 would be an option?

Would be great to hear some views on how others are doing this or any links to threads on this topic.

[arber333]

Hi All,

I have a Tesla rear SDU and OI setup where I am aiming to control the contactors via the inverter as per the OI setup wiring diagram - I'm at the point where I have the board swopped over and am rigging up my bench test arrangement. So I am wondering how others have done this setup and specifically how they have received a signal from their BMS stop the inverter and open the main contactor? I.e. when there is an over-current, undervoltage, high temperature etc condition that the BMS detects and wants to shut down and disconnect HV to protect the battery.
Are folks doing this via CAN? Or a hard wired 12V signal for example (this would be best for me)? I'm wondering if interrupting the drive/reverse signal on pins 5 and 12 would be an option?
image.png

Would be great to hear some views on how others are doing this or any links to threads on this topic.

Never NEVER allow inverter or other VCUs to DISCONNECT your DC contactors at its whim! You setup DC link in such a way that inverter can control contactors innitially, but when on they can be turned off ONLY by removing 12V from them (turn ignition key). That is called latching relay circuit.
You provide 12V and GND to your relay from inverter side. Then you wire its contacts so it can power itself from available 12V in case of NC contact. Then use another source of 12V (starting pulse) to supply momentary signal to turn relay ON. It will latch then and only release when you remove 12V from the first contact via key. I really need to find my drawing... .

I convinced TUV inspector in my circuit when i showed him that i can allways disconneect 12V when i turn off the ignition key. In case of inverter fault you can still mechanicaly brake the car and remove the key to sever the DC link.
Notaus button is there only to disable PWM generation inside inverter not to disconnect DC link in emergency!
I use notaus button (and BMS wired to it) to disable car while charging and if i manually trigger it. Since i use Lebowski brain i simply use Notaus to pull dsPic30 brain to GND into reset. But you can use notaus to trigger Mprot pin or BMS pin. Or if you want to be elaborate you can open both FW /REV pins which would also stop PWM generation as i recall.

Job of a fuse is to disconnect DC link in emergency. I use as much fuses as i have battery boxes. That way each box output can be interrupted in case of a short. Ie: if there would be a battery fire temperature would quickly reach 400degC and cables would melt/weld to casing causing a short. If you would then have multiple fuses throughout your pack they would burn out and protect the rest of the pack.

[muehlpower]

I use a PWM signal to pull the accelerator or brake pedal more or less to zero. With this I prevent over and under voltage of the battery, as well as blocking or spinning of the rear axle.

[mjc506]

Imho...

It depends on your definition of 'safe'.

Opening the contactors while moving will kill the inverter. But could protect the battery from overvoltage/overcurrent/etc. So allowing the BMS to open the contactors will likely kill your inverter in the event of a problem, but may better protect your battery, hopefully avoiding a fire. 'Safe'

On the other hand, leaving contactor control to the inverter controller will protect the inverter, and the inverter controller should respect messages from the BMS, limiting currents and voltages. It would take a remarkable series of malfunctions for the inverter to demand excessive current and ignore the BMS screaming to slow down! 'Safe'...

Another option would be to let the BMS open contactors, but set it's thresholds quite 'relaxed', and have the inverter try to limit voltages and currents more strictly - the inverter to try to keep the battery and BMS well within its' 'happy' range, but the BMS could still take over and try to protect the battery in the even of a serious problem.

But... considering overall risk... The likelyhood of a battery fire due to transient over-voltage or over-current while driving is actually very low (total energies will be low, and thermal mass is quite high). Excessive temperature is a problem, but much slower, so assuming good monitoring of the pack should be relatively easy to spot a problem before it becomes an actual issue. Battery safety while charging is a different issue - the car will be left unattended with current (energy) being fed into it. But the car will be sat still (hopefully!) so the BMS opening the contactors shouldn't upset anything (the charger should happily error out). Again, setting the limits on the charger more conservative than the BMS 'error' conditions should be kinder on the system.

Note, if you've got an induction motor, turning off the inverter (or killing it) while moving is usually relatively benign - magnetic field disappears, so the motor turns into a lump of spinning iron, and the driver retains control while the vehicle coasts to a halt. With a permanent magnet motor, stopping the inverter can essentially short the three motor phases resulting in very high uncontrollable regen. This could be a problem at speed... 'Safe'? (I think the SDU is induction, so not a problem in your case) (See below)

[arber333]

....
Note, if you've got an induction motor, turning off the inverter (or killing it) while moving is relatively benign - magnetic field disappears, so the motor turns into a lump of spinning iron, and the driver retains control while the vehicle coasts to a halt. With a permanent magnet motor, stopping the inverter can essentially short the three motor phases resulting in very high uncontrollable regen. This could be a problem at speed... 'Safe'? (I think the SDU is induction, so not a problem in your case)

I beg to differ here. As i thought the same in the past ACIM motor should be nonreactive if you remove its source of excitation. I tested this in my Mazda with ACIM motor, it is solid.
Aaand for some reason or other this is not true for Tesla LDU and SDU inverters. They will happily burn if you remove DC link. Must be that their spike margin is way lower than those bulky IGBTs other OEM use.
SO in case of LDU and SDU beware to latch your contactors!

[mjc506]

Ah, good to know! Perhaps some residual magnetism, or a funky HV design. Or perhaps I'm just too used to Toyota inverters

[elShankos]

I use a PWM signal to pull the accelerator or brake pedal more or less to zero. With this I prevent over and under voltage of the battery, as well as blocking or spinning of the rear axle.

Thanks for this - I think this is a really good idea and I recon I can do this with an available signal from the BMS. What about regen though? While slowing down to stop the car wouldn't you possibly still have regen pushing power back into the batteries before you can come to a full stop and switch off the ignition? Maybe this wouldn't really be an issue but worth asking.

[elShankos]

Never NEVER allow inverter or other VCUs to DISCONNECT your DC contactors at its whim! You setup DC link in such a way that inverter can control contactors innitially, but when on they can be turned off ONLY by removing 12V from them (turn ignition key). That is called latching relay circuit.
You provide 12V and GND to your relay from inverter side. Then you wire its contacts so it can power itself from available 12V in case of NC contact. Then use another source of 12V (starting pulse) to supply momentary signal to turn relay ON. It will latch then and only release when you remove 12V from the first contact via key. I really need to find my drawing... .

I convinced TUV inspector in my circuit when i showed him that i can allways disconneect 12V when i turn off the ignition key. In case of inverter fault you can still mechanicaly brake the car and remove the key to sever the DC link.
Notaus button is there only to disable PWM generation inside inverter not to disconnect DC link in emergency!
I use notaus button (and BMS wired to it) to disable car while charging and if i manually trigger it. Since i use Lebowski brain i simply use Notaus to pull dsPic30 brain to GND into reset. But you can use notaus to trigger Mprot pin or BMS pin. Or if you want to be elaborate you can open both FW /REV pins which would also stop PWM generation as i recall.

Job of a fuse is to disconnect DC link in emergency. I use as much fuses as i have battery boxes. That way each box output can be interrupted in case of a short. Ie: if there would be a battery fire temperature would quickly reach 400degC and cables would melt/weld to casing causing a short. If you would then have multiple fuses throughout your pack they would burn out and protect the rest of the pack.

Thanks a lot for this reply arber - I will make sure to add the latching component to the the signal from the inverter to close the main +ve HV contactor - as per B in my pretty rough diagram (sorry its a bit small and still messy!) below:

That's a really good point and thanks for explaining it.
At point A I was thinking to link in a relay to open when the BMS is not happy to discharge - so then if there was a problem (from BMS) while driving, it could open that relay and then drive and reverse would be lost - this wouldn't cause a problem for the inverter would it?

Can I also ask: do you use a main -ve HV contactor as well? I would like to for extra safety but I'm not sure how to implement it while controlling the contactors from the SDU inverter - so I wonder what others have done in this regard?

[arber333]

Hmmm... -HV contactor should be
1. Closed when precharge pin is on
2. Closed when main contactor pin is ON the same as +HV contactor.

I think you can solve this with another relay and connect it in a way -HV is on with precharge as well as main contactor.

Personaly i just use 500A fuse on -HV side. I see no benefit in another contactor.

[muehlpower]

I simply switch the HV- contactor on with the 12V power. To avoid unintentionally opening I use Gigavac GV240 with auxiliary contacts that bridge GND to signal. The only way to disconnect the battery when driving is to turn off the ignition.

On the 12V side I distinguish three types of devices.
1. Has power when charging
2. Has power when driving (igniton on)
3. Has power when charging and/or driving.
The HV contactor in the battery box, DC-DC, BMS and cooling system belongs to group 3.
Drive Unit, power steering, bakebooster etc is group 2.
Charger and charging controler, BMW LIM are group 1.

No charging or driving means no 12V to any devices, exept Clock, parking light ,hazard light and indoor light.
(its an old car, no security system, keyless entry etc.)