Emergency Stop Wiring

Joxson
Posts: 15
Joined: Tue Oct 22, 2019 6:29 am
Location: Sweden

Emergency Stop Wiring

Post by Joxson »

Hello Everyone!

I have been searching around but can't find anything so I will ask.
As per law here in Sweden you have to have an emergency stop button inside of the car. As I know you can blow the inverter if pulling the contactors while driving. So that is a big "NO". My other thought was to put it so it turns off the forward and reverse inputs so it basically just puts the car in neutral and you can't drive until you reset the emergency stop. But that feels like cheating, I would like to switch off the contactors without anything breaking.

So, what if I put the ignition through the emergency stop so if I push the emergency stop the ignition shuts off. Is that safe? Does the controller have some kind of safe "turn off"?

What would you do?
Best Regards
Joachim Westerlund :)
Ctwidle
Posts: 89
Joined: Wed Jan 06, 2021 9:44 pm
Been thanked: 11 times

Re: Emergency Stop Wiring

Post by Ctwidle »

Hi Joachim, I’m in the same situation and in the absence of a more enlightened contribution, and after reading responses from Arber and Johu to a similar question, I plan to put the “Oh crap” button in the 12v feed to the DNR switch where I believe it will effectively put the car into neutral. Whereas the “inertia switch” (recommended by the Australia code of practice) will cut the power supply to the ignition circuit with the potential of damage to some inverters.
The attachment is from the Australian National Code Of Practice 14.
I’m no authority and welcome more informed responses.
Chris
Attachments
image.jpg
Zieg
Posts: 140
Joined: Mon Apr 25, 2022 3:31 am
Has thanked: 58 times
Been thanked: 52 times

Re: Emergency Stop Wiring

Post by Zieg »

Would putting it in neutral stop you if you find yourself in an unintended acceleration situation? We've seen that happen before, be it from unintended regen or who knows what else.

In the industrial world, an emergency stop prioritises human safety over machine safety, and in certain cases an e-stop will damage equipment. With that philosophy in mind, I do plan to use my e-stop to kill both contactors. Only for use in a true "OH SHIT" situation - but I'd rather blow my inverter than launch into traffic or something.
johu
Site Admin
Posts: 5789
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 157 times
Been thanked: 1023 times
Contact:

Re: Emergency Stop Wiring

Post by johu »

In sine firmware yes, in FOC firmware, no. Guess which variant has higher probability of run-away 😏
If available the emcystop input of the logic board is a good choice as it instantly kills PWM.

I've never dared turning the ignition off in a run-away condition but it is potentially nicer to hardware as it stops PWM and contactors.
Support R/D and forum on Patreon: https://patreon.com/openinverter - Subscribe on odysee: https://odysee.com/@openinverter:9
Ctwidle
Posts: 89
Joined: Wed Jan 06, 2021 9:44 pm
Been thanked: 11 times

Re: Emergency Stop Wiring

Post by Ctwidle »

Tom, in his latest VCU, puts the inertia switch in the HVIL loop but I don’t know how the VCU handles that input.
arber333
Posts: 3265
Joined: Mon Dec 24, 2018 1:37 pm
Location: Slovenia
Has thanked: 80 times
Been thanked: 234 times
Contact:

Re: Emergency Stop Wiring

Post by arber333 »

Joxson wrote: Mon Apr 24, 2023 9:17 pm Hello Everyone!

I have been searching around but can't find anything so I will ask.
As per law here in Sweden you have to have an emergency stop button inside of the car. As I know you can blow the inverter if pulling the contactors while driving. So that is a big "NO". My other thought was to put it so it turns off the forward and reverse inputs so it basically just puts the car in neutral and you can't drive until you reset the emergency stop. But that feels like cheating, I would like to switch off the contactors without anything breaking.

So, what if I put the ignition through the emergency stop so if I push the emergency stop the ignition shuts off. Is that safe? Does the controller have some kind of safe "turn off"?

What would you do?
Well if you consider what effect you want to achieve with the mechanism...
1. EMGC button (Notaus) is meant to secure equipment OFF from operating with presumption that you can reengage the equipment ON after the causing event passed.

2. "Fuel cut switch" or overturning switch is meant to cut the energy (fuel) supply in event of accident where you don't particularly think of reusing the car but rather limit the damage already done by accident so as not to spread more fuel into the localised fire or cut the power so as not to cause short somewhere where there is no fuse safety i.e. the metal chassis path.

I actually did talk to inspector and reason with them in the similar way at TUV for my Pug. Tell them you have two safeties in effect; one to be able to stop the car effectively and the other in the case of damage.
Another argument is: Two safeties increase robustness as there is no expected single failure to cross both safeties.
EV_Builder
Posts: 1199
Joined: Tue Apr 28, 2020 3:50 pm
Location: The Netherlands
Has thanked: 16 times
Been thanked: 33 times
Contact:

Re: Emergency Stop Wiring

Post by EV_Builder »

Well to elaborate a bit on this. In situ one it's not about "off".
It's about a "safe state". For example weights should still be kept in the air and movements should be actively decelerated.

Also certain parts of the machine should be moveable separately still in order to be able to unlock doors and gain access for example.

So my point it's not simple off but a strategy can/should be behind it.
Converting an Porsche Panamera
see http://www.wdrautomatisering.nl for bespoke BMS modules.
arber333
Posts: 3265
Joined: Mon Dec 24, 2018 1:37 pm
Location: Slovenia
Has thanked: 80 times
Been thanked: 234 times
Contact:

Re: Emergency Stop Wiring

Post by arber333 »

EV_Builder wrote: Tue Apr 25, 2023 10:10 am Well to elaborate a bit on this. In situ one it's not about "off".
It's about a "safe state". For example weights should still be kept in the air and movements should be actively decelerated.

Also certain parts of the machine should be moveable separately still in order to be able to unlock doors and gain access for example.

So my point it's not simple off but a strategy can/should be behind it.
Well I suggest you carefully read the requirement and then you can make an argument on the case of this.
The way I understand Notaus requirement is to prevent the machine/vehicle from operating/driving. Then you can argue that simple neutral switch already achieves that requirement. I don't see any OEM car with red button built in. That is the function of Neutral gear.
There is additional point that THAT particular action should not allow for simple switch toggle to get it back in operation. It requires a determined separate action. This is why Notaus switches have to be rotated for release.

But 12V system will continue to operate lights and brakes will still have servo function and steering will work... failsafe operation is not (should not be) dependent on a single system. This is why you still have 12V battery and DCDC on top of that.

Of course there probably is additional safety requirement for a case of accident and other for EMC etc...
The point is those are separate requirements and shouldn't be mixed together for fear of defeating the robustness of your solution(s). I.e. failsafe method of operation etc...
EV_Builder
Posts: 1199
Joined: Tue Apr 28, 2020 3:50 pm
Location: The Netherlands
Has thanked: 16 times
Been thanked: 33 times
Contact:

Re: Emergency Stop Wiring

Post by EV_Builder »

I have read it. It's about a "safe state" not about shutting "off".
I'm not saying that a safe state doesn't mean you shut something off, what I try to preach is that it could be more sophisticated sequence.
That's why there exist safety controllers etc.

If I was the builder I would give the safety button multiple break contacts. One which indeed switches drive to neutral and the second activates delay timer. After x seconds relays of main battery are opened.

In that way you safe state the vehicle "controlled" with KISS components and you have dual independent layer.
Converting an Porsche Panamera
see http://www.wdrautomatisering.nl for bespoke BMS modules.
arber333
Posts: 3265
Joined: Mon Dec 24, 2018 1:37 pm
Location: Slovenia
Has thanked: 80 times
Been thanked: 234 times
Contact:

Re: Emergency Stop Wiring

Post by arber333 »

EV_Builder wrote: Tue Apr 25, 2023 11:35 am I have read it. It's about a "safe state" not about shutting "off".
I'm not saying that a safe state doesn't mean you shut something off, what I try to preach is that it could be more sophisticated sequence.
That's why there exist safety controllers etc.

If I was the builder I would give the safety button multiple break contacts. One which indeed switches drive to neutral and the second activates delay timer. After x seconds relays of main battery are opened.

In that way you safe state the vehicle "controlled" with KISS components and you have dual independent layer.
I understand. But homo sapiens is not a predictive animal and OEMs can't rely on human doing the right thing.
This is why we try to establish uniform procedures to help operators of complex machines. We all learn what N means and how to get vehicle there. So we can safely assume driver behaviour will follow that scheme every time.
There are also mechanical solutions like interlock. If some connector with interlock gets broken or disconnected it will immediately remove power holding contactors closed.
EV_Builder
Posts: 1199
Joined: Tue Apr 28, 2020 3:50 pm
Location: The Netherlands
Has thanked: 16 times
Been thanked: 33 times
Contact:

Re: Emergency Stop Wiring

Post by EV_Builder »

I don't get your point. I didn't couple any human action into the Estop except pressing that button.

OP writes about Estop sequence disconnecting the pack and freeing the wheels. Call it a non coupled 2 stage Estop. So the disconnect happens anyway but the drive does get the chance to save itself.
It all depends on requirements of the timing. But normally one wants to brake first anyway....

Like a robot gets the chance to slow down before being powerless.

So yes use all those switches etc. but use a safety relay with a timer so drive indeed can switch to neutral but the working doesn't depend on ever reaching that neutral or not.

HVIL circuitry should be fit for this and could be used in the last stage too.

We are talking small delays anyway. Enough to save the drive and enough to be responsive.
Converting an Porsche Panamera
see http://www.wdrautomatisering.nl for bespoke BMS modules.
muehlpower
Posts: 575
Joined: Fri Oct 11, 2019 10:51 am
Location: Germany Fürstenfeldbruck
Has thanked: 12 times
Been thanked: 103 times

Re: Emergency Stop Wiring

Post by muehlpower »

EV_Builder wrote: Wed Apr 26, 2023 7:52 am I don't get your point. I didn't couple any human action into the Estop except pressing that button.

OP writes about Estop sequence disconnecting the pack and freeing the wheels. Call it a non coupled 2 stage Estop. So the disconnect happens anyway but the drive does get the chance to save itself.
It all depends on requirements of the timing. But normally one wants to brake first anyway....

Like a robot gets the chance to slow down before being powerless.

So yes use all those switches etc. but use a safety relay with a timer so drive indeed can switch to neutral but the working doesn't depend on ever reaching that neutral or not.

HVIL circuitry should be fit for this and could be used in the last stage too.

We are talking small delays anyway. Enough to save the drive and enough to be responsive.
The function you describe could already be done with a capacitor and a diode in front of the corresponding relay (main contactors). If done skillfully, it would work with any type of shutdown, ignition, crash sensor, emergency stop.
EV_Builder
Posts: 1199
Joined: Tue Apr 28, 2020 3:50 pm
Location: The Netherlands
Has thanked: 16 times
Been thanked: 33 times
Contact:

Re: Emergency Stop Wiring

Post by EV_Builder »

Yes sure! That's implementation considerations but i agree we don't need an uC for everything.
Converting an Porsche Panamera
see http://www.wdrautomatisering.nl for bespoke BMS modules.
catphish
Posts: 955
Joined: Fri Oct 08, 2021 11:02 pm
Location: Dorset, UK
Has thanked: 94 times
Been thanked: 179 times

Re: Emergency Stop Wiring

Post by catphish »

In my opinion the *best* solution here is a two stage circuit. The first thing to do is always to hit the emcystop input of the inverter. This will *instantly* shut down all IGBTs. It has the same effect as going into neutral, but totally overriding the software, and not waiting for the next PWM cycle.
Once this has been done, there will be a short period where unwanted regen is occurring. This is the danger zone where opening the contactors will fly the inverter. In an induction motor, this may be in the order of hundreds of milliseconds. Then, if required, after some delay managed by a small delay circuit, you could open the contactors.

With that said, I would likely not do any of that. On a more practical front, you may not have access to the emcystop pin. The SDU certainly doesn't have this externally exposed. In this case, I would simply have the emergency stop button put the inverter into neutral. The way the code is written, this is also a very direct way to stop the inverter (PWM output is totally stopped in neutral).

I wouldn't want to risk such a switch being accidentally activated and blowing up my inverter, so most likely I wouldn't link it to the contactors at all, as long as shutting down the inverter meets the legal requirement, I think wiring it in parallel with the gear selector is sufficient for the huge majority of requirements.

Of course if you do need to shut off the HV in an emergency, you should be able to use the ignition switch.

This information applies to the Tesla drive units. Other inverters and motors may behave very unpleasantly if you drop them into neutral at speed, so always consult your manual before following my advice!
celeron55
Posts: 776
Joined: Thu Jul 04, 2019 3:04 pm
Location: Finland
Has thanked: 28 times
Been thanked: 110 times
Contact:

Re: Emergency Stop Wiring

Post by celeron55 »

The way I would think about it is, you don't want the button to have a chance of breaking equipment because then you won't press it when you have to. You won't really even be able to test whether it works in a realistic situation.

If an uninformed driver presses it, they surely don't think they'll have to have the entire HV system replaced for thousands of €.

Also note that by shutting down PWM in a permanent magnet motor, if you're in the field weakening zone (above base frequency) you may partially lock the drive wheels until speed decreases to base frequency. Regardless, if you have the chance to do this, it's probably the best solution.

As said, it's possible on many openinverter boards. It's also possible with e.g. the stop input of the GS450H inverter which is generally connected to the P gear selection. Not sure if it directly shuts down PWM but being OEM I'm sure it will do what it needs to even if it's just software inside.

Probably what I'd do is immediately put the gear selector in neutral and with an abundant delay open the contactors.

I'd connect the inertia switch to do something similar.

Personally in my cars I'm planning to add an inertia switch, but with no hardwired function. It will stop the throttle command and after a delay open the contactors, in software, possibly even checking that the car has actually stopped before doing that. The goal IMO is to have the contactors open by the time someone comes to dig yourself out of the car after an accident.
johu
Site Admin
Posts: 5789
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 157 times
Been thanked: 1023 times
Contact:

Re: Emergency Stop Wiring

Post by johu »

celeron55 wrote: Thu Apr 27, 2023 3:40 am The way I would think about it is, you don't want the button to have a chance of breaking equipment because then you won't press it when you have to. You won't really even be able to test whether it works in a realistic situation.
Much agree on that. In the runaway situation with Touran I didn't dare just turning the ignition off because I was afraid of being stranded in a very non-favorable spot in case it would cause any sort of destruction. So instead I just hit the brakes hard which also enabled me to stop somewhere where it was not dangerous to do so.

With async motors/sine firmware the solution is easy as indeed the PWM is shut down by going into neutral.

With sync motors/foc firmware the safe state is far from obvious. Simple PWM shutdown leads to temporarily locked up wheels if you're in overspeed (a very probable speed region in a runaway condition) and a pretty terrible current surge. That's why the PWM isn't shut down in FOC firmware when going into neutral.

Opening the contactors will very likely destroy your inverter and the contactors themselves.
EDIT: safety equipment itself can turn into a hazard. So if your fancy button/inertia switch/its wiring/connector fails and it rips your contactors open you could find yourself in a very unsafe situation.

So it has to be a software-defined shutdown. No easy answers here.
Support R/D and forum on Patreon: https://patreon.com/openinverter - Subscribe on odysee: https://odysee.com/@openinverter:9
rstevens81
Posts: 353
Joined: Sun Dec 22, 2019 10:36 am
Location: Bristol, UK
Has thanked: 23 times
Been thanked: 92 times

Re: Emergency Stop Wiring

Post by rstevens81 »

The only solution I can come up with is to use a fuel pump inertia switch wired into the positive (after fuse) side of the contactors.
Or if you're using a relay to trigger your 12v which includes the contactors then the input to the coil would be a good place.
The current rating seems to be ok at 10 amps that should be ok for a contactor. OBS you still run risk of loose connection causing contactors to open but just need to make extra sure the connections are good.
https://www.carbuilder.com/uk/inertia-safety-switch

Inertia sensors for fuel pumps are designed so that they will go off in a crash but not before (see accn plot in link).
Tbh I don't really care what happens to my inverter once I have crashed as that will most likely be the least of my worries.

As both johu and celeron have stated there are no perfect options ... Just pick one you're happiest with.
Rule 1 of EV Club is don't buy a rust bucket....
Which rule does everyone forget 🤪
EV_Builder
Posts: 1199
Joined: Tue Apr 28, 2020 3:50 pm
Location: The Netherlands
Has thanked: 16 times
Been thanked: 33 times
Contact:

Re: Emergency Stop Wiring

Post by EV_Builder »

rstevens81 wrote: Sat Apr 29, 2023 9:47 pm The only solution I can come up with is to use a fuel pump inertia switch wired into the positive (after fuse) side of the contactors.
Or if you're using a relay to trigger your 12v which includes the contactors then the input to the coil would be a good place.
The current rating seems to be ok at 10 amps that should be ok for a contactor. OBS you still run risk of loose connection causing contactors to open but just need to make extra sure the connections are good.
https://www.carbuilder.com/uk/inertia-safety-switch

Inertia sensors for fuel pumps are designed so that they will go off in a crash but not before (see accn plot in link).
Tbh I don't really care what happens to my inverter once I have crashed as that will most likely be the least of my worries.

As both johu and celeron have stated there are no perfect options ... Just pick one you're happiest with.
Well a crash sensor to disconnect mains from an EV is surely a good idea!
We don't want the car to become HV- or HV+ or generating a short between the two.
Converting an Porsche Panamera
see http://www.wdrautomatisering.nl for bespoke BMS modules.
xp677
Posts: 436
Joined: Sat Jul 27, 2019 10:53 am
Location: UK
Has thanked: 1 time
Been thanked: 13 times

Re: Emergency Stop Wiring

Post by xp677 »

I just stumbled on this while searching for another topic. This falls within my field of work, so I might be able to shed some light on the matter.

Emergency stop systems should be designed such that the user must not need to consider the repercussions of using the emergency stop function. That is, there should never be an option to think "will this cause damage", etc. The same concerns mentioned here are also applied within industrial automation systems, and measures to mitigate them are built into the safety systems which we design.

Have a look at this document on emergency stop categories: https://machinerysafety101.com/2010/09/ ... ategories/

I think it's been established above, in this thread, that a category 0 stop is inappropriate for an EV. As such, an emergency stop button would likely be best used to trigger a category 1 stop, using code which requests zero torque from the inverter, disables auxiliary functions (cabin heater, AC pump, etc), and then opens the contactors once certain conditions are met (vehicle speed, current reading through contactors, etc).

I also agree that an inertia switch could be used to trigger a category 0 stop, since if the car has crashed, more importance is placed on the immediate safe isolation of HV components, rather than loss prevention of switching hardware.

When implementing such functions, it's important to ensure that we have a sufficient level of diagnostic coverage on the chosen components: https://machinerysafety101.com/2017/02/ ... is-part-5/

For example, most emergency stop switches are dual channel, with either 1 NO and 1 NC contact, or 2NC contacts. Separate test pulses are generated by a safety PLC for each contact, and the responses are monitored cyclically. This ensures that if one contact were to fail, the other would be able to operate, and just as importantly, the safety system would know about the failure as soon as it occurs - rather than when the button is next pressed!

I'm currently working on a vehicle controller for a new project, as part of this I am implementing a safety system which sends pulses to various components, including HV interlocks, contactor feedback, estop switch, and an inertia switch. The system monitors these for activation or failure, comparing the results with the expected state of each input, and executing a safe stop if required. The hardware is based on that found within an industrial safety PLC (this one: https://www.pilz.com/en-NL/eshop/Small- ... p/p/772002). In fact, an off-the-shelf unit such as this could be used for EV project safety. (note that these are much cheaper second hand!)
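
The category 1 sequence described in the post above (zero torque request, auxiliaries off, contactors opened once speed and current conditions are met), with the inertia switch as a category 0 trigger and a discrepancy check on a dual NC e-stop, as an added example; it is not code from any poster or from openinverter. All names, thresholds and the timeout fallback (after the delay-timer suggestion earlier in the thread) are assumptions, and test pulsing of the channels is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed illustrative thresholds; none of these values come from the thread. */
#define SPEED_STOPPED_KPH 3     /* below this the car counts as stopped      */
#define CURRENT_SAFE_A    5     /* pack current low enough to open under     */
#define STOP_TIMEOUT_MS   2000  /* stage-2 timer: isolate even if not met    */
#define DISCREPANCY_MS    50    /* max time the two NC channels may disagree */

typedef enum { ST_RUN, ST_STOPPING, ST_ISOLATED } stop_state_t;

typedef struct {
    bool ch_a_closed, ch_b_closed; /* 2x NC e-stop contacts; closed = not pressed */
    bool inertia_tripped;          /* crash sensor */
    int32_t speed_kph;
    int32_t pack_current_a;        /* magnitude */
} stop_inputs_t;

typedef struct {
    stop_state_t state;
    uint32_t stopping_ms;          /* time spent in ST_STOPPING */
    uint32_t disagree_ms;          /* time the channels have disagreed */
    bool channel_fault;            /* latched: one contact has failed */
    bool torque_enable, aux_enable, contactors_closed; /* outputs */
} stop_ctx_t;

void stop_init(stop_ctx_t *c)
{
    *c = (stop_ctx_t){ .state = ST_RUN, .torque_enable = true,
                       .aux_enable = true, .contactors_closed = true };
}

/* Call cyclically with the elapsed time since the previous call. */
stop_state_t stop_step(stop_ctx_t *c, const stop_inputs_t *in, uint32_t dt_ms)
{
    /* Dual-channel monitoring: a persistent disagreement means one contact
       has failed, so the fault is known before the button is next needed. */
    if (in->ch_a_closed != in->ch_b_closed) {
        c->disagree_ms += dt_ms;
        if (c->disagree_ms > DISCREPANCY_MS) c->channel_fault = true;
    } else {
        c->disagree_ms = 0;
    }
    /* Either channel opening counts as a press (1-out-of-2). */
    bool stop_req = !in->ch_a_closed || !in->ch_b_closed || c->channel_fault;

    if (in->inertia_tripped) {
        c->state = ST_ISOLATED;            /* category 0: isolate HV now */
    } else if (c->state == ST_RUN && stop_req) {
        c->state = ST_STOPPING;            /* category 1, stage 1 */
        c->stopping_ms = 0;
    } else if (c->state == ST_STOPPING) {
        c->stopping_ms += dt_ms;
        bool safe = in->speed_kph <= SPEED_STOPPED_KPH &&
                    in->pack_current_a <= CURRENT_SAFE_A;
        if (safe || c->stopping_ms >= STOP_TIMEOUT_MS)
            c->state = ST_ISOLATED;        /* category 1, stage 2 */
    }
    /* ST_ISOLATED is latched: leaving it needs a separate reset (not modelled). */

    c->torque_enable     = (c->state == ST_RUN);
    c->aux_enable        = (c->state == ST_RUN);
    c->contactors_closed = (c->state != ST_ISOLATED);
    return c->state;
}

int main(void)
{
    stop_ctx_t c;
    stop_init(&c);
    /* Constructed scenario: button pressed at 80 km/h, car coasts down. */
    stop_inputs_t in = { false, false, false, 80, 120 };
    for (int t = 0; t < 3000 && c.state != ST_ISOLATED; t += 10) {
        stop_step(&c, &in, 10);
        if (in.speed_kph > 0) in.speed_kph--;
        in.pack_current_a = 0;             /* zero torque has been requested */
    }
    printf("isolated at %d km/h after %u ms in STOPPING\n",
           (int)in.speed_kph, (unsigned)c.stopping_ms);
    return 0;
}
```
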
modellfan
Posts: 37
Joined: Tue Jul 12, 2022 11:20 am
Has thanked: 4 times
Been thanked: 5 times

Re: Emergency Stop Wiring

Post by modellfan »

What is happening, if I remove the 12V supply of the Open Inverter control board when hitting the emergency switch?

I am thinking of building up a system with a VCU that can switch between a charging mode -> VCU closes contactors no voltage to oi board and a drive mode -> 12 V to OI board. Additionally I can double trip the contactors when oi is running. That would even in a reboot event of OI save my SDUs life.
arber333
Posts: 3265
Joined: Mon Dec 24, 2018 1:37 pm
Location: Slovenia
Has thanked: 80 times
Been thanked: 234 times
Contact:

Re: Emergency Stop Wiring

Post by arber333 »

modellfan wrote: Sun Sep 03, 2023 10:39 pm What is happening, if I remove the 12V supply of the Open Inverter control board when hitting the emergency switch?

I am thinking of building up a system with a VCU that can switch between a charging mode -> VCU closes contactors no voltage to oi board and a drive mode -> 12 V to OI board. Additionally I can double trip the contactors when oi is running. That would even in a reboot event of OI save my SDUs life.
That is not a desirable situation as OI chip would go into brownout before supply would be fully discharged and its pins may become undefined. Gate drivers may have a problem with that...killing IGBTs.
Your best method would be to remove 12V from MPROT or EMGCY signals depending on your OI board version.
EV_Builder
Posts: 1199
Joined: Tue Apr 28, 2020 3:50 pm
Location: The Netherlands
Has thanked: 16 times
Been thanked: 33 times
Contact:

Re: Emergency Stop Wiring

Post by EV_Builder »

If I was you I would try to bring the HVIL signal external. That signal is designed to be Estopish behaviour. And still I advise to study its working to be sure you aren't safe by feeling instead of by design.
Converting an Porsche Panamera
see http://www.wdrautomatisering.nl for bespoke BMS modules.
johu
Site Admin
Posts: 5789
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 157 times
Been thanked: 1023 times
Contact:

Re: Emergency Stop Wiring

Post by johu »

Yes, that would be the only external signal that kills PWM on SDU boards. Be aware you need to pull it to ground to disable PWM. Simply dropping 5V won't turn it off. Oh and yes, it's a 5V signal, not 12V
Support R/D and forum on Patreon: https://patreon.com/openinverter - Subscribe on odysee: https://odysee.com/@openinverter:9
EV_Builder
Posts: 1199
Joined: Tue Apr 28, 2020 3:50 pm
Location: The Netherlands
Has thanked: 16 times
Been thanked: 33 times
Contact:

Re: Emergency Stop Wiring

Post by EV_Builder »

Is it a hardware signal or a software one?
Does it go to a logic gate for example or is it read as an input?

@OP:
So keep 12Volt high, but drop a relay which pulls this line to ground (on the correct place, in the correct way pull down?!?).. etc.
Converting an Porsche Panamera
see http://www.wdrautomatisering.nl for bespoke BMS modules.
johu
Site Admin
Posts: 5789
Joined: Thu Nov 08, 2018 10:52 pm
Location: Kassel/Germany
Has thanked: 157 times
Been thanked: 1023 times
Contact:

Re: Emergency Stop Wiring

Post by johu »

It's a hardware signal, one of the NAND tree's inputs
Support R/D and forum on Patreon: https://patreon.com/openinverter - Subscribe on odysee: https://odysee.com/@openinverter:9