This school year, I redesigned HyTech Racing’s Formula SAE Brake System Plausibility Device (BSPD). Formula SAE Electric has a ruleset which competing teams must follow, and the BSPD is one of the required safety systems defined in these rules. The BSPD is a safety mechanism to prevent a runaway vehicle. It has two sensor inputs. One senses how much current is traveling from the high voltage battery pack into the motor. The other senses whether the brakes are being actuated. The idea is that if the motor keeps outputting torque after the driver has let off the accelerator pedal, they can press the brake pedal, which will initiate a hardware shutdown of the high voltage system, cutting off power to the motor.
Requirements
The requirements for the BSPD are laid out in the 2017 FSAE Rules, section EV5.6:
A standalone non-programmable circuit must be used on the car such that when braking hard (without locking the wheels) and when a positive current is delivered from the motor controller (a current to propel the vehicle forward), the AIRs will be opened. The current limit for triggering the circuit must be set at a level where 5kW of electrical power in the DC circuit is delivered to the motors at the nominal battery voltage. The action of opening the AIRs must occur if the implausibility is persistent for more than 0.5sec. This device must be provided in addition to the plausibility checks which are carried out by the controller which interprets the drivers torque request and delivers torque to the wheels. See also EV5.1.4 and EV5.1.5 regarding the re-activation of the tractive system after triggering of the BSPD.
Solution
Parsing the rule out, we first see that the circuit must not be programmable. I used comparators, op-amps, logic gates, and relays, along with passive components such as resistors and capacitors - no software involved.
Next, we see the phrase “when braking hard (without locking the wheels)”. This sounds complicated, but from online discussions, the passing of our ESF, and our own tech inspection at FSAE Electric, it becomes clear that they really only require this circuit to check for hard braking. We set this value by pressing the brake pedal as hard as possible by hand, and recording the resulting voltage output by our brake pressure transducer. When pressing hard with one’s foot, this value is easily exceeded.
In addition to checking if the brake pedal is pressed hard, this circuit needs to sense the current going from the high voltage battery pack to the motor. Instead of using a threshold of 5kW, which would mean a variable current as the battery pack voltage changes, the rule specifies that we can use the current required to produce 5kW of power at the pack’s nominal voltage. This means we can compare our current sensor output to a static threshold. To calculate the threshold voltage for the current sensor, we first need to calculate the threshold current. For this, we simply divide 5kW by the vehicle’s nominal battery voltage (266.4V), giving us 18.77A (5,000V*A / 266.4V = 18.77A). Next, we calculate the output voltage from our ISB-100-A-604 current sensor at 18.77A. Since the sensor has a linear output of 2.5V at 0A and 4.5V at 100A, we get the formula v(a) = a/100*2 + 2.5. For a = 18.77A we get v = 2.875V. This is our threshold voltage for the BSPD current sensor input.
The BSPD should take in both of these sensor values, and open the AIRs (Accumulator Isolation Relays) if the sensor values are above their respective thresholds concurrently. AIRs are the high voltage contactors on each of the poles of the battery pack that isolate the high voltage circuit from the rest of the vehicle when the vehicle is not running. The vehicle is required to have a “Shutdown Circuit”, which is a sequence of safety systems wired in series, any of which can interrupt the signal used to power the AIR coils. To meet this required functionality, our BSPD controls a relay which can open the Shutdown Circuit.
Implementation
This BSPD implementation processes each sensor input by comparing it to a threshold voltage with an MCP6542 comparator. For each channel, a potentiometer is used to create the comparison voltage. The output of each comparator channel is driven high whenever the sensor signal exceeds the voltage of the corresponding potentiometer. These two outputs are fed into a SN74AHC1G09 AND gate. This gate has an open-drain output, so whenever both comparator output signals are high (signaling that both brake and current sensors are above their thresholds), this AND gate output will switch to high-impedance. This high-impedance output basically means that the gate output acts as an open circuit. If both sensors are not above their thresholds, the AND gate will pull the output pin to GND. The reason I chose this functionality was because it makes it easy to integrate with an RC timer circuit.
Why would we want to use a timer? The rule states that the AIRs must only be opened if the implausibility (both sensors are above their thresholds) is persistent for over 0.5 seconds. While one naive solution would be to open the high voltage contactors as soon as both fault conditions are met, we wanted to lower the possibility that our BSPD triggers during normal driving. By requiring the implausibility to persist for about half a second before triggering, we curb one of the most likely reasons for the BSPD to get triggered. If the driver were to press the brake and accelerator pedals simultaneously, the APPS / Brake Pedal Plausibility Check would kick in, shutting down torque to the motor. However, for some brief time there might be a high level of current flowing through the battery pack which could set off the BSPD. Waiting for the condition to exist up to 0.5 seconds before triggering the BSPD makes this a much smaller concern.
Our timer utilizes a single 0.47μF capacitor and a 680kΩ resistor to charge it. During normal operation the SN74AHC1G09 AND gate output is pulled to ground, and the capacitor discharges through a 330Ω resistor. This resistance value is much lower so that the capacitor can quickly discharge if a fault condition no longer exists. This 330Ω resistor technically sets up a resistor divider, meaning the capacitor will not discharge below 0.0024V (5V * (330 / (330 + 680000)) = 0.0024V). Since 330Ω is several orders of magnitude below the 680kΩ resistor value, and considering these are 1% tolerance components, we can probably ignore this when calculating the RC timer characteristics. My go-to online RC timer calculator calculates that the capacitor will reach 3.95V at 0.5 seconds, so we set the RC timer threshold potentiometer to output this voltage.
The capacitor and threshold potentiometer are both fed into another MCP6542 comparator. When the capacitor voltage exceeds the potentiometer, meaning the fault conditions have persisted for 0.5 seconds, the comparator drives its output high. If the BSPD_ENABLE jumper is installed, this then powers a CPC1002N solid state relay which switches 12V to a DPDT relay. In order to meet EV5.1.4 and EV5.1.5, this relay is configured to latch the Shutdown Circuit open, so even if the fault condition clears, the relay continues to power itself. The circuit will remain latched until GLV power is recycled from the GLV Master Switch, which is not accessible to the driver.
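The threshold arithmetic and the timer behaviour described above can be checked with a small model. This is an added example, not part of the original design files: it assumes ideal comparators, a 5V rail, and a capacitor sitting at the node between the 680kΩ and 330Ω resistors, and the function names and input traces are constructed for illustration.

```python
import math

V_RAIL = 5.0            # volts; the rail value used in the divider calculation above
R_CHARGE = 680e3        # ohms
R_DISCHARGE = 330.0     # ohms
C_TIMER = 0.47e-6       # farads
PACK_NOMINAL_V = 266.4  # volts
POWER_LIMIT_W = 5000.0  # watts, from EV5.6

def current_threshold_amps():
    return POWER_LIMIT_W / PACK_NOMINAL_V

def sensor_volts(amps):
    """ISB-100-A-604 transfer function: 2.5 V at 0 A, 4.5 V at 100 A."""
    return amps / 100.0 * 2.0 + 2.5

def timer_threshold_volts(delay_s=0.5):
    """Capacitor voltage after delay_s of charging from 0 V through R_CHARGE."""
    return V_RAIL * (1.0 - math.exp(-delay_s / (R_CHARGE * C_TIMER)))

def trip_time(segments):
    """segments: (duration_s, motor_amps, brake_hard) tuples, in order.
    Returns the time at which the latch would set, or None if it never does."""
    i_thresh_v = sensor_volts(current_threshold_amps())
    v_trip = timer_threshold_volts()
    floor = V_RAIL * R_DISCHARGE / (R_DISCHARGE + R_CHARGE)  # divider floor
    tau_charge = R_CHARGE * C_TIMER
    tau_discharge = (R_CHARGE * R_DISCHARGE) / (R_CHARGE + R_DISCHARGE) * C_TIMER
    v_cap, elapsed = floor, 0.0
    for duration, amps, brake_hard in segments:
        fault = brake_hard and sensor_volts(amps) > i_thresh_v  # AND gate
        target, tau = (V_RAIL, tau_charge) if fault else (floor, tau_discharge)
        if fault:
            # Time for the exponential to climb from v_cap to v_trip.
            t_cross = -tau * math.log((V_RAIL - v_trip) / (V_RAIL - v_cap))
            if t_cross <= duration:
                return elapsed + t_cross  # latched: later segments are irrelevant
        v_cap = target + (v_cap - target) * math.exp(-duration / tau)
        elapsed += duration
    return None

# Constructed traces: a brief pedal overlap, then a persistent implausibility.
BRIEF_OVERLAP = [(1.0, 40.0, False), (0.3, 40.0, True), (0.01, 5.0, True), (0.3, 40.0, True)]
PERSISTENT = [(1.0, 40.0, False), (0.6, 40.0, True)]
```

In this model the 10ms gap in BRIEF_OVERLAP is enough to reset the timer, because the discharge time constant through the 330Ω resistor is roughly 155μs, while the PERSISTENT trace latches about 0.5 seconds after the fault begins.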
Extra Functionality
When designing this BSPD, there were a few extra features that I added. First, I added pull-up resistors to the BSPD inputs. What this means is that if the signal from a sensor to the BSPD gets interrupted, the BSPD will detect a fault condition for that channel. While this was not listed as a rule requirement for the BSPD, it could come up on the Failure Modes and Effects Analysis (FMEA) or during tech inspection since it is a safety issue. Another addition was an RC filter on each input. After dealing with noise issues with our Accelerator Pedal Position Sensor (APPS), we added similar filters to the pedal sensor outputs. Since the BSPD could be similarly affected by noise, we thought it best to add filters to these sense lines as well.
Another item I added was a normally open relay in series on the Shutdown Circuit. While not part of the BSPD rules, EV5.1.6 states:
All circuits that are part of the shutdown circuit must be designed in a way, that in the de-energized/disconnected state they are open such that each circuit will remove the current controlling the AIRs.
Since our latching relay configuration leaves the Shutdown Circuit normally closed, it seems to not meet this rule. By adding the normally open relay and considering both relays to be part of the single BSPD circuit, this design was able to work around EV5.1.6.
In addition, I added a system of LED indicators and probe points. Many of the BSPD signals drive LEDs so the status of the BSPD can be easily ascertained. For example, a red LED turns on when the brake sensor output exceeds its threshold, and a yellow LED shows the same for the current sensor. A second AND gate in parallel with the SN74AHC1G09 chip drives an LED whenever both fault conditions are met simultaneously. Input signals as well as internal signals have probe points attached, allowing us to test the circuit and show the tech inspectors the internal workings of the BSPD. At FSAE Electric, we found that they did not have any questions about our BSPD, and simply wanted us to show that raising the current sensor BSPD input above some threshold while pressing the brake would trip the BSPD. Images showing the status LEDs are below, and the title image of this post shows the probe points.
Future updates
One change that I would recommend in a future update would be to allow for resistors to be soldered in place of potentiometers. Once the components are chosen and the system is built, there isn’t really a need to adjust the thresholds for the brake pressure transducer, current sensor, or RC timer. Utilizing potentiometers leaves the circuit open to accidental adjustment which could either cause the BSPD to not work when needed, or cause it to trigger under the wrong conditions. For FSAE Electric this year, we did replace the current sensor threshold potentiometer with two 0805 resistors, since they fit well with the potentiometer package. A better design would include pads for soldering the resistors, or might just replace the potentiometers with resistors, since the circuit can be calibrated without the use of potentiometers.
Board
The BSPD is integrated into the 2-layer Front ECU PCB on our vehicle. Linked here are the schematic and board files. The images below show Front ECU rev5 which is very similar to the rev7 used at FSAE Electric this year.