Peter C. Thompson via EV wrote:
>> In a bus system (USB, CAN bus, etc.) any failed
>> device takes out the entire system.
>
> Actually not correct. CAN bus works if a unit fails - UNLESS that unit
> is blasting data on the bus.

But that is one of the failure modes. It could also fail by shorting
the bus, or doing something else that prevents transfers. If there's a
micro in every node, the ways it can crash are endless.

> Most likely, there will be separate circuits for each, so one
> failure doesn't take them all out.
> Redundancy is a nice-to-have feature, but overkill for this purpose.

Are you sure? If you build a system with 100+ micros (especially cheap
ones, made offshore, not conformally coated, with no watchdogs, etc.)
the odds of failure are pretty high. If each has an MTBF (mean time
before failure) of 100 years, one is likely to die about once a year.
Would *you* want a car that quits working every year, because one of
them fails, buried deep in a sealed-up pack, and the dealer wants to
replace the entire pack to fix it?

> If you have a major failure that takes out the bus, then it is common
> sense to stop the system.

Yes. But common sense is pretty uncommon. People routinely defeat
automatic safety shutdowns so they can keep using it anyway.

How many people do you know that put black tape over the "check engine"
light so they can just keep driving? In that case, they may wreck their
engine for lack of oil, loss of coolant, etc. But in this case,
defeating or ignoring the "check battery" light can cause a fire!

> I used the Elithion system for my first iteration of CALB battery pack.
> I LOVED the data gathering aspect, but HATED the communication failures
> that were all too common.
> I then switched to the miniBMS, and it covered all of my needs - EXCEPT
> for data gathering.
> Both systems covered the safety aspects, just had different approaches
> to how communication needed to work.
> Elithion - RS232, miniBMS - open a circuit in case of trouble.

These are perfect examples of what I'm talking about. The complex system
is great when it works, but it's not likely to be reliable. The simple
system is more likely to work.

But note that people still reported lots of failures even with the
simpler miniBMS. It is really *really* hard to design cheap things with
low failure rates!

> If we are to create a new system, we could definitely provide the data
> monitoring as well as safety monitoring - as long as we are using a
> robust communication transport. For me, that's either CAN bus or
> 100BASE-T1. Both are well proven in automotive environments.

They could work. But keep the communication circuits *separate* from the
safety circuits.

For one thing, you want the safety circuit to be able to say, "reported
cell voltages are wrong!"

This is a case where redundant circuits are necessary, because mistakes
can KILL people.
Lee
--
If happiness is on your mind, here's a daily list to find:
- something to do
- something to look forward to
- someone to love
- someone to take good care of
- and misbehave, just a little
--
Lee Hart, 814 8th Ave N, Sartell MN 56377, www.sunrise-ev.com
_______________________________________________
UNSUBSCRIBE: http://www.evdl.org/help/index.html#usub
ARCHIVE: http://www.evdl.org/archive/index.html
INFO: http://lists.evdl.org/listinfo.cgi/ev-evdl.org
Please discuss EV drag racing at NEDRA (http://groups.yahoo.com/group/NEDRA)
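The two technical points in the exchange above, the fleet-failure arithmetic ("100 micros with a 100-year MTBF lose one about once a year") and a safety circuit that does not take the reported cell voltages on trust, as an added worked example. This is illustration code written for this page, not code from the list post or from the Elithion or miniBMS products. It models the supervisor as a separate node with its own pack-voltage tap that only listens to the cell reports on the bus; every node ID, timestamp, threshold and sample frame is constructed for the illustration.

```python
"""Added example for the thread above; not code from the post or from the
Elithion or miniBMS products.  It models two of the points made there:

1. the fleet arithmetic behind "100 micros, each with a 100-year MTBF,
   lose one about once a year", and
2. a safety supervisor kept separate from the data-gathering path: it
   listens to the cell reports on the bus but has its own pack-voltage
   measurement, so it can decide that the reported cell voltages are
   wrong, and it also catches silent nodes, nodes flooding the bus, and
   frames from node IDs that should not exist.

Every node ID, timestamp, threshold and sample frame below is constructed
for the illustration.
"""
import math
from dataclasses import dataclass


def pack_failure_stats(n_nodes, mtbf_years, horizon_years):
    """Each node is an independent exponential failure process, and the pack
    is down as soon as any node dies.  Returns (pack MTBF in years,
    probability of at least one node failure within the horizon)."""
    pack_mtbf = mtbf_years / n_nodes
    p_any = 1.0 - math.exp(-n_nodes * horizon_years / mtbf_years)
    return pack_mtbf, p_any


@dataclass(frozen=True)
class Frame:
    node: int   # cell-monitor node ID as carried on the bus (constructed)
    t: float    # receive time in seconds
    mv: int     # reported cell voltage in millivolts


def evaluate(frames, measured_pack_mv, now, n_cells, *, timeout_s=1.0,
             max_rate_hz=20.0, cell_min_mv=2500, cell_max_mv=3650,
             sum_tol_mv=200):
    """Check one observation window ending at `now`.  Returns the list of
    faults; the safety loop stays closed only when the list is empty.
    `measured_pack_mv` comes from the supervisor's own voltage tap, not
    from anything received on the bus."""
    faults = []
    latest = {}   # node -> (t, mv) of its newest frame
    counts = {}   # node -> frames seen in the window
    t0 = min((f.t for f in frames), default=now)
    span = max(now - t0, 1e-9)
    for f in frames:
        counts[f.node] = counts.get(f.node, 0) + 1
        if f.node not in latest or f.t > latest[f.node][0]:
            latest[f.node] = (f.t, f.mv)

    # Frames from an ID outside the pack: misconfigured, spoofed or corrupt.
    for node in sorted(counts):
        if not 0 <= node < n_cells:
            faults.append(f"node {node}: unexpected node ID on the bus")

    for node in range(n_cells):
        # 1. Silent node: dead micro, open wire, crashed firmware.
        if node not in latest or now - latest[node][0] > timeout_s:
            faults.append(f"node {node}: no report within {timeout_s}s")
            continue
        # 2. Babbling node hogging the bus ("blasting data").
        if counts[node] / span > max_rate_hz:
            faults.append(f"node {node}: {counts[node]} frames in "
                          f"{span:.1f}s, flooding the bus")
        # 3. Range check on the value the node claims.
        mv = latest[node][1]
        if not cell_min_mv <= mv <= cell_max_mv:
            faults.append(f"node {node}: {mv} mV out of range")

    # 4. Plausibility: the reported cells must add up to what the
    #    supervisor measures itself.  A node that keeps reporting a
    #    healthy number for a collapsing cell is caught here, not above.
    if all(n in latest for n in range(n_cells)):
        reported = sum(latest[n][1] for n in range(n_cells))
        if abs(reported - measured_pack_mv) > sum_tol_mv:
            faults.append(f"reported cells sum to {reported} mV but the pack "
                          f"measures {measured_pack_mv} mV")
    return faults


def demo_scenarios():
    """Constructed 4-cell pack, one 1-second window, 10 reports/s per node.
    Returns the fault lists for: all healthy, node 2 dead, node 1 flooding,
    node 3 reporting a healthy 3330 mV while its cell is really at 2400 mV."""
    healthy = [Frame(n, 0.1 * k, 3300 + 10 * n) for n in range(4) for k in range(10)]
    pack_mv = sum(3300 + 10 * n for n in range(4))          # 13260 mV
    ok = evaluate(healthy, pack_mv, 1.0, 4)
    dead = [f for f in healthy if f.node != 2]
    silent = evaluate(dead, pack_mv, 1.0, 4)
    babble = [f for f in healthy if f.node != 1] + [Frame(1, i / 500, 3310) for i in range(500)]
    flood = evaluate(babble, pack_mv, 1.0, 4)
    lie = evaluate(healthy, pack_mv - 930, 1.0, 4)            # tap really reads 12330 mV
    return ok, silent, flood, lie


if __name__ == "__main__":
    print("pack MTBF (years), P(failure within 1 year):", pack_failure_stats(100, 100, 1))
    for name, faults in zip(("healthy", "silent", "flood", "lie"), demo_scenarios()):
        print(f"{name}: contactor {'CLOSED' if not faults else 'OPEN'} {faults}")
```

The "lie" scenario is the case the thread is really about: every reported value is in range and the bus is healthy, so a data-only monitor would be happy; only the supervisor's own measurement exposes the mismatch. Putting that measurement and the contactor decision in a circuit that the data path cannot reach is what "keep the communication circuits separate from the safety circuits" buys you.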