Re: pyBoard compatible E-Bike Computer - The pyEC

Posted: Mon Mar 02, 2020 9:43 am
by pythoncoder
metri wrote:
Sun Mar 01, 2020 1:43 pm
Is your concern in general about micro-controllers, or because this one is using MicroPython? I'm also curious about systems like self-balancing unicycles: how much redundancy do they have? I point out that one in particular because the high-speed ones can go 50 km/h and can't coast. Do you feel most electric motor controllers for e-bikes have this much redundancy built in?...
I am not an expert in safety critical systems - just a retired electronics engineer. The concept of triple redundancy with systems developed by separate teams is the architecture of control systems for things such as fly-by-wire aircraft and nuclear reactors. It applies to any system where an electronic control system intervenes between a human controller and a dangerous system, where the control system could put the system into a dangerous state independently of the actions of the human controller. The circumstance could be any type of hardware or software failure. The idea of using separate teams is to ensure that a design fault doesn't cause all three redundant systems to fail simultaneously. The concept has nothing to do with MicroPython or any specific implementation detail. Any computer can crash.

The architecture has practical difficulties, notably the design of the majority voter. This is well above my pay grade ;)

I have no idea which practical systems conform to this concept. I doubt cheap Chinese unicycles do, and I wouldn't ride one in circumstances where malfunction would cause serious injury. I'm talking protective clothing and an open area free of obstacles. In the worst case you can jump off. A motorcycle in traffic does not have that guaranteed get-out.

I would very much hope that cars with "fly by wire" throttles or brakes conform. As for e-bikes, if there's a processor between the throttle and the motor, I would hope so. But ultimately the motor will be driven by electronics like a PWM controller. Hard to implement redundancy there, but a semiconductor could fail. You've raised a very interesting question; alas I don't know the answer.

Would I want to trust my life to a PWM controller of unknown origin??

As an amateur I wouldn't touch a control system with safety critical implications. My self-balancing robot fell over often enough, and it had only itself to hurt ;)

Re: pyBoard compatible E-Bike Computer - The pyEC

Posted: Tue Mar 03, 2020 12:37 pm
by metri
pythoncoder wrote:
Mon Mar 02, 2020 9:43 am
Would I want to trust my life to a PWM controller of unknown origin??
Thanks so much for the detailed reply. I had a few thoughts to add. There are several kinds of processor problems I can think of: one is undesired code and another is a real crash. In my motor controller there is no backup processor, but likely a watchdog timer. In the event of a software problem there could be a runaway motor condition, but through proper testing this chance can be minimized (this relates to my Kelly Controller KLS controller). Now in the event of a crash, and assuming no watchdog or a watchdog malfunction, what happens? For a motor controller, the processor has stopped, so we have to assume timers etc. have stopped functioning, leaving the question of what happens to the outputs. If they go low, the motor coasts to a stop. If one stays high, you may have a phase energized, causing you to stop sooner rather than later. I can't see any scenario where the motor, due to a crash, gets into a runaway condition, as this would require calculations based on back EMF to continue spinning the motor. I have some experience with motor controllers and electric unicycles and haven't seen multiple processors, specifically in VESC, O-Drive and Kelly Controllers KLS. I don't recall a second one either in the RoboteQ controller I opened, but I'll have to search for pictures. I have 2 Chinese electric unicycles, and yes, perhaps they are dangerous, but very fun, and I doubt they have redundant processors. Neither of them has failed, though I admit it's possible. This is not to say you shouldn't, and I have only limited visual inspection of PCBs to conclude there is no second processor (except VESC & O-Drive, as the design is open source), but I don't think it's common on low-end devices. If we take this as true, we can move on to adding my pyEC inline in the system and how this changes the situation.

If I add a throttle map, controlled by pyEC, between the driver's throttle input and the motor controller, the situation is different. Assume the same 2 conditions, ignore the software error condition for now and consider only the high output condition on an IO pin (a DAC pin in this case). During an MCU crash (by crash I mean it stops executing code) not recovered by the watchdog timer, we now have a high throttle input to the motor controller with no way for the user to disengage it. Adding a physical bypass switch would do the job, but the time it takes to hit the switch could be too slow. You could have a separate external watchdog circuit that could connect the input -> output of the throttle. Basically a digital switch. In the event of no active input from the MCU, the throttle is automatically returned to driver control. I'll think about how to do this. I'm thinking that with a watchdog timer and a second auto-disconnect circuit, the safety level would be comparable to the motor controller's level of safety.

I really appreciate all the input, and safety is the most important design consideration.
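A simulation of the fail-safe arrangement sketched in the post above, written as an added example (not pyEC code and not from the original thread): the pyEC maps the rider's throttle onto its DAC and pulses a heartbeat, while an external watchdog switch, independent of the MCU, routes the rider's throttle straight to the motor controller when the heartbeat stops. The 100 ms heartbeat timeout, the quadratic throttle map and the rider releasing the throttle 50 ms after the crash are constructed assumptions.

```python
"""Fail-safe throttle gate simulation (added example, not pyEC code).
A crashed MCU stops kicking the watchdog and its DAC freezes at the last
value written; the external gate then bypasses it to the rider's input."""

HEARTBEAT_TIMEOUT_MS = 100   # assumed external watchdog timeout
RIDER_RELEASE_DELAY_MS = 50  # assumed: rider lets go 50 ms after the crash

class ThrottleGate:
    """External watchdog + analog switch. Sees only the heartbeat line,
    the rider's throttle and the MCU's DAC output; runs without the MCU."""

    def __init__(self, timeout_ms=HEARTBEAT_TIMEOUT_MS):
        self.timeout_ms = timeout_ms
        self.last_kick_ms = 0

    def kick(self, now_ms):
        self.last_kick_ms = now_ms

    def mcu_alive(self, now_ms):
        return now_ms - self.last_kick_ms <= self.timeout_ms

    def output(self, now_ms, rider_throttle, mcu_dac):
        # Pass the MCU-mapped throttle only while the heartbeat is fresh.
        return mcu_dac if self.mcu_alive(now_ms) else rider_throttle

def throttle_map(rider_throttle):
    """Constructed pyEC map: soften the low end with a quadratic curve."""
    return rider_throttle ** 2

def simulate(crash_at_ms, use_gate, end_ms=600, step_ms=10, rider_input=0.8):
    """Return [(t_ms, motor_controller_input)] for an MCU that stops
    executing at crash_at_ms with its DAC stuck at the last value written."""
    gate = ThrottleGate()
    dac = 0.0
    trace = []
    for t in range(0, end_ms + 1, step_ms):
        rider = rider_input if t < crash_at_ms + RIDER_RELEASE_DELAY_MS else 0.0
        if t < crash_at_ms:            # MCU running: refresh heartbeat, update DAC
            gate.kick(t)
            dac = throttle_map(rider)
        # After the crash: no kicks, DAC holds its last (high) value.
        motor_in = gate.output(t, rider, dac) if use_gate else dac
        trace.append((t, motor_in))
    return trace

def time_released(trace):
    """First time the motor controller sees zero throttle, or None."""
    return next((t for t, v in trace if v == 0.0), None)
```

With the gate the motor controller returns to the rider's (released) throttle one timeout after the last heartbeat; without it the frozen DAC keeps the motor energised indefinitely, which is the hazard the post describes.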

Re: pyBoard compatible E-Bike Computer - The pyEC

Posted: Sat Mar 07, 2020 8:25 pm
by vikebo
For road vehicles ISO 26262 is the standard for functional safety of electrical and electronic systems.

If you have a look at figure 1 here: ... ed-1:v1:en you can see that it applies from before the concept phase through decommissioning the product. You would need a well defined development process and extensive documentation to work according to the standard.

On the topics of safety measures you discuss, hazard analysis and the automotive safety integrity level (ASIL) rating would help to choose solutions (A is for automotive; ASIL is similar to, but not the same as, SIL). Have a look at tables 1 and 2 here: ... ulfunction

In short, you evaluate various relevant hazardous events involving the system for the complete vehicle in question and come up with ratings for severity (S, from moderate injuries to fatal accident), exposure (E, from unlikely to occur to likely to happen during every drive) and controllability (C, from easily handled by most drivers to uncontrollable). The combination will give you the ASIL rating from table 1. When you know the ASIL rating you will know more of what is required.

For the ratings above QM you would choose critical parts like sensors, motor driver, microcontroller, operating system and software development tools which have also been developed and manufactured to meet the ASIL rating. A search for "ASIL microcontroller" will give you examples.

As the second document shows, it is not trivial to develop the throttle control for a combustion engine in a motorbike either.

I think MSIL has been added to the standard after the above document was written and applies to motorbikes instead of ASIL, but the idea is probably similar. More details here: ... o-wheelers


Re: pyBoard compatible E-Bike Computer - The pyEC

Posted: Sun May 10, 2020 2:30 am
by metri
That's great info, thanks! For now I'm not controlling the throttle with the pyEC, though I would like to in the future. These standards represent best practice, but I wonder how hoverboards, electric unicycles and e-bikes in general are designed where safety is concerned. I'm not suggesting cutting corners, but I'm just curious about how any of this is regulated on these cheaper vehicles, especially the self-balancing ones.

Re: pyBoard compatible E-Bike Computer - The pyEC

Posted: Sun May 10, 2020 10:29 am
by pythoncoder
The self balancing ones aren't authorised for use on public roads. Certainly not here in the UK; my guess is anywhere. They lack necessary features. Like brakes...

Given the reports of hoverboards spontaneously combusting and torching houses I don't think they are built to particularly high standards.