Design and Implementation of Safety Monitoring Function for Electric Vehicle Motor Control System

The motor control system is an important part of an electric vehicle, and its reliability is particularly important for vehicle safety. ISO 26262 divides the safety objectives of the whole vehicle into four safety integrity levels, from low to high: ASIL A, ASIL B, ASIL C and ASIL D. When the vehicle-level safety objectives are decomposed into functional safety requirements for the relevant parts, the requirements that apply to the motor control system must reach at least ASIL C for the vehicle to meet its functional safety objectives. However, a traditional motor controller is built around a single motor control chip, which often has difficulty reaching ASIL C. This paper therefore presents a safety monitoring design for the motor control system of pure electric vehicles. Adding a CIC61508 safety monitoring chip to monitor the motor control chip raises the safety level of the system to meet the ASIL C standard, and so meets the growing requirements of vehicle safety.

2 Safety monitoring function system architecture

The safety monitoring function of the electric vehicle motor control system described in this paper is divided into two levels - hardware level and software level.

The hardware level safety monitoring function system architecture includes the motor control chip that controls the motor operation, the safety monitoring chip, the power supply monitoring module that monitors the power supply voltage of the motor control chip, the voltage monitoring module that monitors the DC voltage, the current monitoring module that monitors the motor phase current, the temperature monitoring module that monitors the inverter temperature, and the hardware watchdog module.



The software-level safety monitoring function includes voltage monitoring, current monitoring, temperature monitoring, speed monitoring, torque monitoring, power monitoring, mode monitoring and communication monitoring, all implemented in the motor control chip, and the safety monitoring calling program implemented in the safety monitoring chip.

3 Software and hardware design

3.1 Hardware system design

3.1.1 Selection of motor control chip

The motor control chip is the TC1782, a high-performance microprocessor from Infineon's 32-bit TriCore series. The TC1782 performs well in power consumption, computing power, storage space, digital and analog input and output, and CAN communication, and it is cost-effective, which makes it very suitable for an electric vehicle motor control system.



3.1.2 Selection of safety monitoring chip

The safety monitoring chip is the Infineon CIC61508. The CIC61508 is a cost-effective choice for safety applications because its small package saves space. The safety monitoring circuit monitors the working condition of the motor control chip by detecting the common failure modes of the motor control chip, such as clock, power supply and temperature-related calculation errors.

3.1.3 Hardware circuit design

The motor control chip TC1782 communicates with the safety monitoring chip CIC61508 and the rotary transformer decoding chip AU6803 through two sets of SPI, receives or sends digital signals through GPIO, sends six PWM signals to the gate driver chip through the PWM channel, samples current, voltage, temperature and other information through the ADC module, and communicates with the bus through the CAN module. The hardware circuit also includes a power supply module and a watchdog module. The hardware circuit schematic diagram is shown in Figure 3.



3.2 Software design

3.2.1 Design principle

The safety monitoring function proposed in this paper ensures the normal operation of the motor control system through two-level monitoring at the hardware level and the software level, including the monitoring of the motor load and the monitoring of the motor control chip.

The motor load monitoring function determines whether the motor load is working normally from the sampled current, voltage, temperature, position and other signals, together with the fault information from the hardware monitoring circuit. Once an abnormality is detected, the motor control system enters the fault processing program.

The safety monitoring of the motor control chip is carried out by the self-check of the motor control chip together with the CIC61508 safety monitoring chip. After power-on, the motor control chip runs a self-inspection to test whether the configuration of each module is normal. If it is abnormal, the chip enters the fault handling program. During normal operation of the program, the motor control chip periodically tests the configuration, memory and control tasks of each module. At the same time, the motor control chip sends specific test tasks to the CIC61508 safety monitoring chip, which runs them and feeds the test results back to the motor control chip. The motor control chip compares its own operation results with the feedback results to determine whether it is working normally.

3.2.2 Specific implementation

The motor control chip samples the sensor supply voltage, chip supply voltage, bus current, bus voltage, phase current of phases A and C, motor temperature, inverter temperature and other signals through the ADC module. It receives fault information from the hardware monitoring circuit through the GPI interface, mainly including the power supply voltage fault of the motor control chip, DC voltage overvoltage fault, motor phase current overcurrent fault, inverter over-temperature fault, inverter saturation fault, position sensor fault, etc. It receives motor position information and safety monitoring chip information through SPI. The motor control chip sends the test task to the safety monitoring chip through SPI, and the safety monitoring chip feeds back the test results to the motor control chip for comparison. If the test results are consistent, the motor control chip is considered to be working normally; otherwise the system enters the fault processing program.

4 Working process

The main flow chart of the safety monitoring algorithm of the motor control system is shown in Figure 4. When the controller is started:



The first step is to initialize and configure each module of the motor control chip so that each module is in its normal operating state. After initialization, the initialization state of each module is checked. If any module fails to initialize, the module fault code is reported and the system enters the fault mode.

The second step is to conduct self-inspection for each module of the motor control chip. As shown in Figure 5, the self-test program will test the memory, IO module, AD sampling module, communication module, PWM module, watchdog and other modules. The specific tests are as follows:



Memory test: mainly tests the RAM, ROM and Flash used by the program to verify whether the RAM works normally, whether the software in the ROM is changed, and whether the reading is normal;

IO module test: test whether the IO module works normally and whether the IO control unit is configured correctly;

AD sampling module test: test whether the AD sampling module works normally, whether the sampling frequency, channel selection are correct, and whether the control unit setting is correct;

Communication module test: test whether the CAN communication and SPI communication modules work normally, whether the baud rate setting is correct, whether the module configuration is correct, whether the communication with the safety monitoring chip is normal, and whether the safety monitoring chip works normally;

PWM module test: test whether the PWM module works normally, whether the clock setting is correct, and whether the output channel configuration is correct;

Watchdog test: test whether the watchdog timing and time configuration are correct and whether the watchdog works normally.

If these tests pass, each module works normally and the system configuration is correct, and the system can continue to operate provided the system operation conditions are met. If a test fails, the error code of the failed module is recorded, and the system enters the fault mode and sends the error code through CAN.

After these tests are passed, the system enters the normal cycle operation mode. If the self-test fails, the system reports the self-test fault code and enters the fault mode.

The third step is the system cycle control task. All the work of motor control is completed in this part, which is also the traditional motor control part. Power supply monitoring, voltage monitoring, current monitoring, temperature monitoring, speed monitoring and external watchdog monitoring are all completed in this part. If there is a fault in the system, it reports a fault code and enters the fault mode. If the system is normal, it goes to the next step.

The fourth step is the system cycle test task, as shown in Figure 6. The periodic test task is carried out in the motor control chip and the safety monitoring chip at the same time. After the cycle test task starts, the configuration files of each module of the motor control chip are checked first, to test whether the configuration of each module has been illegally changed and whether it is consistent with the normal configuration. The motor control chip then sends specific test tasks to the safety monitoring chip. After receiving the tasks, the safety monitoring chip calculates the test results according to the predetermined algorithm and feeds them back to the motor control chip. These test tasks can be increased or decreased according to actual needs. From the test results received from the safety monitoring chip, the motor control chip judges whether the program is running normally and whether there are unexpected operating results. If the test passes, the system enters the cycle operation mode, and the cycle control task and cycle test task of the system run in a loop. If the test fails, the fault code is reported and the system enters the fault mode.
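The following C sketch illustrates the periodic test step described above. It is an added example, not code from the paper or from Infineon: the fault codes, the `test_answer` function standing in for the "predetermined algorithm", the use of a CRC-32 to compare the configuration against its normal state, and the function call that replaces the SPI exchange are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical fault codes; the paper does not list its own. */
enum { FAULT_NONE = 0, FAULT_CONFIG = 1, FAULT_MONITOR_MISMATCH = 2 };

/* CRC-32 (reflected, polynomial 0xEDB88320) over a configuration snapshot. */
static uint32_t crc32(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Assumed stand-in for the "predetermined algorithm": both chips
 * compute it independently from the same challenge value. */
static uint32_t test_answer(uint32_t challenge) {
    uint32_t x = challenge * 2654435761u;
    return ((x << 13) | (x >> 19)) ^ 0xA5A5A5A5u;
}

/* Simulated safety monitoring chip side of the SPI exchange. */
uint32_t monitor_reply(uint32_t challenge) { return test_answer(challenge); }

/* One periodic test cycle on the motor control chip.
 * cfg/len: current module configuration snapshot
 * golden:  CRC of the configuration recorded after initialization
 * reply:   result fed back by the monitor for `challenge`
 * The configuration is checked first, then the monitor's result. */
int periodic_test(const uint8_t *cfg, size_t len, uint32_t golden,
                  uint32_t challenge, uint32_t reply) {
    if (crc32(cfg, len) != golden)
        return FAULT_CONFIG;            /* configuration was changed */
    if (test_answer(challenge) != reply)
        return FAULT_MONITOR_MISMATCH;  /* wrong, stale or corrupted result */
    return FAULT_NONE;
}

int main(void) {
    static const uint8_t cfg[] = {0x12, 0x34, 0x56, 0x78}; /* constructed snapshot */
    uint32_t golden = crc32(cfg, sizeof cfg);
    return periodic_test(cfg, sizeof cfg, golden, 7u, monitor_reply(7u));
}
```

Changing the challenge every cycle means a reply left over from an earlier cycle no longer matches, so a stuck link or stalled monitor is reported as a mismatch rather than passing silently.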



5 Conclusion

The safety monitoring function of the motor drive system not only monitors the operation of the motor load in real time, but also monitors the operating status of the motor control chip, so that faults are found and handled in time. The fault diagnosis is comprehensive and its coverage is high, which greatly improves the safety and reliability of the motor drive system.


