I am working on a safety-critical project (autonomous vehicles). As such, we need rigorous redundancy controls.

I am controlling a DC motor (that actuates the brake pedal) from a micro-controller (still unsure which one specifically, but probably Cypress PSoC 5LP). The idea was to have this micro-controller control the motor via a primary pwm motor-controller, and also send a heartbeat pulse to an isolated watchdog timer which would then activate the braking actuator via a secondary pwm motor-controller. This is to ensure redundancy of all electrical and software components, including the motor controller itself.

I am a mechanical engineering student, so my knowledge of electronics is limited. My question is two-fold; do you think this is a good way to go about this? Do you have any suggestions to how I could improve this system? Secondly, how would I go about having two motor controllers control the single motor? Is this even possible? Would it be possible to create a (very rigorous, as this would be itself a single point of failure) circuit that priorities one of motor controllers over the other?

 

To be fail-safe (safety critical), your brake should be on by default, and your controllers release the brake when under command of any controller. This way, if something fails to communicate or hardware failure, the brake controller releases control, and the brake automatically comes on. Think of it as similar to trains, they use air lines to power cylinders to release the brakes, which are on by default (spring loaded?). Any break in the air line (fault), and the brakes engage to stop the train.
How one does that with your vehicle becomes an exercise for you to figure out. Good luck.

 

A watchdog is essentially the lowest level of protection.

A higher level is address traps where a CPU exception is generated in
by an illegal access to a memory area. Or nonaligned access.

https://www.segger.com/downloads/application-notes/AN00016

http://www.keil.com/appnotes/files/apnt209.pdf


Another approach is dual processor, one being a literal dual where each
processor checks on the other looking for state discrepancies. One possible
approach is PSOC 6 dual M0+ and M4 core. In that case you would not be
doing a literal dual, rather a sophisticated messaging system where each
other checks on some states and activity. Can be done with various degrees
of complexity. You might search NASA web site resources for this general
topic, they of course do a lot of work in non stop computing and are subjected
to memory faults because of generalized ion induced radiation environment.

PSOC does not have all the analog capability as 5LP, like 20 bit DelSig, but does
have scanning 12 bit SAR and 12 bit non dithered VDAC. Trade offs, always trade
offs.


Regards, Dana.

 

Just to amplify one of danadak's points: There are MCUs which are fully redundant multiprocessors, running in Lock Step Mode (LSM) with a bus-level comparator that generates a fault if Any results disagree. They also have (given their markets: aircraft and cars) a ton of self-diagnostics. This (mostly) happens under the covers, and the software (mostly) doesn't need to care.

The ones I know (NXP and TI) are somewhat mundane (no whizzy PSoC features), and aren't particularly simple, low-power, or cheap, but may pay for themselves in the context of a $few-million SIL/DAL Certification process.

 

Most likely failure mode is shorted output transistors- possibly leading to full power runaway.

Your MCU failing is hazardous but worry more about the system as a whole.