Bad design -- no kill switch

My brush-less motor controller failed yesterday in the full-on position; fortunately I had a Harbor Freight DC key-type switch within arm's length to kill the power.

My other trike has a DC motor on it. I used a house-type 220 VAC circuit breaker (2 poles 50/50 amp in parallel) with a jumper connecting them, using a pull string to disconnect. Works fine, and it's less expensive than a contactor, and less weight.
 
Thanks for the link, sabongi. Nice to see the e-motorcycle folks are thinking about kill switches. I put a few miles in without too much worry -- till I got bit.

Thanks NeilP, I'll take a closer look at the schematic and see if I can defang the CA without throwing it out completely. That sounds great!

-dg, I don't think a bad throttle connection caused this problem. But I'll take another look. Everything was fine after the incident. After my head recovered, anyway ...

It seemed like way more power than just full throttle. Under normal circumstances, from standstill to full speed, my bike is not capable of lifting the front wheel -- even at constant full throttle. But maybe my throttle doesn't give me its full travel.

It was a lot more power than usual.

I used to wheelie big motorcycles in high school. Sure this bike doesn't weigh much, but it was just a monster that day. Like someone plugged me into a light socket! It happened very fast. I felt like a ski jumper standing way out over the handlebars. Kept the bike from going over backward -- for about a second. It was a situation I knew, so my reflexes were pretty fast. Didn't help. Just put on a show for all the drivers at that busy intersection.

I never had time, or the presence of mind, to grab brakes. I've never used brakes in a wheelie before. :-/ I have it on my list of things to try during future calamities ... :) I was too busy hanging on this time.

Better power limiting at the controller would have helped. If I hadn't wheelied the brakes could have gotten things under control. To be useful, an ebike needs to be able to carry a large battery for range -- and not let that power to the motor all at once!

teklektik, The CA is standard setup as it came from ebikes.ca a few years back. The controller was modified by them, but with no special requests. It worked fine last time I tried it.

John in CR, fusing will help some things. But I don't think it's quick enough to have helped in this case. I've been looking at the R/C stuff you mentioned, and am considering rebuilding my battery pack to take advantage of it. (I'm thinking about building another electric skateboard and using R/C parts for that too.)

Separating batteries into 6 or 8 cell modules might have a number of advantages. Even beyond the availability of cheap off-the-shelf chargers, analysers, balancers, LVCs, etc. The ability to compartmentalize failures has an attraction. Lose some cells and still be able to ride home, etc. LIPOs could be divided into separate fire-proof pouches ...

Mahalo for everyone's input. Great stuff! Keep the rubber side down!

Richard
 
RF,

I think you should stay away from RC lipo until you get your bike a lot safer first. It sounds like a good start would be a new controller.
 
Based on this:
rf said:
The CA is standard setup as it came from ebikes.ca a few years back. The controller was modified by them, but with no special requests. It worked fine last time I tried it.
All of this:
rf said:
Most likely the Cycle Analyst crashed while the system was at full throttle. It stayed at full throttle with no brains to impose limits. So I stopped riding it to work.
rf said:
It took the full override of limits provided by the Cycle Analyst to allow the controller to put FULL power to the wheel. When the CA is awake it imposes stern limits on power. When it crashes you're stuck in whatever condition it was in before it lost its mind!

The CA is a very nice tool. But a dangerous and poorly thought out one.
has absolutely no basis in fact. The CA doesn't work this way and the failure mode you have ascribed to the CA simply cannot occur. It is electrically impossible for the CA in the stock configuration to source voltage to drive the throttle, it can only sink current to limit the voltage applied by the operator throttle (hence the terminology: 'limiting'). Only the operator throttle drives the controller, the CA cannot. The fundamental electrical design of the controller interface makes the CA intrinsically safe regardless of any potential firmware or processor failures.

Which leaves:
Runaway throttles occur without a CA, typically because of a broken ground connection due either to a faulty connection, broken wire, or internal throttle failure. This can also occur because of water in the throttle. These sorts of mechanical failures have a comparatively high probability.

rf said:
Simpler, well-designed analog controllers should be relatively safe. Although I hate to part with it, the Cycle Analyst should probably be removed. It makes things a bit too unpredictable and dangerous. Too bad they didn't stick to data gathering. Giving it the ability to set things like top speed is what went too far.
'it' simply doesn't have the ability to 'set things like top speed' - it can only ensure the operator doesn't exceed such limits. You seem to have a fundamental misunderstanding of how the CA works. If you honestly feel there is basis for your speculation, you should contact Justin and express your concerns - he is unquestionably the single most well-respected member of Endless-Sphere (not to mention, the owner) and will certainly take the time to address your questions.

rf said:
It was my fault. It had no kill switch.
Enough said.
 
John in CR said:
RF,

I think you should stay away from RC lipo until you get your bike a lot safer first. It sounds like a good start would be a new controller.

Thanks. I've no intention of using LIPO on a bike. On a skateboard, maybe.
 
rf said:
Thanks. I've no intention of using LIPO on a bike. On a skateboard, maybe.

Don't let the anti-LiPo brigade scare you: over 7000 miles now, 400 plus cycles, on a 20s4p pack (84 volt 20 Ah), no issues at all. My GF's bike now has 1800 miles on it, 50 plus recharge cycles, on a 12s2p pack (50 volt 10 Ah). Built up into an alloy box, screwed down, and balance charged, cycled a few times and balance checked. Run for a few weeks and balance checked, all OK. Been checked maybe twice more since then in over a year, good every time. Never re-balance charged. Build up a pack, follow the rules, and there is no issue with them. My equivalent pack in LiFePO4 is almost twice the weight (in Headway cells).
 
teklektik said:
rf said:
Most likely the Cycle Analyst crashed while the system was at full throttle. It stayed at full throttle with no brains to impose limits. So I stopped riding it to work.
rf said:
It took the full override of limits provided by the Cycle Analyst to allow the controller to put FULL power to the wheel. When the CA is awake it imposes stern limits on power. When it crashes you're stuck in whatever condition it was in before it lost its mind!

The CA is a very nice tool. But a dangerous and poorly thought out one.


has absolutely no basis in fact. The CA doesn't work this way and the failure mode you have ascribed to the CA simply cannot occur. It is electrically impossible for the CA in the stock configuration to source voltage to drive the throttle, it can only sink current to limit the voltage applied by the operator throttle (hence the terminology: 'limiting'). Only the operator throttle drives the controller, the CA cannot. The fundamental electrical design of the controller interface makes the CA intrinsically safe regardless of any potential firmware or processor failures.

Which leaves:
Runaway throttles occur without a CA, typically because of a broken ground connection due either to a faulty connection, broken wire, or internal throttle failure. This can also occur because of water in the throttle. These sorts of mechanical failures have a comparatively high probability.

rf said:
Simpler, well-designed analog controllers should be relatively safe. Although I hate to part with it, the Cycle Analyst should probably be removed. It makes things a bit too unpredictable and dangerous. Too bad they didn't stick to data gathering. Giving it the ability to set things like top speed is what went too far.
'it' simply doesn't have the ability to 'set things like top speed' - it can only ensure the operator doesn't exceed such limits. You seem to have a fundamental misunderstanding of how the CA works.

Sounds like there is a misunderstanding going on here, and I think rf put it in a way that makes it sound like the CA put voltage on to the controller.

Here is how I see it.
If the controller is set up for very high speeds and power settings, like 120% and 100 amp battery 300 phase, the CA IS setting upper power limits. As soon as the CA crashes / wire breaks / becomes unplugged, whatever, then the controller is left to go back to its native settings, i.e. max power.
By the sound of it, this is what has happened, and rf is wrongly assigning blame to the CA, possibly because of

teklektik said:
fundamental misunderstanding of how the CA works.



RF...see the last page of the manual to disconnect the throttle override function.
http://www.ebikes.ca/drainbrain/CA_Large_V223_Web.pdf

Have you got a USB program cable and software for your controller? That would be the next step.
 
Thanks teklektik,

I think Justin is a good guy, too. And I can't be certain of the core cause of my incident. It's not repeatable -- I hope.

I always felt the control the CA imposed by messing with the throttle signal was a little hokey. It was the only way to do it from the CA and keep it in one neat package. But it's messy. Your post suggests that the throttle itself may have caused the problem. That same weak system that the CA uses to moderate top speed.

So the throttle cabling is cheap and funky. Agreed. Need to fix that.

You said that the CA doesn't have the ability to set things like top speed. But that's exactly what it does. You go through the setup on the CA and tell it what to set the top speed to and it does it! At least when it works. Doing that from a separate, microprocessor controlled box, on the other end of the bike from the main controller, over crappy signal and power lines is a questionable thing to do. In my opinion.

Top speed limiting should probably not be trusted to a single microprocessor in an active feedback loop. An analog circuit within the controller would be much safer. The CA setup is reminiscent of the bread machine with its runaway heater, threatening to burn down the house. You can't trust a single running microprocessor to set limits when life and limb are at stake. What happens when it crashes?

I take your points to heart. I don't know what caused my accident. All I can do now is look carefully at everything and make things as solid as possible. The CA has been a good friend for a lot of miles. But its ability to fiddle with the throttle has got to go! It's clearly the wrong place to put the low-voltage cutoff too. In my opinion. These are cool features that are nice to have. But they're important features that need to be made more foolproof.

Ebikes are still kind of hokey in general. Fechter isn't done refining the electronics. :)

Every piece of the system needs to be reviewed again and again for safety. What happens when the cable to the throttle or the ebrake is broken? The bike should refuse to run. Period. Things like that. There are more of them than you think. The life you save may be your own.

Thanks for listening, and for your insights.

Richard
 
You still have not said if you have the ability to program your controller. You should be setting your max levels on that first.
 
Richard is correct in every matter. Redundancy of some sort is really needed on ebikes. The low quality throttles from China are probably meant to be used on a low power system that won't bust your head if going amok.
If using a thumb throttle, one could add a simple momentary switch to the trigger itself, running an extra wire down to the e-brake cutoff on the controller. This gives some sort of redundancy at least: the controller won't run until the switch is pressed AND there is a throttle signal above 0%.

The MOSFET "contactors" that a few people are working on here should not be used as a safety cutoff. If an over current situation occurs in one of the MOSFETs (could be because of a manufacturing fault in the die itself) it is highly possible that this MOSFET will close the circuit, not open it as many might think. I.e. at a failure the MOSFET "contactor" will weld itself shut and continue to supply current to the system.
But as an on/off control and precharge circuit it is a very good solution. Except that the on/off could be made with the controller on/off wires instead.

This being said, I am stupid and I don't even have a fuse on my battery leads that are totally enclosed in a bag while riding. My setup could probably be used as an example of how Not to do it.
 
bose said:
This being said, I am stupid and I don't even have a fuse on my battery leads that are totally enclosed in a bag while riding. My setup could probably be used as an example of how Not to do it.



Fuse..what is one of those again? :shock: Originally had one on my bike but could not find a fuse holder that would not melt or was of a suitable physical size to fit the area I have available in the battery box.
I do have an on/off switch on the cross bar for the controller ignition, but would take a guess that I could not reach it if the bike was in 'runaway' mode as I would be hanging on to the bars too tight.

Good point made about the MOSFET breaker system, but how I am hoping to implement Fechter's Version 3 schematic, I will be 'testing' it each time the battery is reconnected.

So yes it is possible for multiple failures to occur simultaneously, but we can't plan for every eventuality and having a system in place (MOSFET breaker) is better than none at all...You are at least giving yourself a chance of shutting the bike down in a runaway situation. OK...a runaway situation where the controller instantly takes maximum current is also likely the time when the MOSFET will fail since it has suddenly been asked to pass massive currents.
I was planning my use of the MOSFET system as an 'auto pre charge' device..and the shut down is just an added bonus...if I can get it to shut down quick enough..but at the moment the capacitor charge for the precharge RC constant 'timer' also works in reverse when asking for shutdown.
 
:oops:

Guess I spoke too soon.

I just built a 5 FET 4110 'switch'...shorted one of the FETs to a short / always on within minutes of putting it on the bike...That is half a day plus the price of mosfets wasted..I am going back to a precharge resistor, and no kill switch..just the e-brake
 
NeilP said:
:oops:

Guess I spoke too soon.

I just built a 5 FET 4110 'switch'...shorted one of the FETs to a short / always on within minutes of putting it on the bike...That is half a day plus the price of mosfets wasted..I am going back to a precharge resistor, and no kill switch..just the e-brake

Imagine how many more planes would crash if the gas tanks were removed after every flight? That's what you guys are doing with these battery packs that require pre-charge resistors. Mount your batteries properly on your bike and leave them there.

Also, why on earth would you go with just an ebrake as your only safety? A switch within reach (not on the bars) is too easy not to do. Plus people get a kick out of seeing that a key is required, and keyswitches come with decently heavy duty wires.

John
 
John in CR said:
Mount your batteries properly on your bike and leave them there.
And carry the whole MTB up three flights of stairs, you gotta be kidding...or leave the lipo pack to bulk charge unattended in a public stairwell. For some of us that have to live in apartments, removing the batteries is the ONLY solution.

John in CR said:
Also, why on earth would you go with just an ebrake as your only safety? A switch within reach (not on the bars) is too easy not to do. Plus people get a kick out of seeing that a key is required, and keyswitches come with decently heavy duty wires.

John

Because the subject has never come up before that I have seen, it certainly never seems to get mentioned to newbies when they are building up a bike. I had never even thought of failures that leave the bike in a FULL power on situation before.
I have an ignition switch about two inches off the headstock, along the top cross bar, but as I said before, if there was ever a full power on failure, I would not be able to take my hands off the bars to switch it off.

The only way is a Full kill switch on the bars where you can hit it with your thumb, like on a motorcycle. But how to do that I do not know.
 
I'm going to put a lanyard on the pos. 5mm bullet connection to the handle bars. Just thinking on how to make the handle for the dead man's grab. So what would your thing be? What's the first thing you would like to grab for at high speed runaway?
I was thinking "A Pair" at the end of the rope, but big and in the way. Got to get this right. What's on the end of your rope?
 
NeilP said:
The only way is a Full kill switch on the bars where you can hit it with your thumb, like on a motorcycle. But how to do that I do not know.
Kill switch for Magura: A tiny bracket is fabbed from a bit of 1/8" aluminum angle that mounts on existing Magura assembly screws. Position toggle so it can be swept clockwise at ZERO throttle with the thumb as a continuation of the normal close-throttle motion. As you and John suggested earlier, hook to controller 'ignition wires'. I use wire that is sized for handling and robustness above the minimum gauge required electrically and sheath exposed wires in plastic cable braid. Wiring is tie-wrapped to the bars and stem to avoid snags and makes a full turn around the head tube before being attached to the frame. This distributes flex over the length of the wire that wraps the head tube when the bars are turned - no localized high stress point.

 
Full Throttle will jam on if your Cycle Analyst has an amp limit set and your controller has auto cruise and you are going up a hill. I had it happen multiple times. Once auto cruise kicks in on the controller, your 20 amp limited controller will now be pulling 40 amps and your throttle will be completely unresponsive, and if you're lucky like me, your 30 amp fuse will blow.
 
That is nicely made.

When I said "but how to do that I do not know", I was meaning I did not know an easy way to cut the main power supply as opposed to just shut down via the ignition.
There are all sorts of contactors / relay systems, the MOSFET switches that we have discussed on other threads. But so far the ones I have seen are all limited in some way or another...plus it is yet another failure point(s), yet more junctions between battery and controller and more kit to find a place to fit to the bike.
I built up a 5 MOSFET switch yesterday, but within a few minutes of using it, one of the FETs shorted in the 'ON' position.

So as far as I am concerned, MOSFET switches are out (for now, till a suitable circuit is worked out), big contactors are out (I don't have space in the battery box), and cutting just the ignition wire is not really what we (I) am trying to achieve. An internal short (loose bit of solder, etc.) inside the controller could short the ignition wire to battery positive, and still leave the power on even if killing from the ignition wire.

If we are going for an all fault encompassing solution for a power kill switch, it has to be disconnecting battery from controller..but not with relays, or MOSFETs...so what I was meaning was I did not know how to achieve that.
 
Neil,

It sounds like you need an ebike that can take the stairs. I still don't get this idea that it's ok for motor, controller, CA and anything else to stay on the bike, but the most dangerous thing to take off is the one thing you feel compelled to take off.

The reason something on the bars isn't a good answer is because whatever kills your ebrake is just as likely to clip all or any of the other wires too. I'd suggest practicing the one hand on the bar and other reaching to turn off the key. If you can fly a plane I have confidence in you that you can ride a bicycle one handed for a fraction of a second. :lol:

Oh, how's this as an example for you of ways a WOT failure can occur.
1. Something comes loose in the throttle or you turn it to WOT and the plastic stop breaks, magnet comes loose, or whatever and the mechanism is stuck WOT.
2. Most of the cheap Chinese controllers don't have a kill on a high throttle, and what that means is that a short of the +5V and the throttle sense wire anywhere along the length can send +5V up the throttle sense and give you WOT. Professional controllers have a high throttle kill, so when you turn the key on it can't be immediately WOT, and valid throttle signals are only up to 4.8V or so, making a short in the throttle wire shut down since the +5V isn't a valid signal.

John
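
The high-throttle kill and key-on check described in the post above, sketched as an added example (it is not from the thread or from any controller's firmware). The 4.8 V upper limit is the figure given in the post; the low, idle and full-travel thresholds and all names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Millivolt thresholds. 4800 follows the "4.8V or so" in the post above;
 * the other three are assumed values for a 5 V hall throttle. */
#define THROTTLE_MAX_VALID_MV 4800 /* above this: short to +5V or lost ground */
#define THROTTLE_MIN_VALID_MV  500 /* assumed: below this, signal wire open   */
#define THROTTLE_IDLE_MV      1000 /* assumed: throttle released              */
#define THROTTLE_FULL_MV      4200 /* assumed: full travel                    */

typedef enum { TG_WAIT_IDLE, TG_RUN, TG_FAULT } tg_state_t;

typedef struct { tg_state_t state; } throttle_guard_t;

/* Call once at key-on. Output stays at zero until a released throttle is seen. */
void tg_init(throttle_guard_t *g) { g->state = TG_WAIT_IDLE; }

/* One control-loop step: returns the motor command in percent (0..100). */
int tg_step(throttle_guard_t *g, int throttle_mv, bool ebrake_active)
{
    if (g->state == TG_FAULT)
        return 0; /* latched until the next key cycle (tg_init) */

    /* Plausibility check: a reading outside the valid window is a wiring
     * fault, not a rider request, so it kills output instead of meaning WOT. */
    if (throttle_mv > THROTTLE_MAX_VALID_MV ||
        throttle_mv < THROTTLE_MIN_VALID_MV) {
        g->state = TG_FAULT;
        return 0;
    }

    /* Key-on interlock: a throttle that is already open at power-up
     * (stuck mechanism) never reaches the motor. */
    if (g->state == TG_WAIT_IDLE) {
        if (throttle_mv <= THROTTLE_IDLE_MV)
            g->state = TG_RUN;
        return 0;
    }

    if (ebrake_active || throttle_mv <= THROTTLE_IDLE_MV)
        return 0;
    if (throttle_mv >= THROTTLE_FULL_MV)
        return 100;
    return (throttle_mv - THROTTLE_IDLE_MV) * 100 /
           (THROTTLE_FULL_MV - THROTTLE_IDLE_MV);
}

/* Feed a trace of samples (no e-brake) from key-on; return the last command. */
int tg_run_trace(const int *mv, int n)
{
    throttle_guard_t g;
    int out = 0;
    tg_init(&g);
    for (int i = 0; i < n; i++)
        out = tg_step(&g, mv[i], false);
    return out;
}

int main(void)
{
    /* Constructed sample traces in millivolts, not measurements. */
    const int stuck_wot[]  = { 4200, 4200, 4200 };      /* case 1 in the post */
    const int normal[]     = { 900, 2600 };
    const int short_to_5[] = { 900, 2600, 5000, 2600 }; /* case 2 in the post */

    printf("stuck at key-on: %d%%\n", tg_run_trace(stuck_wot, 3));
    printf("normal ride:     %d%%\n", tg_run_trace(normal, 2));
    printf("+5V short:       %d%%\n", tg_run_trace(short_to_5, 4));
    return 0;
}
```
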
 
el_walto said:
Full Throttle will jam on if your Cycle Analyst has an amp limit set and your controller has auto cruise and you are going up a hill. I had it happen multiple times. Once auto cruise kicks in on the controller, your 20 amp limited controller will now be pulling 40 amps and your throttle will be completely unresponsive, and if you're lucky like me, your 30 amp fuse will blow.
Let's be clear - the CA did not apply Full Throttle - that is electrically impossible. Autocruise applied the throttle and the CA could not prevent it.

I think you will find that what happened is that autocruise cranked up the amps to keep up speed climbing the hill. The CA is not aware there is an autocruise but sees the high current and continues limiting the operator throttle all the way to zero in an attempt to get the high current under control. Of course, it is autocruise not the operator throttle that is causing the huge current draw, so the CA's efforts come to naught. With the operator throttle input line grounded by the futile efforts of the CA, the throttle becomes unresponsive.

In short - engaging autocruise completely circumvents the CA current control mechanism so that it cannot possibly limit the current to 20A. That's CA 101. The operator throttle becoming inoperative is evidence that the CA is actually working properly and attempting to limit the current.

There are ways to avoid losing throttle control in these situations, but there is no means to have the CA do current limiting if the controller itself (not the operator) is manipulating motor power.

The CA V3 has a built-in autocruise so the V3 can work autocruise and limiting all at once...
 
NeilP said:
When I said "but how to do that I do not know", I was meaning I did not know an easy way to cut the main power supply as opposed to just shut down via the ignition.
Oops! Sorry about that little misunderstanding - just a little unnecessary photo clutter I guess... :wink:

NeilP said:
... cutting just the ignition wire is not really what we (I) am trying to achieve. An internal short (loose bit of solder, etc.) inside the controller could short the ignition wire to battery positive, and still leave the power on even if killing from the ignition wire.
Seriously - you are talking about simultaneous critical failures - (1) the Bad Thing that is causing you to hit the Kill Switch and (2) the coincidental failure of the Kill switch itself. It's not enough that something can happen, you have to look at the probability of it happening and double failures are getting into possibilities that are remarkably remote. Of course, there are always brakes as a fallback. (In this failure mode the controller is running so ebrakes would also work - if you have them).

This is not to say that contactors and The Big Cutoff would not offer blanket protection, but it's just one of several solutions. As you have mentioned, it is challenging to implement because of cost, space, and technical considerations. In a racing or high-powered vehicle environment, the parameters of the problem change in favor of that approach (or the device is mandated by regulation), but here, it really doesn't look like an attractive technical solution. Going after similar functionality with a combination of ignition switch and main disconnect appears to cover the most prevalent failure modes for modest cost and with excellent reliability.

  • I personally use the kill switch above in addition to a magnetic marine breaker to serve as a main disconnect and offer protection for controller and harness problems. The breaker trips faster than a fuse and has a 7500A interrupt rating - essentially indestructible. Near the controllers I have a simple key switch in series with the kill switch for lockup when needed. This mix was reasonably priced, very reliable, and covered all the failure scenarios that concerned me.

    I also like the ignition switch because of other uses - it allows my lights, horn, and CA to continue working with the controllers disabled. For instance, it ensures that with a shorted controller I can limp home safely with the lighting operational.
Wiring failures have been called out as a problem area more than once in this thread. Although true, that doesn't mean that wiring should be avoided or that using it is poor design. Attention to wiring practices is all that's required. I put wiring details in the post above about the kill switch to show how the reliability could be easily improved - even for components mounted on the bars.

In this case I think the best plan is to take the easy road: install main disconnect and ignition Kill Switches to address the vast majority of meaningful failure scenarios and leave the highly improbable few to Plain Old Brakes. Then have a beer because you did a Good Job. :mrgreen:
 
John in CR said:
Neil,

It sounds like you need an ebike that can take the stairs. I still don't get this idea that it's ok for motor, controller, CA and anything else to stay on the bike, but the most dangerous thing to take off is the one thing you feel compelled to take off.


It is not that I feel compelled to take them off, I HAVE TO..there is not any other way to charge them at home. I do not need to remove the other components as I do not need to work on them at home and there is no danger of them getting stolen or suddenly going up in a ball of flames.
I have to charge them at home and if I have to do that, I want to do it where I can keep them in sight at all times. Bulk charging them in a communal area where I can't see them 100% of the time is not a good idea.
I have to get to work for emergency callouts (I fly the local air ambulance), so the bike has to be at home, unlike my girlfriend's bike. I could have built the pack on mine permanently, like hers, but I would have to charge it in the communal stairwell. Her pack stays on the bike and she charges it at the farm workshop, then walks the half mile home. For me that is not an option...I take the bike to work rather than a car as it is quicker from home to airport on the e-bike than it ever is in the car.
 
Here's a stupid question. If I wire a kill switch between the thin red power wire coming out of my controller and then run the other side to battery positive then isn't that going to mean running 48 volts through the kill switch? I want a kill switch for sure after my last crash and I like the lanyard design ones on eBay but even motorbike kill switches are only 12v. I'm sure I'm missing something simple here.
 
bartholer said:
Here's a stupid question. If I wire a kill switch between the thin red power wire coming out of my controller and then run the other side to battery positive then isn't that going to mean running 48 volts through the kill switch? I want a kill switch for sure after my last crash and I like the lanyard design ones on eBay but even motorbike kill switches are only 12v. I'm sure I'm missing something simple here.
Well - the simple explanation is the right one: motorcycles use 12v so the switch is 12v while your bike uses 48v so the switch will carry 48v. There's really nothing going on here beyond simple technical convenience.

You will be way overspec on your 12v lanyard kill switch voltage rating, but the current is limited to be very low and contact arcing will not be an issue. You will have no difficulties with what you have proposed. As mentioned in an earlier post here, you might like to run heavier and more robust wiring to the kill switch than the delicate high gauge wire that comes from the controller.
 
I haven't taken the time to read out this entire thread, but I was talking with someone today who said he had his own version of a kill switch that sounded like all pros and no cons if implemented correctly. This seems likely it would work best with the battery pack in a triangle between your legs, but it can be done other ways I am sure. Anyway, the idea is a connector attached to the pole between your legs, you can give it a good yank and it'll come apart, cutting power to the controller. I like this idea as it's very simple and likely fool proof. I was asking him what he did for ebrakes if he didn't have ebrake levers, seems pretty wise.

The connector's orientation or position it faces would have to be set up so it would be in the direction your arm pulled.
 