4.23. Interlock

4.23.1. Module Files

4.23.1.1. Driver

  • src/app/driver/interlock/interlock.c (API, source)

  • src/app/driver/interlock/interlock.h (API, source)

4.23.1.2. Configuration

  • src/app/driver/config/interlock_cfg.c (API, source)

  • src/app/driver/config/interlock_cfg.h (API, source)

4.23.1.3. Unit Test

  • tests/unit/app/driver/interlock/test_interlock.c (API, source)

4.23.2. Description

# Copyright (c) 2010 - 2021, Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V.
# All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
#    list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
#    this list of conditions and the following disclaimer in the documentation
#    and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its
#    contributors may be used to endorse or promote products derived from
#    this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
# We kindly request you to use one or more of the following phrases to refer to
# foxBMS in your hardware, software, documentation or advertising materials:
#
# - "This product uses parts of foxBMS®"
# - "This product includes parts of foxBMS®"
# - "This product is derived from foxBMS®"

graph interlock_schematic {
    subgraph cluster_main {
        label="main interlock circuit";

        node [shape=rectangle,group=1]
            nd_static_supply
            nd_interlock_high
            nd_interlock_low
            nd_low_side_regulation
            nd_system_ground;
        node [shape=plain,group=1]
            nd_low_side_cs
            nd_low_side_threshold_cs;

        nd_static_supply            [label="static low-power supply"];
        nd_interlock_high           [label="interlock connector high"];
        nd_interlock_low            [label="interlock connector low"];
        nd_low_side_cs              [label="low-side current sense (100mA = 4V)"];
        nd_low_side_regulation      [label="low-side current regulation (to 50mA)"];
        nd_low_side_threshold_cs    [label="low-side current threshold (low = current above 10mA)"];
        nd_system_ground            [label="system ground"];

        edge[color=blue]
        nd_static_supply -- nd_interlock_high [style=bold];
        nd_interlock_high -- nd_interlock_low [style="bold,dashed",label="external connection"];
        nd_interlock_low -- nd_low_side_cs [style=bold];
        nd_low_side_cs -- nd_low_side_regulation [style=bold];
        nd_low_side_regulation -- nd_low_side_threshold_cs [style=bold];
        nd_low_side_threshold_cs -- nd_system_ground [style=bold];
    }

    node [shape=rectangle,group=2]
        nd_diagnostic_supply;
    node [shape=rectangle,group=3]
        nd_high_side_vs
        nd_low_side_vs;
    node [shape=plain,group=2]
        nd_high_side_cs;

    nd_diagnostic_supply        [label="diagnostic high-power supply"];
    nd_high_side_cs             [label="high-side current sense (133mA range)"];
    nd_high_side_vs             [label="high-side voltage sense (resistor divider 3k9/(5k6+3k9))"];
    nd_low_side_vs              [label="low-side voltage sense (resistor divider 3k9/(5k6+3k9))"];

    edge [color=orange]
    nd_diagnostic_supply -- nd_high_side_cs;
    nd_high_side_cs -- nd_interlock_high;
    nd_interlock_high -- nd_high_side_vs;
    nd_interlock_low -- nd_low_side_vs;
}

Fig. 4.5 Simplified schematic of the interlock circuit

The purpose of the interlock circuit is that the embedded software can recognize that an external safety circuit has been opened. This is achieved through a monitor current that is supplied to an external connector. The application expects that the rest of the safety system closes this path when it is working as expected. Typically, this is used with emergency stop switches or similar devices. A simplified schematic of the interlock circuit is shown in Fig. 4.5.

4.23.2.1. Circuit description

The interlock circuit consists of a main path that is continuously supplied by the static power supply of the foxBMS Master Unit. In Fig. 4.5 this is called static low-power supply. This supply does not have to be enabled and is powered by the 5V rail of the peripheral supply.

The interlock is closed through the connector that makes the external connection of interlock connector high with interlock connector low.

As a diagnostic measure, the low-side current sense allows to monitor the current on the low-side of the interlock connector. The monitoring circuit scales 0mA to 100mA from 0V to 4V with a linear relation.

For the case that additional diagnostic features are enabled, the low-side current regulation limits the low-side current to 50mA.

As a last point in the measurement chain, a low-side current threshold comparator circuit, pulls a pin low in the case that the threshold of 10mA interlock current is surpassed. This is the main detection method of detecting a closed interlock.

Additional diagnostic features consist of the voltage measurements of the high and low pins of the external interlock connector. Moreover, dedicated current measurements at the low- and high-side of the interlock connector increase the diagnostic possibilities.

The high-side voltage sense and the low-side voltage sense allow the measurement of the voltages of the respective interlock connector pins. Together with the low-side current sense circuit this allows an estimation of the resistance of the external part of the interlock. All voltages are measured using a resistor divider consisting of a 5k6 ohm and a 3k9 ohm resistor.

An additional switchable power supply imprints a higher current on the interlock path to increase the robustness of the interlock. This current can be measured using the high-side current sense measurement.

The measurements of voltage and current on both high-side and low-side can be used for checking the plausibility of measured values.

4.23.2.2. Software description

The interlock state is read via a feedback input pin. If this pin is low, then the interlock is closed. If the pin is high, the interlock is open.

The feedback is checked in the interlock state machine. It reports an error via the DIAG module if the interlock is open.

The interlock feedback can be deactivated via the define BS_IGNORE_INTERLOCK_FEEDBACK. If set to true, the feedback function will always return ILCK_SWITCH_ON.

In addition to the feedback pins, the ADC inputs of the MCU also monitor the voltages and currents described in the section Circuit description. Currently, these readings are only stored in the database (Section 4.7). They can be used for further diagnostics.