Power On (Aux Bat Switch)
- Driver switches car on, closes connection between aux battery and Chaos
- Chaos turns Plutus on
- If no faults are detected by Plutus, battery relay and solar relay closes
- Chaos checks if DC-DC is functional, if so, switch power to DC-DC. This will also power all other LV components of the vehicle. If not, Chaos will go into a fault state, possible DC-DC failure
- Chaos will initiate pre-charge, and wait for the main relays to close via the sense wires
- If main relay closes, car is now ready to drive. If either doesn't, Chaos goes into another fault state, possible pre-charge or relay failure
Power On (Constantly On)
...
State
...
Systems Powered
...
Powered From
...
Aux battery
By default, we are in the off state. In this state, only the bare minimum of systems are active. Only the auxiliary battery is connected, and we wait until the car is turned on by the driver. Chaos receives a CAN message from driver controls when this occurs.
When the car is turned on, we enter the startup state. In order to do so, we must active our HV systems in a specific order to safely distribute HV power. Assuming the BMS is active and the battery is okay, we first enable the battery relay to connect the battery pack to the main HV circuit, switching LV power over to the DC-DC. Then, we enable the solar relay to connect the MPPTs to the main HV circuit and then enable them. This step is necessary to prevent damage to the MPPTs, as they should always be connected to the pack when enabled. Finally, we power the motor LV system to precharge and power the motor controllers. We are now active.
When the driver turns off the car, we receive a CAN message and enter the shutdown state. We disconnect the motor LV system, disable the MPPTs, open the solar relay, and open the battery relay. This is just startup in reverse.
If the charging state is requested, we enable the battery relay, solar relay, and MPPTs. Then, we wait until a full charge has occurred using the SOC packet from our BMS and disable our MPPTs and solar relay.
If a fault occurs, we follow the shutdown control flow to disable HV power within the car. We then require a manual reset to re-energize the system.
Power Off
- Driver switches car off
- Chaos turns Pre-Charge off, main relays open and vehicle goes into discharge. If the main relays fail to open, a relay fault will be raised
- Chaos opens the solar relay, and battery relay
- Chaos and Plutus is now powered by the aux battery
- The vehicle is now off
- The aux battery can be disconnected through another switch
- If kill switch is hit at any point, chaos will open all relays. Since the DC-DC is now off, pre-charge will open the main relays.
Warnings to Driver:
...
The power distribution system controls both LV and HV systems through the use of multiple LV power rails, some of which are considered protected. This means that they are powered by a supplemental battery, allowing system operation during a fault. This page covers how we handle the supplemental LV battery that powers those protected systems.
Supplemental Battery
By ASC regulations, we're allowed a single supplemental LV battery. Its use is very limited, and we're limited to non-lithium chemistries. We also need to have passive monitoring at a minimum, but a BMS would be ideal. Thus, we need to choose a chemistry and capacity that will safely handle the HV relay without being overly large and heavy. Our goal is to minimize the use of the supplemental battery other than initial connection of the HV battery relay and in fault scenarios.
In MSXI, we used a switch near the PJB that connected the supplemental battery as part of our power sequence. For MSXII, we have identified two strategies for managing the supplemental battery.
Strategy A
MSXII's firmware is designed to use an event-driven architecture, allowing the use of deep sleep modes. This allows us to sleep until an external event occurs, such as a button press or CAN message.
As a result, a possible strategy is to leave the supplemental battery permanently attached, especially since we're planning on attaching a small BMS to the power distribution board that can charge it during normal operation. When the car is off, most systems will be inactive and in a deep sleep state, so the average power consumption should be in the microamp range. This will keep all protected systems active. Thus, we can initiate the car's startup through the driver input board. Pressing the start button should wake up the driver input board, which then sends the power distribution board a CAN message to switch over to the DC-DC and begin the startup procedure. To recover the system in the case of a fault, pressing the start button again would reset the BMS.
This is similar to the approach we took in MSXI, although MSXI's implementation was much less granular and would drain the supplemental battery relatively quickly. Realistically, Chaos is the only board that truly requires an off state, as the other protected systems (Lights, Themis, Plutus) just delegate work to unprotected systems or react to events over CAN. Since it already requires active and fault states, the addition of an off state should not add too much extra work.
Strategy B
Using the start button as the physical connection between the supplemental battery and the power distribution board ensures that power will not be used unless the car is active or in a fault condition. The LV network would only ever be powered when the driver has pressed the start button, removing the need for an off state within the firmware of protected boards.
This strategy completely removes the need for an off state and ensures that the LV network will be inactive unless the driver has started the car. As a trade-off, it requires running another pair of wires up to the driver for the switch. It also requires modifying the fault logic of the supplemental BMS to differentiate between the disconnection of the supplemental battery to shut down the car and a low voltage fault.