Failsafe Control Methods for EVs with the Failsafe Structure Driven by Front and Rear Wheels Independently

This paper describes failsafe control methods for electric vehicles (EVs) with the failsafe structure in which front and rear wheels are driven independently. Based on failure-diagnosis results, the failsafe control is done by dividing fault states into two types, i.e. a slight failure such as a current or a speed sensor failure and a serious failure such as an inverter or a motor failure. For the latter, the EV keeps on driving with only the healthy drive system by separating the drive system including the failed inverter or motor. On the other hand, for the former, a fault tolerant control is performed that keeps on driving while compensating for the function of the failed sensors so that the drive performance before failure can be maintained as much as possible. Effectiveness of the proposed methods is verified through simulations and experiments using bench test equipment which is equivalent to the actual EV drive systems and a prototype EV.


INTRODUCTION
Studies of ECO vehicles have been undertaken to identify ways to mitigate global energy and environmental problems. As a result, various types of vehicles have been developed: not only electric vehicles (EVs) but also hybrid cars and fuel cell cars. All of these are characterized by having motor drive systems which are mainly composed of inverters, motors and torque and current controllers. To secure vehicle safety, a protection technique to prevent drive systems from failing is required [1] [2]. However, it is hard to avoid sudden stops when drive systems fail using only protected operations; EVs should have a failsafe structure [3]-[7] which can cope with various failures occurring during normal runs. Thus, failsafe control methods suitable for EVs with the failsafe structure, which has already been developed by Mutoh, et al. [3] [7], are studied here. From the standpoint of safety, the methods must avoid any sudden vehicle stops even if a failure arises, so failsafe control that can continue running while maintaining the drive performance is needed. To shift to this control reliably, fault diagnoses should always be done over the whole drive system, including components such as motors and inverters [8] and speed and current sensors [8]-[10]. Furthermore, to avoid unexpected sudden stops due to failure, fault tolerant control is needed that can keep on running by dividing the failsafe drive states into slight and serious faults, which are judged based on the failure diagnosis. That is, when serious faults appear in important units such as inverters and motors for generating driving torque, failsafe control is carried out which makes the EVs run with only the healthy drive system.
On the other hand, when a slight failure such as a speed or current sensor failure occurs, a fault tolerant control is performed according to the failure states which makes the EVs run while compensating for the function of the failed sensors [11]. The effectiveness of the failsafe control methods including the fault tolerant function is verified through simulations and experiments using bench test apparatus and a prototype EV.

The Principle of Failsafe Control Methods
In order to make the EV drive systems into a failsafe structure, the front and rear wheel drive systems need to operate completely independently of each other. To meet this failsafe requirement, as shown in Fig.1 (a), two sets of motors are separately arranged on the front and rear wheel sides [12]. With this structure, each motor can control driving torque and braking torque independently. Then an SM and an IM can be mounted on the front and rear wheel sides (Fig. 1(b)), respectively, which brings about drive performance which cannot be obtained in conventional EVs [3]-[7]. For example, the EV can secure good steering ability at low speeds and stability at high speeds [8]. The most effective point is that it is possible to perform the failsafe control which complements the failed drive system by the healthy system, based on the control system shown in Fig.3 in which the control procedures shown in Fig.2 were incorporated. The failsafe control methods are characterized by always checking whether the failed states allow EVs to keep on driving further. In this case, the fault states are judged by detecting inverter input currents (battery output currents) for the front and rear wheel sides, the battery voltage, and the three phase current and speed sensors of motors for the front and rear wheel drives. When either an inverter or a motor has failed, the EV keeps on driving with the healthy drive system by separating the failed drive system. When sensors have failed, it is judged whether the fault states can be compensated. If impossible, the same measures as for the inverter fault are taken. If possible, the EV continues operating by performing the fault tolerant control while compensating for the function of the failed sensor using the following techniques.

Failsafe Control Methods When Current Sensors Fail
Here, from the viewpoint of protecting drivers and passengers from an electric shock, three current sensors are used so that the ground fault phenomenon occurring on the motor side can be detected. As the current sensors are generally composed of Hall effect devices, they have two kinds of current fault states, i.e. a state caused by the degradation of a Hall device in which the detected level drops below a normal value, and a completely failed (phase interruption) state. If the former occurs, it will be difficult for EVs to control and generate the driving torque precisely according to how far the accelerator is depressed. In the latter, it will be completely impossible to control the driving torque. Both kinds of fault states should therefore be detected. Moreover, it is very dangerous for EVs to stop suddenly due to failure because this may lead to traffic accidents. Thus, as long as two or more sensors do not fail simultaneously, EVs should keep on running by compensating for the function of the failed sensor using other normal sensors. This is the basic requirement for realizing EVs with the ability to keep on driving even when a current sensor has failed, as long as it does not result in complete failure. Fig.4 shows the failsafe control procedures when current sensors have failed.

Methods to Detect the Current Sensor Fault Using Hardware Techniques
There are three situations in current sensor faults, i.e. one-phase fault, two-phase fault and three-phase fault. The fault when the sensor of one phase fails is detected as follows. First, the three phase-currents $I_u$, $I_v$, $I_w$ detected through current sensors are converted through comparators to pulse signals U, V, W and their logically inverted signals $\bar{U}$, $\bar{V}$, $\bar{W}$, which change according to the polarity of the detected currents. As shown in Fig.5, using D-type flip-flops, these faults can be detected by monitoring the signal change of each U, V, or W phase at the rising timing of one of two combined signals: (U, W), (V, U) and (W, V), respectively. Here, the reason for using two signals is to be able to detect the phase of the failed current sensor using a quickly detectable signal. This was verified through simulations shown in Fig.6. For example, when the current sensor of the U-phase fails, the U-phase fault is detected at the time $t_1$ when the signal V which is one of the above two combined signals (W, V) rises. Since only the sensor of one (U-) phase fails, the function of the failed current sensor is compensated for using two currents measured from the other two (V- and W-phase) normal sensors [11]. Then, in this fault state, according to the procedures shown in Fig.4, EVs can keep on going without any sudden stops.
Next, the two-phase fault, in which the sensors of two phase currents fail, is considered. It occurs in the U- and V-phases, V- and W-phases, and W- and U-phases. These three kinds of two-phase faults are detected by judging from the logical level of the two-phase signals (U, V), (V, W) and (W, U) at the rising timing when one of three combinations of two signals (W, $\bar{W}$), (U, $\bar{U}$) and (V, $\bar{V}$) is changed. For example, the U- and V-phase fault is judged by detecting the logical level of the U- and V-signals at the timing when the W and $\bar{W}$ signals are changed, respectively. Fig.7 shows the structure of the circuits to detect the two-phase fault. The effectiveness of the proposed two-phase fault method is confirmed from the simulations of Fig.6, which detect the V- and W-phase fault occurring at time $t_2$ by judging the logical level of the W-phase signal at the time when the inverted signal $\bar{V}$ of the signal V rose.
Finally, the three-phase fault, i.e. the fault which occurs when all of the current sensors fail, is easily detected by circuits which are composed of R-S flip-flops (R-S-FFs). The three-phase fault is detected by judging the states of the signals output from the terminal Q of all the R-S-FFs shown in Fig.8. In this case, it is judged as the three-phase fault when the level of all output signals is the 'H' level.

A Method to Detect the Current Sensor Fault Using Software
Hardware detects faults quickly and reliably, but it has the disadvantage that current sensor faults can be detected only at the signal-change timing. Thus, a method to detect the current sensor fault using software is also needed that has the ability to always presume failed states including the degradation of sensors. As indicated in Fig.4, it is first judged whether the sum of the three phase currents $I_u$, $I_v$, $I_w$ detected from the current sensors satisfies (1).
Here, is permissible error when EVs are normally driven, a value which is almost zero. When (1) is not satisfied, i.e., when three-phase balance is no longer maintained between the three phase-currents measured, the current sensor may have deteriorated or failed. In this case, however, the fault states when two or more current sensors have failed cannot be judged. Then, self-checking is done using self-currents $I_u'$, $I_v'$, $I_w'$, which are calculated from (2)-(4) using the actually measured currents ($I_v$, $I_w$), ($I_w$, $I_u$), ($I_u$, $I_v$), each of which is the combination of the two phase currents other than the self-current, respectively.
It is difficult to directly compare the calculated currents ($I_u'$, $I_v'$, $I_w'$) and the measured currents ($I_u$, $I_v$, $I_w$) since they are alternating currents. Thus, the alternating-current quantities are converted into direct-current quantities using (5). This conversion always needs three phase-currents since they are not in the balanced states. Generally, when there is no failure in current sensors, the magnetizing and torque components, $I_d(n)$ and $I_q(n)$, which are converted using the measured currents ($I_u$, $I_v$, $I_w$), are in agreement with their references $I_d^*(n)$ and $I_q^*(n)$ with operations of the current regulators as long as $I_q^*(n)$ does not change. Thus, three combinations ($I_{d1}(n)$, $I_{q1}(n)$), ($I_{d2}(n)$, $I_{q2}(n)$) and ($I_{d3}(n)$, $I_{q3}(n)$) are calculated using (5) that correspond to the three current combinations: ($I_u'(n)$, $I_v(n)$, $I_w(n)$), ($I_u(n)$, $I_v'(n)$, $I_w(n)$) and ($I_u(n)$, $I_v(n)$, $I_w'(n)$), respectively. Next, when the drive systems are in steady states, the torque current reference $I_q^*(n)$ at time n is compared with $I_{q1}(n)$, $I_{q2}(n)$ and $I_{q3}(n)$ obtained through these calculations based on (6).
Here, an error is a value determined from the control limit of the torque controller when the current sensors deteriorated. In this paper, 30% is set as this value. While the drive systems do not lie in steady states, the fault situations are judged with the hardware described above. For example, when only the U-phase sensor has failed, the U-phase fault is judged from the calculated torque currents $I_{q2}(n)$ and $I_{q3}(n)$. As they include the current measured by the failed U-phase current sensor, the error of (6) will become larger than the permitted value. Then, the failsafe drive is performed using the correctly detected current $I_{q1}(n)$. When none of the calculated currents $I_{q1}(n)$, $I_{q2}(n)$ and $I_{q3}(n)$ satisfies (6), failure of two or more current sensors is judged and then the drive systems are switched to only the normal drive system.
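The software self-check described above can be exercised offline. The following Python sketch is an added example, not code from the paper. It assumes that (1) is a balance test on the sum of the phase currents, that (2)-(4) are the balanced three-phase relation, that (5) is the amplitude-invariant dq transform, and that (6) is a relative-error test against the torque current reference; the names `measure`, `diagnose` and `eps_sum` are hypothetical, and the decision uses the worst error over one electrical period rather than a single sample.

```python
import math

STEP = 2.0 * math.pi / 3.0          # 120 degree spacing of the U, V, W phases
PHASES = ("U", "V", "W")

def dq_to_uvw(i_d, i_q, theta):
    """Balanced phase currents that produce (Id, Iq) at rotor angle theta."""
    return tuple(i_d * math.cos(theta - k * STEP) - i_q * math.sin(theta - k * STEP)
                 for k in range(3))

def torque_current(i_u, i_v, i_w, theta):
    """q-axis (torque) component, amplitude-invariant transform (assumed form of (5))."""
    return -2.0 / 3.0 * sum(i * math.sin(theta - k * STEP)
                            for k, i in enumerate((i_u, i_v, i_w)))

def measure(iq_ref, gains, n=36):
    """Constructed steady-state data: one electrical period, Id = 0.
    gains scales each sensor reading (1.0 healthy, 0.5 degraded, 0.0 interrupted)."""
    samples = []
    for k in range(n):
        theta = 2.0 * math.pi * k / n
        true = dq_to_uvw(0.0, iq_ref, theta)
        samples.append((theta, *(g * i for g, i in zip(gains, true))))
    return samples

def diagnose(samples, iq_ref, eps_sum=0.5, tol=0.30):
    """Classify a window of (theta, Iu, Iv, Iw) samples.
    eps_sum is a hypothetical balance tolerance in amperes; tol is the page's 30%."""
    # Balance check in the style of (1): the three currents should sum to ~0.
    if max(abs(u + v + w) for _, u, v, w in samples) <= eps_sum:
        return ("normal", None)
    worst = [0.0, 0.0, 0.0]
    for theta, u, v, w in samples:
        # Self-check: replace one phase at a time by the value implied by the other two.
        combos = ((-(v + w), v, w), (u, -(w + u), w), (u, v, -(u + v)))
        for k, combo in enumerate(combos):
            err = abs(iq_ref - torque_current(*combo, theta)) / abs(iq_ref)
            worst[k] = max(worst[k], err)
    passing = [k for k in range(3) if worst[k] <= tol]
    if len(passing) == 1:
        # Only the combination that excludes the bad sensor still tracks Iq*.
        return ("compensate", PHASES[passing[0]])
    if not passing:
        # No combination is trustworthy: two or more sensors have failed.
        return ("separate_drive", None)
    # Imbalance seen but every deviation is inside tol (assumption: not judged a fault).
    return ("within_limit", None)

if __name__ == "__main__":
    for gains in ((1, 1, 1), (0.5, 1, 1), (1, 1, 0.0), (0.5, 1, 0.5), (0.9, 1, 1)):
        print(gains, diagnose(measure(100.0, gains), 100.0))
```

With one degraded sensor only the combination that reconstructs that phase from the other two stays within tolerance, which is what identifies the failed phase.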

FAILSAFE CONTROL METHODS WHEN SPEED SENSORS FAIL
Faults of speed sensors are another sensor fault which strongly affects EV drive systems. From an economic viewpoint, an optical rotary encoder is used as a speed sensor. This speed sensor may fail during running due to degradation of the components which constitute the sensor or due to oscillations which are repeatedly applied to it. Thus, in order to prevent traffic accidents caused by unexpected sudden stops occurring due to failure, failsafe drives (fault tolerant control) based on the failure situations of the speed sensors are needed. The A- and B-phase signals, which have a mutual phase difference of 90 degrees, and the Z-phase signal indicating the criterion position of the magnetic pole in the SM are generated from the speed sensor. Then, according to Fig.9, failsafe drive is performed while judging the fault states. When the A- or B-phase signal fails, measures to keep on running without any sudden stops are performed while compensating for the failed signal with a normal signal. When both A- and B-phase signals and the Z-phase signal fail, the failed drive system is separated and then the EV continues running with only the healthy drive system. Hereafter, methods to detect various kinds of failed states are described.

Failsafe Control Methods When Speed Sensors Fail
The speed sensor, i.e., the optical rotary encoder, generates two phase signals, A and B, which have a mutual phase difference of 90 degrees. Then, a fault of each signal is detected by monitoring the level status, i.e., H(1)-level or L(0)-level, at both rising and falling timings when the level of each signal changes. This is because the fault should be detected for two rotation states, i.e., the clockwise and counterclockwise rotations corresponding to two states in which vehicles move forward and back. Here, when the A- and B-phase signals fail, they will become H- or L-level, as shown in Fig.11. Since the result of the fault judgment strongly affects operations of vehicles, this judgment should be doubly checked using another technique. Here, (7) is used as another judgment condition based on the fact that the speed difference during the measurement period becomes less than half the speed (n) obtained correctly at the former time n if either the A- or B-phase signal fails at time (n+1).
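The edge-based level check described above, as an added Python example that is not taken from the paper: each signal is sampled at the rising and falling edges of the other, and a level that repeats at two consecutive edges is judged stuck. The names `encoder_samples` and `stuck_signals` are hypothetical and the sample streams are constructed; the example also shows that when both signals are frozen there are no edges left to sample, so nothing is reported.

```python
FORWARD = [(0, 0), (1, 0), (1, 1), (0, 1)]   # (A, B) levels, A leads B by 90 degrees

def encoder_samples(steps, forward=True, stuck=None):
    """Constructed (A, B) level sequence, one sample per quarter period.
    stuck maps a signal name to the level it is frozen at, e.g. {"A": 1}."""
    stuck = stuck or {}
    seq = FORWARD if forward else FORWARD[::-1]
    out = []
    for k in range(steps):
        a, b = seq[k % 4]
        out.append((stuck.get("A", a), stuck.get("B", b)))
    return out

def stuck_signals(samples):
    """Names of signals judged stuck at H or L.
    Each signal is sampled at every rising and falling edge of the other one;
    in healthy quadrature the sampled level alternates from edge to edge,
    for forward and for reverse rotation alike."""
    faults = set()
    last = {"A": None, "B": None}     # watched level seen at the watcher's previous edge
    prev = samples[0]
    for cur in samples[1:]:
        # (watched signal, its index in the sample, index of the watching signal)
        for watched, wi, xi in (("A", 0, 1), ("B", 1, 0)):
            if cur[xi] != prev[xi]:               # edge on the watching signal
                if last[watched] == cur[wi]:      # same level at two consecutive edges
                    faults.add(watched)
                last[watched] = cur[wi]
        prev = cur
    return faults

if __name__ == "__main__":
    print(stuck_signals(encoder_samples(16)))                            # healthy
    print(stuck_signals(encoder_samples(16, stuck={"A": 1})))            # A frozen at H
    print(stuck_signals(encoder_samples(16, False, {"B": 0})))           # B frozen at L
    print(stuck_signals(encoder_samples(16, stuck={"A": 1, "B": 0})))    # both frozen
```

A direction reversal between two edges also repeats a level in this simple check, so it is only meaningful while the rotation direction is constant.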

2 A Method to Detect A-and B-Phase Faults
The fault detection method just cited above assumes that the watching signal must be normal in order for the fault of the watched signal to be detected with certainty. Thus, states in which the two A- and B-phase signals failed simultaneously cannot be detected. In these situations, as the speed f or r of the front or rear wheel failed to be detected, it is given as zero. Using this fact, states when two phase-signals failed simultaneously can be detected. However, since these also include the state that the speed becomes zero at the time of wheel locks, this state should be separated using the following technique. Since the wheel locks occur when braking operations are performed due to load movement, the state is detected by estimating the slip ratios $S_{bf}$, $S_{br}$ for the front and rear wheels which are given by (8) and (9).
That is, if at least one of the wheel speeds, R f or R r becomes zero when the slip ratio increases to nearly one at the time of braking, it is judged that the speed is zero due to occurrence of wheel locks. Here, wheel locks can be controlled using the method [5] to properly distribute the braking torque to the front and rear wheels according to the estimated load movement; this is possible only for the EV with the structural feature shown in Fig. 1. If the detected wheel speed becomes zero when the slip ratio lies in the normal range between 0.1 and 0.3 [5], it is judged as the fault. Here, when the fault of the phase signal and wheel locks simultaneously occur, the fault is judged from the controllability of the slip ratio control [5]: where V is the car body speed estimated from an acceleration sensor and R is the tire radius. In this case, integrating errors occurring when acquiring V are corrected by using the wheel speed obtained in synchronization with the A- and B-phase signals generated from the rotary encoder as an offset value.

3 A Method to Detect Z-Phase Signal Fault
The Z-phase signal is generated from the optical rotary encoder once every revolution. The optical rotary encoder is generally set on the motor shaft (rotor) of the SM so that the timing when the Z-phase signal is generated agrees with the position of the magnetic pole in the rotor of the SM. Thus, the position of the magnetic pole can be recognized by detecting the Z-phase signal. The rotating angle of the rotor while the SM makes one revolution is obtained by using a counter to count the number of A- and B-phase signals generated from the optical rotary encoder while the Z-phase signal is generated. That is, the period that the Z-phase signal is generated corresponds to the value when the counter reaches 2 . Thus, the fault of the Z-phase signal is judged by whether the value (n) counted by the counter satisfies (10).

A Method to Compensate for the Failed Phase Signal
When either the A- or B-phase signal fails, the compensated phase signal is reproduced based on the normal phase signal. Fig.12 shows a compensation method to reproduce a phase signal with the phase difference of the half period of the normal phase signal. In this case, this period T is determined so that the phase difference between the normal and reproduced phase signals exists even when arriving at the maximum speed, and it is judged from the position (forward or reverse) of the shift lever whether the phase between the normal and reproduced phase signal is delayed. On the other hand, when all A- and B-phase signals and the Z-phase signal have failed, EVs keep on driving by separating the fault from the drive systems and using only the normal drive system.

VERIFICATION OF THE PROPOSED METHODS USING THE PROTOTYPE EV
First, experiments are used to study whether the methods proposed in Sec.2.1.2 allow a failed current sensor to be compensated for using other normal sensors. Degradation of current sensors is a common failure. It is judged here to be a current fault by detecting a 30% reduction of the detected current signal level. Fig. 13 shows the proposed failsafe drive when the U-phase current sensor of the front wheel drive system fails first at time $t=t_1$, and next, the W-phase current sensor of the same drive system fails at time $t=t_2$. In the first fault, the experimental result shows that the failed U-phase current sensor is completely compensated for using the other two current sensors. Then, even if the U-phase sensor failed, the front drive system including the failed current sensor is properly operated until the time $t_1$, judging from the produced front torque. However, after detecting the fault of the other W-phase sensor at time $t_2$, the failed front drive system is separated from the EV drive systems because the failed current sensors cannot be compensated for using only the normal V-phase current. This is confirmed from the fact that not only the torque currents $I_{q1}$ and $I_{q2}$ of the failed phase currents but also the torque current $I_{q3}$ of the normal phase current become zero. After separating the failed system, Fig. 13 shows that the prototype EV can continue running using only the normal rear drive system. Next, the failsafe effects when the speed sensors fail are verified. Fig.14 shows failsafe drive when the speed sensor which generates the A-phase signal fails at time $t=t_1$. Even if the fault of A-phase occurred at time $t=t_2$, the failed A-phase signal is quickly compensated by the normal B-phase at time $t=t_2$ and then the signal equivalent to the failed A-phase one is regenerated. As a result, both the front and rear wheel drive systems are normally operated using the reproduced signal and then the EV keeps on driving without any stops.
When two or more current sensors fail or when all A- and B-phase signals and the Z-phase signal fail, the failed drive system is immediately separated from the EV drive systems and the EV can continue running using only the normal drive system without any sudden stops. The failsafe drive performance of this case is confirmed through various experiments, as shown in Figs. 17 and 18 and Figs. 19 and 20, when failing on the front or rear drive system side while going straight and cornering using the prototype EV, respectively. Here, it is checked through experiments that the yaw rate and lateral acceleration generated at the time of cornering are almost the same as those of normal drives. This excellent safety can be obtained only by the EV proposed here which has the failsafe structure.

CONCLUSION
This paper described the failsafe control methods suitable for the EV with the structure driven by the front and rear wheels independently. The proposed failsafe control methods: (1) compensated for the function lost due to failure using the healthy parts; (2) avoided loss of driving performance when partial failure occurs; and (3) avoided unexpected sudden stops when complete failure occurs. When a drive system failed completely, it was separated from the EV drive systems and the EV continued running with only the healthy front or rear wheel drive system by making full use of the failsafe structure. Effectiveness of the proposed methods was verified through various experiments using the prototype EV.