Version: 1.0.0

Safety

Lynx incorporates several functions for achieving higher safety.

Disarming block

The disarming block is a built-in safety system. It checks several inputs and, based on their values, can disable the throttle signal path (before it enters the driver) together with the cruise function. This ensures that the motor will not accelerate from the throttle path and that cruise is deactivated if there is a safety risk. The overall structure is shown in the picture below.

disarming.jpg

Several sources are considered potential safety risk initiators. They are divided into the categories stated below.

Faulty component:

  • Driver in error
  • I/O block in error
  • BMS in error
  • Throttle signal is Not a Number (NaN)
  • Braking signal is Not a Number (NaN)

Not a Number is evaluated in the particular ASC block: a signal outside the absmin and absmax region is treated as NaN.

Danger state:

  • BMS is in charging mode
  • Safety switch signal
  • Brake and accelerate signals active at the same moment
  • System in the safety map (map0)

Danger transition:

  • Change to the reverse map

If any of these inputs is valid, the disarming block can react in several ways:

  • Temporary disarming - The most common type of reaction: acceleration (and cruise) is disabled until the source of its activation is gone (e.g. driver error or BMS in charging mode)
  • Permanent disarming - Special case: acceleration is disabled until the activation criterion is gone and the controller is restarted
  • Transition disarming - Event-driven reaction: acceleration is disabled for the transition time period (e.g. transition to the reverse map)

The reaction to the majority of these inputs is hardcoded, but the disarming block can also be parametrized with the parameters safetyopts and drvopts.

The status of the disarming block can be checked in the state variable armed_state.
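
The three reaction types and the absmin/absmax NaN check described above, modelled in C as an added example; this is not Lynx firmware code. All type, field and function names, the enum values, the tick-based transition period, the active_level threshold and the latch_faults option are assumptions made for illustration and do not reflect the real encoding of safetyopts, drvopts or armed_state.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added model of the disarming block. Every name here is an assumption;
 * only the three reaction types and the absmin/absmax check come from the page. */
typedef enum { ARMED, DISARM_TEMPORARY, DISARM_TRANSITION, DISARM_PERMANENT } arm_t;

typedef struct {
    bool driver_err, io_err, bms_err;         /* faulty component */
    bool bms_charging, safety_sw, safety_map; /* danger state */
    bool to_reverse_map;                      /* danger transition, set for one tick */
    float throttle, brake;
} inputs_t;

typedef struct {
    float absmin, absmax;   /* valid signal region */
    float active_level;     /* assumed: above this a pedal counts as active */
    uint32_t trans_ticks;   /* assumed: length of the transition period */
    bool latch_faults;      /* assumed stand-in for a safetyopts-style option */
} config_t;

typedef struct { bool latched; uint32_t trans_left; } disarm_t; /* zeroed on restart */

/* Written so that an IEEE NaN also fails the comparison and counts as invalid. */
static bool sig_nan(float v, const config_t *c) { return !(v >= c->absmin && v <= c->absmax); }

arm_t disarm_step(disarm_t *d, const inputs_t *in, const config_t *c)
{
    bool bad = sig_nan(in->throttle, c) || sig_nan(in->brake, c);
    bool fault = in->driver_err || in->io_err || in->bms_err || bad;
    bool both = !bad && in->throttle > c->active_level && in->brake > c->active_level;
    bool danger = in->bms_charging || in->safety_sw || in->safety_map || both;

    if (fault && c->latch_faults) d->latched = true;   /* cleared only by restart */
    if (in->to_reverse_map) d->trans_left = c->trans_ticks;
    bool in_trans = d->trans_left > 0;
    if (in_trans) d->trans_left--;                     /* timer runs regardless */

    if (d->latched) return DISARM_PERMANENT;
    if (fault || danger) return DISARM_TEMPORARY;
    return in_trans ? DISARM_TRANSITION : ARMED;
}

/* Gate applied before the driver: a disarmed block passes no acceleration request. */
float gated_throttle(arm_t s, float throttle) { return s == ARMED ? throttle : 0.0f; }
```

In this model a restart corresponds to zeroing disarm_t; if the fault is still present afterwards, the first step latches again, which matches the "criterion gone and controller restarted" condition for permanent disarming.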