SUMMARY
This is a progress report on an "open" CAN bus wheelchair controller system that I've been working on. Luckily I am now retired so I am able to devote a lot of uninterrupted time to a project that is much more involved than anything I have done before, with the exception of my daughter Rachele's head switch and gaze operated multilingual communications/computer control system which only reached its current state after years of work.
Having been involved with wheelchair design for over 20 years, I am well aware of the safety issues involved; after all, a wheelchair user can not "bail out" if something goes awry. Indeed, creating a "bullet proof" system is a major part of the work involved. For a geneticist working on a project that really needs the skills of an ME, an EE and a programmer this is decidedly non-trivial.
One of the satisfying, and at the same time worrisome, aspects of this is that I learn something new just about every day. For example, common practice is to protect a semiconductor switching circuit from relay coil kickback by putting a reverse-biased diode across the coil. This indeed will protect the driver, and it is a good way to do things when dealing with signal-level relays (or AC relays in general), it is, however, a relay-killer if used on high current DC relays. I only discovered this when a footnote on a spec sheet led me to these Tyco application notes. If you are dealing with controlling more than mA currents, they are a must read.
http://relays.te.com/appnotes/app_pdfs/13c3311.pdf
http://relays.te.com/appnotes/app_pdfs/13c3264.pdf
So what's worrisome about learning all these new things? What's worrisome is the question: What other equally critical factors exist that I should know about that, because of my ignorance, I don't even realize that I should study?
In the end, I expect to need a lot of testing at high power in a high noise environment before the design is really "final". And that's a problem for me: pushing everything to its limits requires equipment, money and time I don't (and won't ever) have, and I've yet to decide what level of risk I'm willing to tolerate in a system that's not been "tested-to-destruction". Hence, in both the hardware and software I'm trying to use a "belt-and-suspenders", fail-safe and safe-fail, approach and that's why the more people who are willing to invest some time in double-checking and questioning what I've done the more comfortable I will feel.
At this point, I have a three-node net running at 1M bits per second without dropouts (compared to the usual WC controller rate of 100k bps or so). Transmission rate will be set lower on the chair after testing at 1M to give a nice safety margin. During testing, a PC will also be connected to the motor controller to start its script each time it's powered up. Once I'm sure that the script doesn't have any bad bugs, it can be set to autorun on startup. The PC will have NO role in actual operation - no PC operating system is to be trusted EVER with driving a wheelchair!
The full description of the project is far longer than the forum allows, so I've attached it as a pdf. There is also a zip file of the hardware (WC CAN circuits.zip) with schematic and pcb designs as pdf and DesignSpark files, and a zip file of the program files (WC CAN programs.zip).
PROJECT DESCRIPTION: HARDWARE
CAN nodes:
The system will have four CAN bus nodes, though more could be added if other functionality is needed:
(1) the MOTOR CONTROLLER node that handles the high current needs of the motors and some medium-current digital outputs. I am designing around the characteristics of the Roboteq HDC2450, but relatively little work would be needed to adapt this to other controllers. Some external hardware is also needed: high current safety disconnect relay, SPDT reed relay for power to the Roboteq's microprocessor, pre-charge resistor, regeneration bypass diode (in case the safety relay opens), voltage clamping on the motors (if not built in to the motors themselves), relays or semiconductor H-bridges for actuators etc.
(2) the MASTER node that collects information from an analog joystick and/or switches, and does the arithmetic and logic to turn that into CAN messages to the Roboteq for controlling the motors, brakes etc. Because the Roboteq does not treat CAN the same way as it treats analog, pulse or serial input, all of the calculations for scaling the joystick, setting dead band, implementing a speed pot (if desired), applying different degrees of exponential curving and so on must be done here. This is actually similar to Dynamic DX/DX2 systems in which the power module only has motor programming, and the master computer is in the remote. Of all the driving calculations needed, only mixing and motor compensation are handled in the Roboteq node. MASTER also traps errors, collects information from the Roboteq and Aux nodes, and sends this information on to the DISPLAY node. A toggle switch is used to go between joystick and switch input, and momentary contact switches are read to give forward, reverse, left, right, mode (driving, seat, lights), power On (or Wake)/Off, and STOP.
(3) the AUX node. Although the Roboteq has a number of 1A digital outputs, there are not actually enough to do everything one might want to do: separate left and right brakes, seat actuators (1, 2 or 3), lights. Moreover, I don't want to have separate On/Off switches for different modules so we need some way to control power to the Roboteq via the CAN bus. These functions will be handled by AUX node. AUX can also handle a shock sensor &/or other stability sensor (such as I now have on Rachi's chair), and speed slow-down &/or inhibit sensors on the seat actuators. (This is where one could add gyros, compass, even a full inertial navigation system if one wanted too - I don't, but a Nano has enough guts for all of this.)
(4) the DISPLAY node. This node receives messages from MASTER to display them on a small TFT screen and to log them on a micro SD card. Graphics will show which way to move the joystick for different seat movements or light settings, an indicator of whether in joystick or switch-driving mode, present voltage and Amp Hours consumed since last charge.
A jpg of my breadboard is attached; for design details see "WC CAN description a.pdf" and "WC CAN circuits.zip".
SOFTWARE
CAN protocol:
A standard CAN frame consists of an identifier (11 bits) and up to 8 bytes of data. The CAN standard includes a number of features, both in how things are coded and in the physical layer (CRC check, bit-stuffing timing check, repeated transmission until receipt is acknowledged) to make sure that messages arrive intact. Because a wheelchair is a life-critical device for a user who may not be able to "bail out" if things go awry, my programming adds a couple further layers of protection. My messages contain at most 4 bytes of data and the other space is used for the bit-wise complements of these. A receiving node first does the built-in CAN checks and filters for proper ID before putting it in a message buffer (the MC 2151 has two buffers with separate masking/filtering). My (AUX, DISPLAY or Roboteq script) program then compares the data and their complements to make sure that the information is correct and then sends a confirmation message back to MASTER. If the original message was an information request (e.g. battery amps), the confirmation is the requested information itself. If the original message was a control or configuration command (such as a motor command), the confirmation message is the same data (and complements thereof) with the ID changed to show that it is the confirmation. MASTER again does the data/complement check, traps any errors and does not proceed on unless a proper confirmation is received.
For more complete description of the protocol's design and the functions of each node, see "WC CAN description a.pdf" and for implementation see "WC CAN programs.zip".
If you want to see the details of how these things have been done, I'm afraid you'll have to study the schematics, pcbs and read through the code. I hope that at least some of you will. This is my first "deep" foray into embedded programming and I'm sure there are many improvements that can be made.
WC CAN description a.pdf (342 KB)
WC CAN circuits.zip (550 KB)
WC CAN programs.zip (37.9 KB)