ISSN 2032-6653

The World Electric Vehicle Association Journal, Vol. 1, 2007

Failsafe Control Methods for EVs with the Failsafe Structure

Driven by Front and Rear Wheels Independently

Nobuyoshi Mutoh*, Yoshiki Tomita**

This paper describes failsafe control methods for electric vehicles (EVs) with the failsafe structure in which front
and rear wheels are driven independently. Based on failure-diagnosis results, the failsafe control is done by dividing
fault states into two types, i.e. a slight failure such as a current or a speed sensor failure and a serious failure such as
an inverter or a motor failure. For the latter, the EV keeps on driving with only the healthy drive system by
separating the drive system including the failed inverter or motor. On the other hand, for the former, a fault tolerant
control is performed that keeps on driving while compensating for the function of the failed sensors so that the
drive performance before failure can be maintained as much as possible. Effectiveness of the proposed methods is
verified through simulations and experiments using bench test equipment which is equivalent to the actual EV drive
systems and a prototype EV.

Keywords: Battery Electric Vehicles, Hybrid Electric Vehicles, Torque Splitter, Electric Drive, Controller, Control
System.

failsafe drive states into slight and serious faults which

1. INTRODUCTION are judged based on the failure diagnosis. That is, when
Studies of ECO vehicles have been undertaken to serious faults appear in important units such as
identify ways to mitigate global energy and inverters and motors for generating driving torque,
environmental problems. Various types of vehicles not failsafe control is carried out which makes the EVs run
only electric vehicles (EVs) but also hybrid cars and with only the healthy drive system. On the other hand,
fuel cell cars have been developed as a result. All of when a slight failure such as a speed or current sensor
these are characterized by having motor drive systems failure occurs, a fault tolerant control is performed
which are mainly composed of inverters, motors and according to the failure states which makes the EVs run
torque and current controllers. In order to secure the while compensating for the function of the failed
safety as vehicles, a protection technique to prevent sensors [11]. The effectiveness of the failsafe control
drive systems from failing is required [1] [2]. However, methods including the fault tolerant function is verified
it is hard to avoid sudden stops occurring when drive through simulations and experiments using bench test
systems fail using only protected operations; EVs apparatus and a prototype EV.
should have a failsafe structure [3]-[7] which can cope
with various failures occurring during normal runs.
2. FAILSAFE CONTROL METHODS
Thus, failsafe control methods suitable for the EVs with
the failsafe structure, which has been already developed 2.1 The Principal of Failsafe Control Methods
by Mutoh, et al. [3] [7], are studied here. From the In order to make the EV drive systems into a failsafe
standpoint of safety, even if failure arises, since the structure, the front and real wheel drive systems need to
methods must be able to avoid any sudden vehicle stops, operate completely independently of each other. To
the failsafe control having the function to continue meet this failsafe requirement, as shown in Fig.1 (a),
running while maintaining the drive performance is two sets of motors are separately arranged on the front
needed. In order to enable it to shift to this control and rear wheel sides [12]. With this structure, each
reliably, the fault diagnoses should always be done over motor can control driving torque and braking torque
the whole drive system including components such as independently. Then an SM and an IM can be mounted
motors and inverters [8] and speed and current sensors on the front and rear wheel sides (Fig. 1(b)),
[8]-[10]. Furthermore, in order to avoid unexpected respectively, which brings about drive performance
sudden stops due to failure, fault tolerant control is which cannot be obtained in conventional EVs [3]-[7].
needed that can keep on running by dividing the failsafe For example, the EV can secure good steering ability at
low speeds and stability at high speeds [8]. The most
*Graduate School, Tokyo Metropolitan University, 6-6, Asahigaoka, effective point is that it is possible to perform the
Hino-shi, Tokyo, 191-0065, Japan, e-mail: [email protected] failsafe control which complements the failed drive
**Graduate School, Tokyo Metropolitan University, 6-6, Asahigaoka,
Hino-shi, Tokyo, 191-0065, Japan, system by the healthy system based on the control
e-mail:[email protected]

© 2007 WEVA Journal, pp.271 -278

271
 ISSN 2032-6653
The World Electric Vehicle Association Journal, Vol. 1, 2007

Front Front system shown in Fig.3 in which control procedures

Speed Sensor Speed Sensor Differential
shown in Fig.2 were incorporated. The failsafe control
Differential
M Gear
S xb xa
SM
w
Gear
S xb xa
methods are characterized by always checking whether
Z Front Current v w Z SM Current v Iw
Sensor u Sensor u Iu Iv
the failed states allow EVs to keep on driving further. In
Front INV
Iv Iw
Front INV this case, the fault states are judged by detecting
Iu
Front DSP Front DSP inverter input currents (battery output currents) for the
Battery Mode Dis. Battery Mode Dis. front and rear wheel sides, the battery voltage, and the
288V Torque
288V Torque three phase current and speed sensors of motors for the
Splitter
Rear DSP Splitter Rear DSP
front and rear wheel drives. When either an inverter or
Rear INV
Iu Iv Iw Vehicle Rear INV Vehicle a motor have failed, the EV keeps on driving with the
Controller u Iu Iv Controller
Z Rear Current
u
v
Z IM Current
v Iw healthy drive system by separating the failed drive
Sensor w Sensor IM w
M
Differential Differential
system. When sensors have failed, it is judged whether
Speed Sensor
Speed Sensor Gear Gear
the fault states can be compensated. If impossible, the
Rear Rear same measures as for the inverter fault are taken. If
possible, the EV continues operating by performing the
(a) (b)
fault tolerant control while compensating for the
Fig. 1. Structure of EV drive systems. (a) EV with a function of the failed sensor using the following
failsafe structure. (b) Prototype EV that realized the techniques.
EV with the failsafe structure shown in Fig. (a).
D
Front Drive System Current,
Fault Signal ZIM
Diagnosis in Normal Drive Speed Sensor
ZSM
Rear Drive Fault Detecter
Normal Runs System Iu,v,w
and
Fault Diagnoses Fault Signal Iu,v,w
Compensater
Iu,v,w ZSM
WFront
Current Sensor Speed Sensor W$ W* Max Torque
Faults Torque + WFront* Current Iq*
Faults Reference PWM Front
EC
Reference Current Gate
SM
Calculator - Controller Block INV Iu,v,w
Compensation Variable Calculator Variable Id*=0
Select Drive Methods to Accelerator W% Limiter
Drive When Limiter
Compensate for Failed Sensors Braking Torque 'W + - Torque
It***
Partially Failed Distributor + Current Iu,v,w
- WRear㪁 Reference ZIM
Compensation Calculator Acceleration
Drive on/off Braking ZSM Sensor
Torque Filter
Reference Rear It max
Inverter or Brake Calculator It + PWM Rear
Torque It** Current Gate EC
+ INV IM
Failesafe Motor Faults D -
Current
Variable
+ Controller Block
Iu,v,w
Reference Variable
Drive When Limiter Im*
Separate ZIM Regulator It**max
Limiter
Completely Failed Drive System
Failed
Keep on Driving with only
the Healthy Drive System Fig. 3. Control system to perform failsafe control methods
shown in Fig.2.
Fig.2. Procedures to execute failsafe control
methods suitable for the EV shown in Fig.1.
2.2 Failsafe Control Methods When Current Sensors
Normal Drive Fail
Three Phase Faults Three Phase Interruption
Here, from the viewpoint of protecting drivers and
Detector with Software Detect Iu, Iv, Iw Detector with Hardware passengers from an electric shock, three current sensors
are used so that the ground fault phenomenon occurring
Compare between
Iu+Iv+Iw < 'H" Each Iu, Iv, Iw and Zero on the motor side can be detected. As the current
sensors are generally composed of Hall effect devices,
Estimate Iu', Iv', Iw'
Iu' = - (Iv+Iw) they have two kinds of current fault states, i.e. a state
Iv' = - (Iw+Iu) Generate Generate
Iw' = - (Iu+Iv) Pulse U,V,W Pulse U,V,W caused by the degradation of a Hall device in which the
Estimate Iq, Id
detected level drops below a normal value and a
(Iu', Iv, Iw) (Iq1, Id1)
(Iu', Iv, Iw) (Iq2, Id2)
completely failed (phase interruption) state. If the
Detect Detect Detect
(Iu', Iv, Iw) (Iq3, Id3) Three Phase Two Phase One Phase former occurs, it will be difficult for EVs to control and
Fault Fault Fault
Compare withH' generate the driving torque precisely according to the
Iq *  Iq( n) Iq *  H '
(n =1,2,3)
Failsafe Drives trod amount of the accelerator. In the latter, it will be
According to Fault Situation
completely impossible to control the driving torque.
Faults
More than
Perform Failsafe Drives
While Compensating for the
Then, both kinds of fault states should be detected.
Two Phases Function the Failed Sensor Moreover, it is very dangerous for EVs to stop suddenly
due to failure because this may lead to traffic accidents.
Keep on Driving by Switching to Display
the Normal Drive System Fault Situations Thus, as long as two or more sensors do not fail
simultaneously, EVs should keep on running by
Fig. 4. Failsafe control procedures when current compensating for the function of the failed sensor using
sensors failed. other normal sensors. This is the basic requirement

© 2007 WEVA Journal, pp.271 -278

272
 ISSN 2032-6653
The World Electric Vehicle Association Journal, Vol. 1, 2007

for realizing EVs with the ability to keep on driving even V-signals at timing when W and W-signals are changed,
when a current sensor has failed as long as it does not respectively. Fig.7 shows structure of circuits to detect
result in the complete failure. Fig.4 shows the failsafe the two-phase fault. The effectiveness of the proposed
control procedures when current sensors failed. two-phase fault method is confirmed from simulations of
Fig.6 which detect the V-and W-phase fault occurring at
2.2.1 Methods to Detect the Current Sensor Fault time t2 by judging the logical level of the W-phase
Using Hardware Techniques signal at the time when the inverted signal V of the
There are three situations in current sensor faults, i.e. signal V rose.
one-phase fault, two-phase fault and three-phase fault. Finally, the three-phase fault, i.e. the fault which
The fault when the sensor of one phase fails is detected occurs when all of the current sensors fail is easily
as follows. First, the three phase-currents Iu, Iv, Iw detected by the circuits which are composed of R-F
detected through current sensors are converted to pulse
One Phase Fault Two Phase Fault
signals: U, V, W through comparators and their

Output Current [A]

t=t1 t=t2
logically inverted signals U, V, W which are changing 3 Iu Iw
0
according to the polarity of the detected currents. As Iv
-3
shown in Fig.5, using D-type flip-flops, these faults can

of D-FF 1
Detect the U-Phase
be detected by monitoring the signal change of each U, 1 Fault
0
V, or W phase at the rising timing of one of two
combined signals: (U, W), (V, U) and (W, V), 1

U
0
respectively. Here, the reason for using two signals is to 1

V
be able to detect the phase of the failed current sensor 0
using a quickly detectable signal. This was verified W 1
0
through simulations shown in Fig.6. For example, when
of D-FF 4
Detect the W- Phase
Output

1
the current sensor of the U-phase fails, the U-phase 0
Fault

fault is detected at the time t1 when the signal V which

is one of the above two combined signals (W, V) rises. 1
W

0
Since only the sensor of one (U-) phase fails, the 1
V

function of the failed current sensor is compensated for 0

0.0 0.5 1.0 1.5 2.0 2.5 3.0
using two currents measured from the other two (V- and Time[s]
W-phase) normal sensors [11]. Then, in this fault state,
according to the procedures shown in Fig.4, EVs can Fig. 6. Simulations for verifying operations of the
keep on going without any sudden stops. one- and two-phase fault detection circuits shown in
Figs. 5 and 7.
Iu D Q
U-
Iv CK Q Iu D Q
Phase
D-Flip Flop 1 Fault CK Q
Iv Judgement of U- and V-
D Q D-Flip Flop 1
U- and V- Phase Fault
V- D Q Phase Fault
Iw CK Q
Phase
D-Flip Flop 2 Fault Iw CK Q
D-Flip Flop 2
D Q
W- D Q
CK Q Phase CK Q
Fault Judgement of V- and W-
D-Flip Flop 3
D-Flip Flop 3 V- and W- Phase Fault
D Q D Q Phase Fault

CK Q CK Q
D-Flip Flop 4
D-Flip Flop 4
D Q
D Q
CK Q
CK Q Judgement of W- and U-
D-Flip Flop 5 W- and U- Phase Fault
D-Flip Flop 5 D Q Phase Fault
D Q CK Q
CK Q D-Flip Flop 6
D-Flip Flop 6
Fig.7. Structure of circuits to detect the two-phase
Fig. 5. Structure of circuits to detect the one-phase
fault.
fault.

Iu R Q
Next, the two-phase fault when sensors of two
S Q Judgement
phase currents fail is considered that occurs in the
of Three
U-and V-phases, V- and W-phases, and W-and U-phases. Iv R Q ALL
These three kinds of two-phase faults are detected by S Q ( Three )
Phase
judging from the logical level of the two-phase signals, Phase Fault
(U, V), (V, W) and (W, U) at the rising timing when one Iw R Q Faults
of three combinations of two-signals (W, W), (U, U) S Q

and (V, V) is changed. For example, the U-and V-phase

fault is judged by detecting the logical level of U- and Fig.8. Structure of circuits to detect the three-phase
fault.

© 2007 WEVA Journal, pp.271 -278

273
 ISSN 2032-6653
The World Electric Vehicle Association Journal, Vol. 1, 2007

flip-flops (R-F-FFs). The three-phase fault is detected ª 1 1 º ª Iu ( n ) º

ª I d ( n )º 2 ª cos T ( n ) sin T ( n ) º «1 2 2 »« »
by judging states of the signals output from the terminal « » « »« « Iv( n ) » (5)
«¬ I q ( n )»¼ 3 ¬ sinT ( n ) cos T ( n )¼ 0 3  3 »» « Iw( n )»
Q of all the R-S-FFs shown in Fig.8. In this case, it is ¬« 2 2 ¼¬ ¼
judged as the three-phase fault when the level of all
output signals is the ‘H’ level I q * ( n )  I qj * ( n )
 H ' ( j 1,2,3) (6)
Iq * ( n )
2.2.2 A Method to Detect the Current Sensor Fault
Here, an error Hcis a value determined from the control
Using Software
Using hardware has a disadvantage that it is possible limit of the torque controller when the current sensors
to detect current sensor faults only at the changing deteriorated. In this paper, 30% is set as this value.
timing although the faults can be detected quickly and While the drive systems do not lie in steady states, the
reliably. Thus, a method to detect the current sensor fault situations are judged with the hardware described
fault using software is also needed that has the ability to above. For example, when only the U-phase sensor has
always presume failed states including the degradation failed, the U-phase fault is judged from the calculated
of sensors. As indicated in Fig.4, it is first judged torque currents Iq2(n) and Iq3(n). As they include the
whether the sum of three phase currents, Iu, Iv, Iw current measured by the failed U-phase current sensor,
detected from current sensors satisfies (1). the error of (6) will become larger than the permitted

Iu  I v  I w 'H
value Hc. Then, the failsafe drive is performed using the
(1)
correctly detected current Iq1(n). When all the
calculated currents Iq1(n), Iq2(n) and Iq3(n) do not satisfy
Here, 'H is permissible error when EVs are normally
(6), failure of two or more current sensors is judged and
driven, a value which is almost zero. When not then the drive systems are switched to only the normal
satisfying (1), i.e., when three-phase balance is no drive system.
longer maintained between the three phase-currents
measured, the current sensor may deteriorate or fail. In
this case, however, the fault states when two or more 3. FAILSAFE CONTROL METHODS WHEN
current sensors have failed cannot be judged. Then, SPEED SENSORS FAIL
self-checking is done using self-currents Iu’, Iv’, Iw’, Faults of speed sensors are another sensor fault
which are calculated from (2)-(4) using the actually which strongly affects EV driver systems. From an
measured currents (Iv, Iw), (Iw, Iu), (Iu ,Iw) which are a economic viewpoint, an optical rotary encoder is used
combination of two phase currents except the as a speed sensor. This speed sensor may fail during
self-current, respectively. running due to degradation of the components which
constitute the sensor or due to oscillations which are
I u ' ( I v  I w ) ( 2) repeatedly applied to it. Thus, in order to prevent traffic
accidents caused by unexpected sudden stops occurring
I v ' ( I w  I u ) (3) due to failure, failsafe drives (fault tolerant control)
based on the failure situations of the speed sensors are
I w ' ( I u  I v ) ( 4) needed. The A- and B- phase signals which have a
A -and B-Phase A- or B-Phase Signal Z-Phase
It is difficult to directly compare the calculated currents Signal Fault Detector
Drive
Fault Detecter Fault Detector
(Iu’, Iv’, Iw’) and the measured currents (Iu, Iv, Iw) since
Detect
they are alternating currents. Thus, the amount of the Detect A-, B- and
alternating currents is changed into the amount of the Car Acceleration
D
Z- Phase Signals

direct currents using (5). This conversion always needs Estimate Estimate Generate Read
three phase-currents since they are not in the balanced Car Speed V Wheel Speeds
Zf
and Z r
Pulses A and B Value T
of Counter
states. Generally, when there is no failure in current Yes
Is Vehicle No Watch
A-and B-Phase T
sensors, the magnetizing and torque components, Id(n) Speed Zero
Signals Mutually Exceeds
Permissive
and Iq(n), which are converted using the measured Value 2 S
Is Yes
currents (Iu, Iv, Iw) are in agreement with their Estimate Slip Ratios
S f and S r A-Phase Signal No
references Id *(n) and Iq*(n) with operations of the Fault ? Yes
No
current regulators as long as Iq*(n) does not change. Judge
Wheel Lock? No Is
B-Phase Signal
Thus, three combinations (Id1(n), Iq1(n)), (Id2(n), Iq2(n)) Yes No
Fault ? Z-Phase Normal
Yes
and (Id3(n), Iq3(n)) are calculated using (5) that A and B -Phase A and B -Phase
Signal Z-Phase
A or B-Phase Signal Fault
correspond to the three current combinations: (Iu’(n),
Signal
Fault are Normal Fault
Iv(n), Iw(n)), (Iu (n), Iv’(n), Iw(n)) and (Iu (n), Iv(n),
Iw’(n)), respectively. Next, when the drive systems are Failsafe Drives

in steady states, the torque current reference Iq*(n) at

Fig.9. Procedures for performing the failsafe control when
time n is compared with Iq1(n), Iq2(n) and Iq3(n)
the speed sensor failed.
obtained through these calculations based on (6).

© 2007 WEVA Journal, pp.271 -278

274
 ISSN 2032-6653
The World Electric Vehicle Association Journal, Vol. 1, 2007

mutual phase difference of 90 degrees, and the Z-phase A A D Q Watch A-Phase Signal
B at Rising Timing of B-Phase Signal
signal indicating the criterion position of the magnetic B CK Q
D-FF1
pole in the SM are generated from the speed sensor. A D Q Watch A-Phase Signal Judge
A-Phase
at Falling Timing of B-Phase Signal Signal
Then, according to Fig.9, failsafe drive is performed CK Q
A-Phase
Signal Fault
Fault
B D-FF2
while judging the fault states. When the A- or B-phase
B D Q Watch B-Phase Signal
signal fails, measures to keep on running without any CK Q
at Falling Timing of A-Phase Signal
sudden stops are performed while compensating for the A D-FF3 B-Phase
Judge
Watch B-Phase Signal
failed signal with a normal signal. When both A-and B D Q
at Rising Timing of A-Phase Signal
A-Phase Signal
A CK Q Signal Fault Fault
B-phase signals and Z-phase signal fail, the failed D-FF4
driver system is separated and then the EV continues
running with only the healthy drive system. Hereafter, Fig.10. Circuits to detect A- or B- phase signal fault.
methods to detect various kinds of failed states are
described. A-Phase Signal B-Phase Signal
Fault Occurs t=t1 Fault Occurs t=t3
A-phase A-phase
3.1 Failsafe Control Methods When Speed Sensors B-phase B-phase
Output Signals1
Fail D-FF1
0
1
0
The speed sensor, i.e., the optical rotary encoder D-FF2 1 1
0 0
generates two phase A-and B- signals which have the D-FF3 1 1
0
0
phase difference of 90 degrees mutually. Then, a fault D-FF4 1 1
0
0 t=t2 t=t4
of each signal is detected by monitoring the level status, Detect Fault Detect Fault
i.e., H(1)-level or L(0)-level at both rising and falling (i) When A-phase signal failed (ii) When B-phase signal failed
timings when the level of each signal changes. This is
because the fault should be detected for two rotation Fig.11. Timing charts for explaining A- or B-phase
states, i.e., the clockwise and counterclockwise signal fault detected by circuits shown in Fig.10.
rotations corresponding to two states in which vehicles
move forward and back. Fig.10 shows circuits which
realize this idea. They are composed of four D-type 3. 2 A Method to Detect A- and B-Phase Faults
flip-flops (D-FFs 1-4) and judgments are made based on The fault detection method just cited above assumes
the signals output from the D-FFs as to whether either that the watching signal must be normal in order for the
the A- or B- phase signal failed. In the circuits of Fig.10, fault of the watched signal to be detected certainly.
D-FFs 1 and 2 monitor the A-phase signal fault at the Thus, states in which two A-and B-phase signals failed
rising and falling timings of the B-phase signals, simultaneously cannot be detected. In these situations,
whereas, D-FFs 3 and 4 monitor the B-phase signal
as the speed Zf or Zr of the front or rear wheel failed to
fault at the rising and falling timings of the A-phase
signals. Examples of these circuit operations to detect a be detected, it is given as zero. Using this fact, states
fault can be explained using the timing charts shown in when two phase-signals failed simultaneously can be
Fig.11. When the A-phase signal fails at time t=t1, detected. However, since these also include the state
D-FF1 detects this fault at time t=t2 when the B-phase that the speed becomes zero at the time of wheel locks,
signal falls. On the other hand, when the B-phase signal this state should be separated using the following
fails at time t=t3, the fault is detected by the D-FF 4 at technique. Since the wheel locks occur when braking
time t=t4 when the A-phase signal rises. Here, final operations are performed due to load movement, the
judgment of the fault is done when the output of the state is detected by estimating the slip ratios Sbf, Sbr for
D-FF which detected the fault accords with output of the front and rear wheels which are given by (8) and (9).
another D-FF. In Fig.10, the outputs of the D-FF 1 and
That is, if at least one of the wheel speeds, RxZf or
the D-FF 4 agree with those of D-FF 2 and D-FF 3,
respectively. Here, when the A-and B-phase signals
R xZr becomes zero when the slip ratio increases to
fails, they will become H- or L-level, as shown in
Fig.11. Since the result of the fault judgment strongly nearly one at the time of braking, it is judged that the
affects operations of vehicles, this judgment should be speed is zero due to occurrence of wheel locks. Here,
doubly checked using another technique. Here, (7) is wheel locks can be controlled using the method [5] to
used as another judgment condition based on the fact properly distribute the braking torque to the front and
that the speed difference during the measurement period rear wheels according to the estimated load movement;
this is possible only for the EV with the structural
becomes less than half the speed Z(n) obtained
feature shown in Fig. 1. If the detected wheel speed
correctly at the former time n if either the A- or B-phase becomes zero when the slip ratio lies in the normal
signal fails at time (n+1). range between 0.1 and 0.3 [5], it is judged as the fault.
Here, when the fault of the phase signal and wheel
Z ( n) locks simultaneously occur, the fault is judged from the
Z (n  1)  Z (n) d (7 )
2 controllability of the slip ratio control [5]:

© 2007 WEVA Journal, pp.271 -278

275
 ISSN 2032-6653
The World Electric Vehicle Association Journal, Vol. 1, 2007

( V  RZ f )
Sf
V (8) 4. VERIFICATION OF THE PROPOSED
(V  RZr )
METHODS USING THE PROTOTYPE EV
Sr (9)
V First, experiments are used to study whether the
where V is the car body speed estimated from an methods proposed in Sec.2.1.2 allow a failed current
acceleration sensor and R is tire radius. In this case, sensor to be compensated for using other normal
integrating errors occurring when acquiring V are sensors. Degradation of current sensors is a common
corrected by using the wheel speed obtained in failure. It is judged here to be a current fault by
synchronization with the A and B- phase signals detecting a 30% reduction of the detected current signal
generated from the rotary encoder as an offset value. level. Fig. 13 shows the proposed failsafe drive when
the U-phase current sensor of the front wheel drive
3. 3 A Method to Detect Z-Phase Signal Fault system fails first at time t=t1, and next, the W-phase
The Z-phase signal is generated from the optical current sensor of the same drive system fails at time
rotary encoder every one revolution. The optical rotary t=t2. In the first fault, the experimental result shows that
encoder is generally set on the motor shaft (rotor) of the the failed U-phase current sensor is completely
SM so that the timing when the Z-phase signal is compensated for using the other two current sensors.
generated agrees with the position of the magnetic pole Then, even if the U-phase sensor failed, the front drive
in the rotor of the SM. Thus, the position of the system including the failed current sensor is properly
magnetic pole can be recognized by detecting the operated until the time t1, judging from the produced
Z-phase signal. The rotating angle of the rotor while the front torque. However, after detecting the fault of the
SM makes one revolution is gotten by using a counter other W-phase sensor at time t2, the failed front drive
to count the number of A- and B-phase signals system is separated from the EV drive systems because
generated from the optical rotary encoder while the the failed current sensors cannot be compensated for
Z-phase signal is generated. That is, the period that the using only the normal V-phase current. This is
Z-phase signal is generated corresponds to the value confirmed from the fact that not only the torque
currents Iq1 and Iq2 of the failed phase currents but also
when the counter reaches 2S. Thus, the fault of the the torque current Iq3 of the normal phase current
become zero. After separating the failed system, Fig. 13
Z-phase signal is judged by whether the value T(n) shows that the prototype EV can continue running using
counted by the counter satisfies (10). only the normal rear drive system.
U-Phase Fault W-Pase Fault
t=t1 t=t2
T (n)  2S d 0 (10) Car Speed
Iq2[A] Iq1[A] [Nm] [km/h]
Torque Speed

10
5
3.4 A Method to Compensate for the Failed Phase 0
Rear Torque Front Torque
Signal 30
15
When either the A- or B-phase signal fails, the 0
Detect
compensated phase signal is reproduced based on the 50 W-Phase Fault
25
normal phase signal. Fig.12 shows a compensation 0
50 30%Reduction
method to reproduce a phase signal with the phase
25 in W-Phase
difference of the half period of the normal phase signal. 0 Detect Current
In this case, this period T is determined so that the 50 U-Phase Fault
Iq3[A]

25
phase difference between the normal and reproduced 0
phase signals exists even when arriving at the maximum 0 5 10 15
TIME[s]
speed and it is judged from the position (forward or
reverse) of the shift lever whether the phase between Fig.13. Verification of the proposed failsafe control
the normal and reproduced phase signal is delayed. On methods when the current sensors of the front drive
the other hand, when all A-and B-phase signals and system fail in an experiment using the prototype EV.
Z-phase signal have failed, EVs keep on driving by
separating the fault from the drive systems and using Next, the failsafe effects when the speed sensors fail
only the normal drive system. are verified. Fig.14 shows failsafe drive when the speed
sensor which generates the A-phase signal fails at time
t=t1. Even if the fault of A-phase occurred at time t=t2,
Normal
T the failed A-phase signal is quickly compensated by the
Phase Signal normal B-phase at time t=t2 and then the signal
T/2 equivalent to the failed A-phase one is regenerated. As
Reproduced
a result, both the front and rear wheel drive systems are
Phase Signal normally operated using the reproduced signal and then
the EV keeps on driving without any stops. However,
Fig.12. A compensation method when A- or B- phase when all A-and B-phase signals and the Z-phase signal
signal failed. have failed, the failed drive system is immediately

© 2007 WEVA Journal, pp.271 -278

276
 ISSN 2032-6653
The World Electric Vehicle Association Journal, Vol. 1, 2007

Only the Rear

Normal Runs t1 Wheel Drive
separated from the EV drive systems, as confirmed
Rear Wheel Front Wheel
from Figs.15 and 16. When two or more current sensors 30 Speed Speed

[km/h]
Speed
fail or when all A-and B-phase signals and the Z-phase 15

㩷
signal fail, the failed drive system is immediately 0
separated from the EV drive systems and the EV can 0 5 10
Rear Torque㩷
continue running using only the normal drive system 50

Torque
[Nm]
Front Torque
without any sudden stops. The failsafe drive 25

㩷
performance of this case is confirmed through various 0
0 5 10
experiments as shown in Figs. 17 and 18, and Figs. 19,

Acceleration
Occurrence 㩷

Lateral
3.0

㩷[m/s ]
of Failure

2
and 20 when failing on the front or rear drive system 1.5
side while going straight and cornering using the 0.00
prototype EV, respectively. Here, it is checked through 0 5 10
experiments that yaw rate and lateral acceleration when 㩷

Yaw Rate
30

[deg/s]
generated at the time of cornering are almost the same 15

㩷
as that of normal drives. This excellent safety can be 0
0 5 10 TIME [s]
obtained only by the EV proposed here which has the
failsafe structure. Fig.17. Verification of failsafe control methods when the
front wheel drive system fails while going straight.
A-Phase Signal Fault t=t1
Occurred
t=t2 Compensation Only the Rear
Normal Runs t1 t2
A-Phase

1 Wheel Drive
Front
[km/h]

60
Speed

0 40 Speed
30 Rear Weel Speed Front Wheel Speed
0 0.2 0.6 0.8 20

[Km/h]
0.4
Speed
Rear Speed
TIME[ms] 0
15
B-Phase

1 0 Front 25 50 75

㩷
Detection Torque
[Nm]

0 10 Torque 0
0 0.2 0.4 0.6 0.8
0 5 10 15
0 Rear Torque
TIME[ms] 0 25 50 75 50 Rear Torque 㩷
Torque
Detection

Signal

1
[Nm]

1
Signal

0 25 Front Torque
㩷

0
0 25 50 75
0 0.2 0.4 0.6 TIME[s]
TIME[s] 0
0 5 10 15
Occurrence
Acceleration

Fig.14. Verification of failsafe control methods when 㩷

3.0
Lateral

of Failure
[m/s2]

the A-phase signal failed. 1.5

㩷

0.0
t= t1
Front Wheel Speed Car Speed 0 5 10 15
Obtained from
Front Speed Sensor 㩷
30 Initiatoin of
Yaw Rate

15
[deg/s]
[km/h]

Cornerring
Speed

10 15
㩷

5
0 0
0 5 10 15
TIME[s]
50 Rear Torque
Torque

Fig.18. Verification of failsafe control methods when

[Nm]

25 Front Torque
the front wheel drive system fails while cornering.
0
The fault of the A-
Slip Ratio

1.0 and B- Phase Only the Rear

0.5 Signales Occur Normal Runs t1 Wheel Drive
0.00
-0.5
0 2 4 6 8 10 12 TIME[s]
14 Rear Wheel Speed Front Wheel Speed
30
[km/h]
Speed

Fig.15. Verification of failsafe control methods when the 15

㩷

A- and B-phase signals of the front speed sensor failed. 0

t=t1
0 5 10
40 Rear Torque 㩷 Front Torque
50
Torque
[km/h]
Speed

[Nm]

20
0 25
㩷

0 2 4 6 8 0
Front Torque 0 5 10
Detection Rotor Angle Torque
[Nm]

10
Occurrnce 㩷
Acceleration

5 3 of Failure
Lateral

0 2
[m/s2]

0 2 4 6 8 1
㩷

10
0
[rad]

-1
0 5 10
0 㩷
0 2 4 6 8 30
Yaw Rate
[deg/s]

20
Signal

1.0 Detect Z-Phase 10

㩷

0.5 signal Fault 0

0.0
0 0 5 10 TIME[s]
0 2 4 6 TIME[s]
8

Fig.19. Verification of failsafe control methods when

Fig.16. Verification of failsafe control methods when
the rear wheel drive system failed while going straight.
the Z-phase signal of the front speed sensor failed㧚

© 2007 WEVA Journal, pp.271 -278

277
 ISSN 2032-6653
The World Electric Vehicle Association Journal, Vol. 1, 2007

Only the Rear Independently”, EVS21 (The 21st Worldwide Battery

Normal Runs t1 t2 Wheel Drive Hybrid and Fuel Cell Electric Symposium), April 2-6,
Rear Wheel Speed Front Wheel Speed 2005, Monaco.
30 [7] N. Mutoh, T. Kazama, and K, Takita “Driving
[Km/h]
Speed

15 Characteristics of an Electric Vehicle System With

Independently Driven Front and Rear Wheels,” IEEE
㩷

0 Trans. Ind. Electron., Vol. 53, No. 3, pp. 803-813, 2006.

0 5 10 TIME[s]
Rear Torque
[8] A. EI-Anttaby, L. Xiaogang, R. Martin, “ System
㩷
50 Front Torque Simulation of Fault Conditions in the Components of
Torque
[Nm]

25 Electric Drive System of an Electric Vehicle or an

㩷

0
Induction Drive”, IEEE IECON’93, Nov. 15-19, 1993,
0 5 10 TIME[s]
Maui, HI, Vol. 2, pp.1146-1150.
[9] F. Zidani, M.E.H. Benbouzid, D. Diallo, A. Benchaib,
Acceleration

㩷
3.0 Occurrence “Active Fault-Tolerant Control of Induction Motor
Lateral

[m/s2
]

1.5 of Failure Drives in EV and HEV against Sensor Failure Using A

㩷

0.00 Fuzzy Decision System” International Electric Machines

0 5 10 TIME[s] and Drive Conference 2003 (IEMDC’03), June 1-4,
Start to 㩷 2003, Madison, WI, Vol. 2, pp.677-683.
Yaw Rate

20 Corner [10] Y-S. Jeong, S-K. Sul. S.E. Schultz, N.R. Patel, “Fault
[deg/s]

Detection and Fault-Tolerant Control of Interior

㩷

0 Permanent-Magnet Motor Drive System”, IEEE Trans.

0 5 10 TIME[s] on IA, Vol. 41. No. 1, 2005, pp.46-51.
㩷 [11] N. Mutoh, M. Ryoso, T. Omae, S. Obara, S. Naito,
“Failure Detection Method for Electric Vehicle and
Fig.20. Verification of failsafe control methods when Fail-Safe Control Method Using This Method”, US
the rear wheel drive system fails while cornering. Patent No. 5,357,181.

5. CONCLUSION
ACKNOWLEDGEMENT
This paper described the failsafe control methods
suitable for the EV with the structure driven by the The authors thank Mr. Yoshiaki Miyamoto for his
front and rear wheels independently. The proposed cooperation in the simulations and experiments.
failsafe control methods: (1) compensated for the
function lost due to failure using the healthy parts; (2) BIOGRAPHIES
avoided loss of driving performance when partial
failure occurs; and (3) avoided unexpected sudden stops
Nobuyoshi Mutoh received the Ph.D. degree in
when complete failure occurs. When completely failed,
engineering from Waseda University, Tokyo,
the failed drive system was separated from the EV drive
Japan in 1991. He completed the first half of the
systems, the EV continues running with only the
Ph.D. degree from the Science and Engineering
healthy front or rear wheel drive system by making full
Research Division, Graduate School, Waseda
use of the failsafe structure. Effectiveness of the
University, in March 1975. He is currently a
proposed methods was verified through various
professor with Department of Systems Design,
experiments using the prototype EV.
Graduate School, Tokyo Metropolitan University,
Tokyo, Japan. His major fields are advanced ECO machine control
REFERENCES systems such as EVs, PV, wind power and fuel cells, and EMC/EMI
control regarding power electronics. He is an IEEE Senior Member
[1] G.G. Karady, A, R. Hobbs, D. Karner, “Electric Vehicle
Fault Protection”, Proceedings of International and Professor Engineer (Electric and Electronics) in Japan. He is an
Conference: High Technology in Power Industry, Associate Editor of the IEEE Transaction on Industrial Electronics.
IASTED, June 4-8, 1966, Banff, Alberta, Canada,
pp.235-238.
[2] A. Manzone, A. Pincetti, D. De Costantini, “Fault Yoshiki Tomita is currently working towards the
Tolerant Automotive Systems: An Overview”,
Proceedings of One-Line Testing Workshop, July 9-11, M.S degree in the Development of Intelligent
2001, Taormina, Italy, pp.117-121. Systems, Tokyo Metropolitan University, Tokyo,
[3] N. Mutoh, A. Higashikubo, “Electric Vehicle System Japan. His area of research is advanced EV
Independently Driving Front and Rear Wheels,”, 28th control systems.
Annual Conference of IEEE Industrial Electronics
Society (IECO n,
[4] N. Mutoh, Y. Miyamoto, T. Horigome, K. Takita,
“Driving Characteristics of an Electric Vehicle System
with Independently Driven Front and Rear Wheels,”,
IEEE IECON 03, CD-ROM, Nov. 2-6, 2003, Roanoke,
VA.
[5] N. Mutoh, H. Yahagi “Methods to Control Wheel Locks
and Wheel Spins for Electric Vehicles with the Structure
Having Independently Driven Front and Rear Wheels,”
IEEE IAS 2006, CD-ROM, Oct. 8-12, 2006, Tampa,
Florida.
[6] N. Mutoh, T. S. Lee, Y. Hayano, S. Muroi, “Electric
Vehicle with Front and Rear Wheels Driven

© 2007 WEVA Journal, pp.271 -278

278