There are many applications where the ODrive is used where the various
communications channels (USB, UART, etc.) are used to dynamically control the
controller settings, such as setting the desired velocity of the motor based on
some sort of external control.
This presents an issue in situations where the communication channel between the
ODrive and the external controller becomes interrupted either due to a crash on
the external controller or a disconnection of the communication wiring.
Currently, in such a case, the ODrive continues on its last configured
instruction. Depending on what’s connected to it, this can cause a host of
issues such as a vehicle running at full speed into a wall or person.
One way to help with this issue is to implement some sort of communication
watchdog for the ODrive motor control classes. This watchdog system would
prevent the Controller class from driving the motor MOSFETs if a property has
not been changed for longer than a specified interval. Setting a property on the
Controller class would act as a reset to the watchdog and allow the Controller
class to again control the motors.
The way I see this working is as follows:
1. A new property watchdog_timeout is added to each axis. This property
   specifies the watchdog timeout, in seconds, for this axis. If the watchdog
   has not been fed for a time exceeding this timeout, then the motor is
   disarmed and not driven. The value of this property would be saved in
   non-volatile memory. Setting a value of 0 for watchdog_timeout will
   disable this watchdog.
2. A new property watchdog_feed is added to each axis. Writing any value to
   this property will reset the watchdog interval and allow the motor to be
3. External control loops will write the watchdog_feed property after setting
   or updating any setpoints or other parameters of the axis. If the external
   controller crashes or otherwise ceases communication, then the
   watchdog_feed property will not be written and the axis will eventually
   transition into safe mode until the watchdog is fed again.
I’d appreciate any thoughts on this subject. Would there be a better way to add
fail-safe functionality to the communication channels? Is this something that could be
considered for inclusion into the default firmware for the ODrive?
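
The watchdog behaviour proposed in the post above, as an added sketch that is not part of the original post and is not ODrive firmware code. The class and function names, the millisecond tick counter, and the choice to stay disarmed until the first feed are assumptions.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical per-axis communication watchdog; all names are assumptions.
class AxisWatchdog {
public:
    explicit AxisWatchdog(float timeout_s) { set_timeout(timeout_s); }

    // watchdog_timeout in seconds; 0 disables the watchdog, as the post proposes.
    void set_timeout(float timeout_s) {
        enabled_ = timeout_s > 0.0f;
        float ms = timeout_s * 1000.0f;
        timeout_ms_ = !enabled_ ? 0u
                    : (ms >= 2147483648.0f ? 0x7FFFFFFFu : static_cast<uint32_t>(ms));
    }

    // Called when the host writes watchdog_feed; re-arms a tripped axis.
    void feed(uint32_t now_ms) { last_feed_ms_ = now_ms; fed_ = true; tripped_ = false; }

    // Called on every control-loop tick; true means the motor may be driven.
    bool update(uint32_t now_ms) {
        if (!enabled_) return true;
        if (!fed_) return false;  // assumption: stay disarmed until the first feed
        // Unsigned subtraction stays correct when the tick counter wraps around.
        if (now_ms - last_feed_ms_ > timeout_ms_) tripped_ = true;  // latched until fed
        return !tripped_;
    }

private:
    bool enabled_ = false, fed_ = false, tripped_ = false;
    uint32_t timeout_ms_ = 0, last_feed_ms_ = 0;
};

// Constructed scenario: the host feeds every feed_period_ms until it crashes at
// crash_ms. Returns the 1 kHz tick at which the axis disarms, or -1 if it never does.
long first_disarm_ms(float timeout_s, uint32_t feed_period_ms,
                     uint32_t crash_ms, uint32_t end_ms) {
    AxisWatchdog wd(timeout_s);
    for (uint32_t t = 0; t <= end_ms; ++t) {
        if (t < crash_ms && t % feed_period_ms == 0) wd.feed(t);
        if (!wd.update(t)) return static_cast<long>(t);
    }
    return -1;
}

int main() {
    std::printf("disarmed at t=%ld ms\n", first_disarm_ms(0.25f, 100, 1000, 5000));
    return 0;
}
```

The trip is latched so that a long silence cannot look "fresh" again once the tick counter wraps; only a new feed re-arms the axis.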