Computerized engine controller

[rbodell]

since the software is only as reliable as the operating system, I hope you are using something besides microsoft LOL.

[mobile_bob]

having slept on this subject and giving a bit more thought to it today i thought i would post a couple of observations

when you look at automated commercial generators (the big boys) you find they generally do not control all facets of operation
from one controller, usually there is an autostart module, an electronic govenor, frequency sync if there are more than one installed
etc. Each having their own dedicated sensors and controlling specific actuators, relays, contactors etc.

one wonders why they do it that way? certainly they have the wherewithall to integrate into one controller?

likely it is done this way as a redundant failsafe method, should one part of the system fail other parts can control the engine and shut
it down if necessary.

so then the question becomes, why not follow the leaders in this reqard?
why not split the functions onto seperate controllers, beit microcontrollers( pic, stamps, plc, etc) that way there is redundancy of safety
built in. the down side is a few more parts,, but they are dirt cheap to start with in the case of pic's and stamps.

another thought would be to use some form of master controller, whose function is to simply enable a start command and send it to a
slave controller whose function is to do the start up sequence and report back when the engine is running
the master could then enable another slave controller whose function is switching in a generator and then apply loads etc.

the master would have ample time to do nothing but monitor for out of parameter conditions like overspeed, over temp, low oil etc.
and initiate an emergency shutdown of its own accord.

each slave could also have its own set of parameters that would trip the emergency shutdown sequence.

with a master, and the two aforementioned slaves all having access to the emergency shutdown of the engine, the
likelyhood of all controllers loosing control and failing to shutdown the engine would be dramatically reduced.

sort of follows pc archetecture in a way, it ressembles the ibm ps2 microchannel system with its buss master controllers
where the main processor released control to a buss master video card or a buss master scsi drive controller.

in my opinion the resultant coding is steamlined which in the end makes for less debugging and changes to one controller have
no effect on the function of another

going back about 25 year or so, i worked for an oil field fracturing company with detroits from hell
these were powered by the lowly 12v71 all the way to 12v149's and many 16v92's between
all were hotrodded to around 2700rpm, custom injectors, no exhaust etc. most were developing well over twice the
design hp that detroit had intended.

they all were plc controlled, with seperate controllers doing specific duty, engine startup, electronic governor , etc.
they used linear actuators as well and also were fitted with the blower air shutdown systems (which were deleted on the turbo
engines on oem engines)
faults from loss of govenor control would would trigger shutdown, faults from other plc controller would trigger shutdown
and on top of that were the mechanical murphy switch guages as another layer of emergency shutdown.

so where am i going with all this?

first of all i would recommend placing all the shutdown elements such as fuel rack, decompressor, fuel shutoff and most especially an air intake
shutoff on a single buss

second i would allow access (to this buss) from at least one master controller "AND" a slave controller (electronic govenor) "AND" a slave controller (engine startup)
and also from any other mechanical overrides, switches, murphy guages etc.

all shutdown elements would default to shutdown if there is a loss of power to any controller "and" to any shutdown element,  this is very important
and is sound engineering practice.

just my thinking, yours may vary

bob g

[adhall]

I've been involved with starting up, troubleshooting, and designing hardwired relay, PLC, and embedded controller systems for over 30 years. I have seen what can go wrong when safety related functions are implemented in a control program. In one case, a AGV (automatic guided vehicle) carrying a 4000 lb load ran off it's guide path and crashed through a cinder block wall when the controller malfunctioned. In another instanced, a IBM-PC based positioning system very nearly destroyed a wing assembly on a Boeing airliner when the controller locked up and didn't respond to end of travel switches. The common thread in both cases was that all the operator controls and safety switches were treated as inputs to the controller and the controller had responsibility for dealing with them. When the controller locked up, the operator controls and the safety switches all quit working--with serious results.

Because of these experiences, I prefer to see safety related functions implemented in seperate and independent systems with the controller acting only in a supervisory role. As much as possible, I like to see these systems implemented in hardware rather than software and I like them to be designed "fail safe" wherever possible.

Best regards,
Andy Hall

[Doug]

Bob's taling about Murphy switches, seen them beofre on mobile equipemnt to shut down the engine and lock out functions when things get wierd. Pain in the ass when Mobile's wiring intersects mine and causes things not on my prints to happen but they are electro mechanical hard wired into estops and safety pulls and work very reliably.

Andrew's comments about programed "safety" also strikes a cord. I recall a crane that had three independent controls that would trolley hoist and bridge. Since none of these actualy talked to each other and all the limmits and decell points were programmed I watched in horror one day as 10 tons of molten iron in a bull ladel ran into the melt deck control room. Lesson learned the final limmits should be power limmits that kill everything and when  computer takes a nap or develops alzheimers the other processors involved in the functions should detect a fault and stop before the power limmits ever have to come into play.

Stead fasts on conveyors are another things I hate. For what ever reason people are too lazy to take a walk and look for aflag to reset when  belt trips doesn't strike me as a reason to not kill all the control power the instant a safety drops out.

Last and probvaly the most amusing one I ever say was a SLC 500 in a machine that stacked windshields and wrapped them up. What ever combination or blown open bits ( or stripped gears in its coo coo clock syncronized with all thats right and good in hell ) in its memory related to B3 files or registers lined up the thing would hurl a piece of glass rather than stack it. I lost a lot of faith in PLC from that experience because there was no hard wired solution that would stop a palitizer form dropping a load as it spun.
Teh KB penta drive's electronics would also drift with the heat and increase the film force untill it crushed glass in the hotter months too.

These were all things no one could plan for or would plan for because of faith in bits and bites.

Doug 

[mobile_bob]

personally i like a blend of technologies, stone age mechanical and space age electronic

from what i am reading here one would think that the two could be blended in such a way
so that each can do what they are truely good at, reliably
and each can do what the other is not well suited to or easily implemented.

for instance
autostart, with a glowplug preheat, engage starter for a determined time, rest period and retry, etc.

electronic governor to bias the mechanical one seems more than prudent, and should be safe

these functions would appear to be better served by electronic means

on the other hand...

emergency shutdown caused  high temp/low oil pressure, out of spec rpm (runaway) etc.
might be better served from a safety standpoint by stoneage/mechanical means.

we see electromechanical controls everyday that work flawlessly, from the thermocouple pilot light on the gas drier,hot water tank and furnace
these work in millions of homes and have for years with little or no maintenance.

we see many standby gensets at hospitals and other institutions that have something less than optimal supervision, they work or folks die
don't here of many folks dieing on the operating table because of a malfunction.

boilers which have the ability to destroy whole buildings have multiple layers of controls that seem to also work quite well.

and the list goes on.

so basically i see no reason that the automated engine/generator cannot be made every bit as safe if one takes a que from these other
systems. but...

as stated by others, shortcuts, poor engineering or implimentation will likely lead to failure and possibly injury.

so the DIY'er should take heed and learn from others failures, even well engineered systems are sometimes shortcutted and
the results can be catastrophic.

i would suspect the automated vehicle, molten iron crucible, glass transfer and others sited, upon close investigation were
routed in some faulty implimentation, bugs in the code, or some other cost cutting measure.

i don't know,, but it would seem we are not talking rocket science here,, or are we?

bob g

[rbodell]

just a thought here, We buy an engine built so simple and heavy it will most likely outlive most of us even if we didn't shut it off. There is almost nothing to break on it. It's hand crank so there is no need for a battery or starter. It uses a barrel fo water for cooling so there is no need for a radiator or water pump to break down. Some of them don't even have an oil pump. Of course the downside is that we need regular attention to water and oil levels, vibration, temperature etc. 

Then we add sensors, chips, power supplies, starters, generators, water pumps etc, all designed to break down at the most inopertune moment so we can walk away and ignore them.

[rmchambers]

It's pretty funny isn't it.

For the folks that want a backup generator it's not worth the bother for the little amount that it will be used for but for those that are building an off-grid solution of which the low speed diesel is a key player then I can see why they'd want to protect that piece of the puzzle with every tool they had available.

RC

[Andre Blanchard]

Here is a simple way to let the gov. return back to some slow speed even if the stepper motor can not be moved.
There will need to be some startup procedure where the stepper is moved all the way to the slow end to pick up the end of the spring.

Also there should be more then one independent switch in series supplying power to the magnet.  Remember that a very common failure mode for a MOSFET is to short and not be able to turn off.  As a last resort you can have a crowbar circuit to blow the fuse supplying power to the magnet.

[rmchambers]

Andre,
   You need to find a better supplier for your springs mate!   

[Andre Blanchard]

That one has been recycled a few times.

[mjn]

I appreciate everybody's comments here.  This project is far from finished.  As things progress I'll be incorporating your suggestions.

I agree with Bob that the optimum design is probably a hybrid which involves the classic "murphy switches" and computer control. Even though this controller may not represent the best form of protection, it is far better than what this engine came with (nothing). 

I think one of the reasons for the general hatred of computer controls is the dreaded "black box".  The good old discrete components could be traced, analyzed and repaired, but when the computers came in, you no longer could fix the problem yourself.  There are few things that I dislike more than being dependent upon somebody else to solve my own problems.  That is why I have a generator in the first place.  I don't want to rely on the power company to keep the food in my freezer from turning into mush.

It is for this reason that I am being fully open with my system.  I don't expect anybody to ever build an identical copy of this, but if they ever want to build their own, they have all of my design available as a reference.

For those people who don't find joy in building a computer controller by hand, I suggest the murphy ASM150 which is a computer (gasp..) controller which provides basic start/stop and protection. http://www.fwmurphy.com/products/genset_controls/asm150.htm

Regards,
Martin

[mjn]

Here is how the stepper motor links up with the governor spring.  It is almost as if this stepper assembly was custom designed for this application.  The wires are a total mess at this point because in order to change the programming on the controller, I have to disconnect everything from the engine and take it back into the house.  Eventually, I will tidy this all up



It is a little dark, but you can see where the stock speed lever has been disconnected, and the spring hooked onto the stepper post.

 

Here is the view from the other side.  You can see the screw with limit switches at both ends and the governor spring in the 1800 rpm run position.

--
Martin

Here is a 26 second video showing the controller starting the engine http://video.google.com/videoplay?docid=4096640855777707869.  Here is the sequence of events:

• Off screen, I turn the switch from "manual" to "automatic".
• The stepper moves all the way back to the zero position.  At the same time the glow plug relay energizes.   
• As soon as the glow plug timer expires (about the same time as the stepper getting to zero) the glow plug relay is turned off and the engine starts cranking with the decompression relay energized.
• Simultaneously, the speed control moves towards the "start" position (set for about 1000 rpm).
• As soon as the RPM exceeds the minimum crank speed, the decompression relay is turned off.
• Once the engine rpm exceeds the "start RPM" limit, the starter is disengaged and the controller enters a brief delay for oil pressure to exceed the minimum.  If oil pressure does not rise within a fixed amount of time, the engine will shut down.
• The engine is allowed to warm up at 1000 rpm for 10 seconds.  For the final version this warmup will wait for the water temperature to reach a minimum value before continuing.  For debugging purposes I didn't want to wait that long.
• Control of the engine rpm is then passed to the "PID controller" which calls for a big bump in speed.  You can see the speed overshoot and the controller back off and then back on a bit.  I'm still working on eliminating the overshoot.

Here is a 21 second video showing the engine stop sequence.  http://video.google.com/videoplay?docid=5327822853975211849

• Off screen, I turn the switch from "automatic" back to "manual"
• The stepper moves toward zero.
• The controller waits for RPM to reach zero, and for oil pressure to drop below the minimum.
• The stepper moves back to the 1800rpm run position in preparation for manual operation

[Doug]

I posted a part number for a very cheap off the shelf current relay that could be used to energize a solinoid to increase the govener spring presure at high loads

Airotronics current sensor part number CS*10H001C020A

http://www.airotronics.com/site/category_currentsensors.php

This one has an adjustable current threshold up to 20 Amps, a 1 second delay and opperates a 10 amp rated set of contacts. I use then for an over current sensor on a machine so sence it was pulling a film of plastic wrap to hard against a product.

[mobile_bob]

Martin:

looks good, i like it!

keep up the good work

bob g

[mobile_bob]

Doug:

thanks so much for the link to the current sensor, i needed that!

bob g