The BSPD is the electric car's fail-safe of last resort — a hard-wired analog circuit that opens the tractive system shutdown loop if the driver simultaneously commands hard braking and high motor power, the signature of a runaway throttle or panic input. No microcontroller, no firmware, no software — FSAE rules forbid programmable logic on this device. Every gate is a discrete IC, every delay is an RC time constant.
The Braking System Plausibility Device is mandated by FSAE Electric rule EV.5.7. It exists to catch a single, dangerous condition: the driver pressing the brake pedal hard while the motor is still drawing significant power. That combination is either a stuck throttle, a sensor fault, or a panicked driver — and in any of the three cases, the correct response is to open the tractive system shutdown circuit and keep it open.
Completely non-programmable. Microcontrollers, FPGAs, and software-defined logic are prohibited. The device must be built from discrete components or fixed-function ICs only — deterministic reliability, zero boot-up latency.
Because the rule forbids code, the entire signal chain is built from automotive-friendly CMOS logic and precision analog timers running on the vehicle's 12 V GLV bus. Each block in the chain does one specific job, hard-wired to its neighbors.
The system monitors the 5 V signals from the brake pedal sensor and the motor current sensor (e.g. the DHAB S/118). OP07 op-amps wired as comparators check each sensor voltage against a fixed reference: around 1.0 V for the hard-brake threshold, and a separately calibrated reference for the 5 kW motor-draw threshold. Two details are worth checking on the bench. First, the sensor reports current, not power, so the 5 kW reference has to be derived from the current drawn at the highest tractive voltage the pack can present; calibrated at a lower voltage, the device trips late at full charge. Second, an op-amp used as a comparator has no hysteresis, so a sensor sitting near its reference will chatter, and it is the persistence timer downstream that keeps that chatter from reaching the latch.
The comparator outputs feed standard CD4000-series CMOS gates, the CD4001 NOR and CD4071 OR, to evaluate the AND condition. With the CD4069UB inverters in the chain this is just De Morgan's identity, A AND B = NOT(NOT A OR NOT B): a NOR gate fed with the two inverted comparator outputs is the AND. Discrete logic instead of programmable means the propagation delay is tens of nanoseconds at 12 V and the behavior is fully characterized by the datasheet.
Instead of a microcontroller-driven timer, an NE555 in inverting Schmitt-trigger configuration (threshold and trigger pins tied together on the RC node) watches the logic output. While the fault is asserted the capacitor charges through R toward the rail; when it crosses 2/3 of the supply the 555 output switches, so the delay from fault to trip is RC·ln 3, the familiar 1.1 RC. If the fault clears first, the capacitor discharges back through R and the timer never fires. The RC values are chosen so the fault must persist for roughly 475 ms before the timer fires, comfortably inside the 500 ms rule but long enough to ignore transient noise.
When the timer fires it sets an SR latch built from discrete gates. The latch's output drives a MOSFET which opens the K1 relay, physically breaking the tractive system shutdown loop. Because the latch only resets on a manual power cycle, the fault is sticky by construction. One check on the output stage: for the device to fail safe, K1 should be held closed only while the latch is untripped and the 12 V rail is present, so that a lost GLV supply or an open coil wire also opens the shutdown loop rather than leaving it closed.
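To make the chain's timing and latching behaviour concrete, here is a behavioural model of it in Python. This is an added example, not the team's circuit or any code from the project: the 12 V supply, the comparator references, the 4.3 kΩ / 100 µF timing pair and the sample pedal and current-sensor voltages are assumptions chosen to match the numbers in the text, and the current-sensor scaling is assumed to be unipolar 0 to 5 V. It models the comparators, the AND stage, the RC network gating the 555's Schmitt thresholds and the sticky latch, and shows that a 300 ms fault is ignored while a sustained one trips and stays tripped until a manual reset.

```python
"""Behavioural model of the BSPD shutdown chain (added example, not the
team's circuit). Values marked 'assumed' are illustrative choices."""
from dataclasses import dataclass

VCC = 12.0              # GLV rail the timer runs from (V)
BRAKE_THRESH_V = 1.0    # hard-brake comparator reference (V), from the text
POWER_THRESH_V = 2.5    # assumed sensor voltage equivalent to a 5 kW draw
R_OHMS = 4.3e3          # assumed timing resistor
C_FARADS = 100e-6       # assumed timing capacitor: RC*ln(3) is about 0.47 s


@dataclass
class BSPD:
    v_cap: float = 0.0        # voltage on the 555 threshold/trigger node
    timer_out: bool = False   # 555 output, True once it has fired
    latched: bool = False     # SR latch state, True means K1 is open

    def step(self, dt, brake_v, current_v):
        """Advance the model by dt seconds with the given sensor voltages."""
        # OP07 comparators: each sensor against its fixed reference
        hard_brake = brake_v > BRAKE_THRESH_V
        high_power = current_v > POWER_THRESH_V
        fault = hard_brake and high_power           # the NOR/OR AND stage
        # RC network on the 555 input: charges toward VCC while the fault is
        # asserted, discharges toward 0 V when it clears (Euler step)
        target = VCC if fault else 0.0
        self.v_cap += dt * (target - self.v_cap) / (R_OHMS * C_FARADS)
        # 555 as an inverting Schmitt trigger: fires at 2/3 VCC, releases at 1/3
        if self.v_cap >= 2 * VCC / 3:
            self.timer_out = True
        elif self.v_cap <= VCC / 3:
            self.timer_out = False
        # SR latch: set by the timer, cleared only by reset()
        if self.timer_out:
            self.latched = True
        return self.latched

    def reset(self):
        """Manual power cycle, the only thing that clears the latch."""
        self.v_cap = 0.0
        self.timer_out = False
        self.latched = False


def run_pulse(brake_v, current_v, duration_s, dt=1e-3, tail_s=1.0):
    """Hold the given sensor voltages for duration_s, then release both
    inputs for tail_s. Returns (tripped during pulse, still tripped after)."""
    dev = BSPD()
    for _ in range(int(round(duration_s / dt))):
        dev.step(dt, brake_v, current_v)
    tripped = dev.latched
    for _ in range(int(round(tail_s / dt))):
        dev.step(dt, 0.0, 0.0)
    return tripped, dev.latched


def trip_time_s(dt=1e-3, max_s=2.0):
    """Seconds a sustained brake+power fault must persist before K1 opens."""
    dev = BSPD()
    t = 0.0
    while t < max_s:
        if dev.step(dt, brake_v=1.5, current_v=3.0):
            return t
        t += dt
    return None


if __name__ == "__main__":
    print("trip after sustained fault:", trip_time_s())
    print("300 ms fault:", run_pulse(1.5, 3.0, 0.3))
    print("600 ms fault:", run_pulse(1.5, 3.0, 0.6))
    print("brake only  :", run_pulse(1.5, 0.0, 1.0))
```

The model returns a trip time of about 0.47 s for a sustained fault, ignores a 300 ms pulse, and keeps the latch set after a 600 ms fault is removed; only `reset()` clears it. Brake-only and power-only inputs never trip, which is the plausibility check the rule asks for.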
| Role | Part | What it does |
|---|---|---|
| Current sensor | DHAB S/118 | Provides 5 V signal proportional to motor current draw |
| Comparator | OP07 op-amp | Compares sensor inputs against fixed reference voltages |
| Logic · NOR | CD4001 | Quad NOR gate, evaluates the AND of brake and motor conditions |
| Logic · OR | CD4071 | Quad OR gate, signal combination |
| Inverter | CD4069UB | Hex inverter; required pull-down resistors in our wiring (see §04) |
| Delay timer | NE555 | Inverting Schmitt-trigger; sets the ~475 ms RC delay |
| Output stage | MOSFET → Relay K1 | Physically opens the tractive system shutdown loop on fault |
Physical validation on the breadboards turned out to be a deep dive into analog hardware physics — far more interesting than the simulation phase. The toolchain was LTspice for circuit modeling, the Analog Discovery 3 for real-time signal capture, and a lot of probing.
Early testing showed erratic voltage spikes and abnormally slow signal decay on the CD4069UB inverter outputs.
Traced to floating input gates on the CD4069UB inverters: reverse-biased blocking diodes upstream were leaving the gate capacitance with no discharge path, so trapped charge was bleeding out unpredictably through the next stage. Fixed with physical pull-down resistors on every inverter input, giving the gate capacitance a defined path to ground. Standard CMOS hygiene, easy to miss until the scope tells you about it. The same rule applies to every unused gate input on the CD4000 parts: tie it to VDD or VSS, because a floating CMOS input can drift into the linear region, where the part draws supply current and switches unpredictably.
The NE555 delays diverged wildly from theory. Breadboard tests with 220 kΩ and 100 kΩ timing resistors produced delays of over 1.1 s in one run, then 486 ms or 342 ms in another, never the value the RC math predicted.
Methodical scope probing on the timing node revealed the real culprit: a three-way tug-of-war between (a) parasitic leakage through the breadboard rails, (b) leakage in the polarized electrolytic timing caps we were using (commonly specified on the order of 0.01·C·V), and (c) the NE555's own threshold-pin input current (a fraction of a microamp). With high-value resistors the charge current through R is tiny, around 18 µA for 220 kΩ once the node sits near the 8 V trip point on a 12 V rail, so the leakage paths could meaningfully fight it: sometimes draining the cap faster than the resistor could fill it, sometimes letting it charge through unexpected paths.
We pivoted to stiffer RC combinations: lower resistance (4.3 kΩ, 47 kΩ) paired with higher capacitance (10 µF up to 100 µF). The lower R drives the timing node with enough current (nearly a milliamp for 4.3 kΩ) to completely overpower the parasitic leakage, restoring predictable RC behavior; 4.3 kΩ with 100 µF gives an ideal 1.1·RC of about 473 ms. Final breadboard delay locked in just under the 500 ms legal limit. The trade is that a 100 µF electrolytic typically carries a ±20 % tolerance plus its own leakage, so the capacitor now dominates the error budget and the delay on each built board still has to be measured rather than assumed.
On a breadboard, ideal RC math is a starting point, not an answer. If you can't make the parasitics negligible, make them irrelevant.
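The tug-of-war above can be put in numbers. The following Python model is an added example, not the team's analysis: it lumps breadboard leakage, capacitor leakage and the 555's threshold-pin current into a single assumed resistance from the timing node to ground, which real leakage is not (it is neither linear nor constant), so the figures are estimates; the 2.2 µF paired with 220 kΩ and the 400 kΩ / 500 kΩ leakage values are also assumptions. It reproduces the pattern seen on the bench: with 220 kΩ the delay stretches past a second or the cap never reaches threshold at all, while the 4.3 kΩ / 100 µF pair lands within a percent of the textbook value. It also serves the delay formula quoted earlier, since the ideal case reduces to RC·ln 3 ≈ 1.1 RC.

```python
"""555 timing-node leakage model (added example, not the team's analysis).
Leakage is lumped into one assumed resistor from the timing node to ground."""
import math

VCC = 12.0                 # GLV rail (V)
V_THRESH = 2 * VCC / 3     # 555 threshold-pin trip point (V)
RULE_LIMIT_S = 0.5         # FSAE 500 ms response limit from the text


def delay_with_leakage(r_ohms, c_farads, r_leak_ohms=math.inf):
    """Seconds for the cap to charge from 0 V to 2/3 VCC through r_ohms with
    r_leak_ohms shunting it. None means the leakage drags the final node
    voltage below threshold, so the timer never fires."""
    if math.isinf(r_leak_ohms):
        return r_ohms * c_farads * math.log(3)   # textbook ~1.1 RC
    # Thevenin view of R + R_leak: the node charges toward v_final
    # with time constant (R || R_leak) * C
    v_final = VCC * r_leak_ohms / (r_ohms + r_leak_ohms)
    if v_final <= V_THRESH:
        return None
    r_par = r_ohms * r_leak_ohms / (r_ohms + r_leak_ohms)
    return r_par * c_farads * math.log(v_final / (v_final - V_THRESH))


def charge_current_ua(r_ohms, v_node=V_THRESH):
    """Current through R as the node nears threshold (microamps); this is
    what has to overpower the leakage paths."""
    return (VCC - v_node) / r_ohms * 1e6


def leakage_error_pct(r_ohms, c_farads, r_leak_ohms):
    """Percent by which leakage stretches the delay, or None if it never fires."""
    ideal = delay_with_leakage(r_ohms, c_farads)
    actual = delay_with_leakage(r_ohms, c_farads, r_leak_ohms)
    if actual is None:
        return None
    return (actual - ideal) / ideal * 100.0


def resistor_for_delay(target_s, c_farads):
    """Timing resistor that gives target_s with an ideal cap of c_farads."""
    return target_s / (c_farads * math.log(3))


def passes_rule(delay_s):
    """True if the device trips within the 500 ms limit."""
    return delay_s is not None and delay_s <= RULE_LIMIT_S


if __name__ == "__main__":
    cases = [  # (label, R, C, assumed lumped leakage resistance)
        ("220k / 2.2u, clean",     220e3, 2.2e-6, math.inf),
        ("220k / 2.2u, 500k leak", 220e3, 2.2e-6, 500e3),
        ("220k / 2.2u, 400k leak", 220e3, 2.2e-6, 400e3),
        ("4.3k / 100u, clean",     4.3e3, 100e-6, math.inf),
        ("4.3k / 100u, 500k leak", 4.3e3, 100e-6, 500e3),
    ]
    for label, r, c, leak in cases:
        d = delay_with_leakage(r, c, leak)
        shown = "never fires" if d is None else f"{d * 1e3:7.1f} ms"
        print(f"{label:24s} {shown}  I_charge={charge_current_ua(r):7.1f} uA"
              f"  rule={'pass' if passes_rule(d) else 'FAIL'}")
```

The point of the model is the ratio between the charging current and the leakage current, not the absolute leakage figure: at 220 kΩ the cap sees about 18 µA near threshold and a few hundred kilohms of shunt is enough to double the delay or stop it altogether, while at 4.3 kΩ the same shunt moves the delay by under one percent. `resistor_for_delay` gives the starting value for the re-tune on the PCB; the measured delay still has to be checked against `passes_rule` on every board.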
The breadboard phase successfully proved every logic block and the full shutdown chain. Compared to the RC-only fault detection used on the 2024 vehicle, this revision cut random hardware failures by roughly 70% and false triggers by roughly 90%. The fault path latches reliably, the manual reset behaves correctly, and the timing sits comfortably under the FSAE 500 ms response limit.
The breadboard isn't going on the car. The next step is migrating the validated schematic into Altium and producing a real PCB — solid 12 V and ground planes, controlled-impedance signal traces, properly decoupled rails.
Moving to a real board eliminates the breadboard's contact resistance and the parasitic capacitance and leakage between adjacent rails — the same physics that drove BUG-02. The node to treat with the most care is the 555 timing node: keep it short, away from the 12 V plane, and on a low-leakage capacitor, since that is where the breadboard leakage showed up. The PCB should behave very close to the LTspice model, finally.
Once the first board is in hand and behaving cleanly, I'll re-tune the RC values to land the delay in the 400 – 475 ms sweet spot — well inside the 500 ms rule, with enough margin to guarantee a clean pass at E-Tech inspection.
Final mounting and integration into the vehicle's high-voltage shutdown loop happens alongside the rest of the 2026 electrical subsystem bring-up with Dallas Formula Racing.
The most useful lesson from this project was learning to trust the scope over the math on real hardware. The RC tug-of-war bug looked like a calculation error for a while — the resistors and caps were right, the formula was right, the delays were still wrong. Once we accepted that the physics on the breadboard didn't match the physics in the textbook, the fix was obvious within an hour. Calibrated skepticism of your simulation is a real engineering tool.
The other thing I'll carry forward is how much of safety-critical design is just removing degrees of freedom. The rule banning code on this device isn't there because engineers don't trust microcontrollers — it's there because adding software adds failure modes that are hard to bound. Building inside hard constraints made every part of this circuit easier to reason about.