Functional Safety Requirements For Battery Management Systems in Electric Cars
• To monitor the state of the battery and to calculate secondary data (SOC, SOH, etc.)
• To report / communicate battery data (To a vehicle control unit / the driver)
Source: www.mpoweruk.com
Safety Purpose of a BMS: To maintain SOA
(Figure: safe operating area (SOA) diagram; source: www.mpoweruk.com)
Short Intro - What is Functional Safety (FS)?
• If the effect of a failure cannot be avoided, FS at least tries to detect it and to inform about it
(Slide illustration: flat tyre example)
ISO 26262 Road vehicles — Functional safety
• 26262 is a standard for handling the functional safety of electrical/electronic circuits in cars, i.e. how
to avoid or react to system failure – for cars driving on public roads (not for golf carts etc.)
• 26262 defines requirements for management, development, production, operation, service, and
decommissioning (the whole life cycle)
• 26262 requires that the fulfilment of all requirements is proven (documented, reviewed,
verified/validated)
• 26262 requires that potential failures are analyzed, and risks specified and quantified
• 26262 defines maximum values for error likelihood depending on the potential effect of
errors/hazards, rated by exposure, controllability, and severity: ASIL A to ASIL D (below that: QM)
• 26262 deals with the reaction to system failure, whereas the newer standard ISO/PAS 21448: Road
Vehicles — Safety of the Intended Functionality (SOTIF) (Jan 2019), aimed at the safety of automated
vehicles (AV), deals with hazards that occur without an (actual) system failure.
ISO 26262 Management of Functional safety
BMS Concept Phase: ITEM Definition (DRAFT)
BMS Concept Phase: ITEM Definition
BMS Concept Phase: Functional concept
Safety Goal:
• Safety functions for maintaining SOA (Functional Safety Requirements, FSR)
• Safety support functions (FSR)
BMS Concept Phase: SOA Violation Detection/Avoidance
BMS Product Development: H/W and S/W development
(System level)
• Safety analysis at system level: FMEA (Failure Mode and Effects Analysis), FTA (Fault Tree Analysis)
BMS Product Development: H/W and S/W development
(FMEA - System level)
BMS Product Development: H/W and S/W development
(Hardware level)
• Make detailed hardware design, HW/SW interface specification and test specification
• Safety analysis at hardware level: FMEDA (Failure Modes, Effects and Diagnostic Analysis)
• Prove freedom from interference (between safety-critical parts and non-safety-critical parts)
• Perform qualification of all SW tools (To prove that they are working correctly)
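The slide names FMEDA without showing what it produces. The following is an added example, not code from the slides or from any BMS project: it computes the two hardware architectural metrics an FMEDA delivers under ISO 26262-5, the single-point fault metric (SPFM) and the latent fault metric (LFM), over a constructed list of three hardware elements of a cell-voltage measurement path. All failure rates, safety-goal fractions and diagnostic coverages are made-up sample values, and the split of each element's failure rate is simplified (safe faults are not separated out, as a full FMEDA would do).

```c
/* Added example (not from the slides): ISO 26262-5 hardware architectural
 * metrics (SPFM, LFM) over a constructed list of safety-related hardware
 * elements. Failure rates are in FIT (failures per 1e9 h); every number
 * below is a made-up sample value. */
#include <stdio.h>
#include <stddef.h>

typedef struct {
    const char *name;
    double lambda;         /* total failure rate of the element, FIT */
    double f_sg;           /* fraction of its failures that could violate the safety goal */
    int    has_mechanism;  /* 1: a safety mechanism covers it; 0: its failures are single-point faults */
    double dc_residual;    /* diagnostic coverage of that mechanism for residual faults, 0..1 */
    double dc_latent;      /* coverage that keeps multiple-point faults from staying latent, 0..1 */
} HwElement;

typedef struct {
    double spfm;  /* single-point fault metric, 0..1 */
    double lfm;   /* latent fault metric, 0..1 */
} FmedaResult;

/* Simplified per-element split of lambda into single-point, residual and latent shares. */
static void split_lambda(const HwElement *e, double *spf, double *rf, double *mpf, double *mpf_latent) {
    *spf = e->has_mechanism ? 0.0 : e->lambda * e->f_sg;                   /* no mechanism at all */
    *rf  = e->has_mechanism ? e->lambda * e->f_sg * (1.0 - e->dc_residual) : 0.0; /* slips past it */
    *mpf = e->lambda - *spf - *rf;             /* remainder treated as multiple-point faults here */
    *mpf_latent = *mpf * (1.0 - e->dc_latent); /* the undetected part of those stays latent */
}

/* SPFM = 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)
 * LFM  = 1 - sum(lambda_MPF,latent) / sum(lambda - lambda_SPF - lambda_RF) */
FmedaResult fmeda_metrics(const HwElement *elems, size_t n) {
    double sum_lambda = 0, sum_spf_rf = 0, sum_mpf = 0, sum_latent = 0;
    for (size_t i = 0; i < n; i++) {
        double spf, rf, mpf, lat;
        split_lambda(&elems[i], &spf, &rf, &mpf, &lat);
        sum_lambda += elems[i].lambda;
        sum_spf_rf += spf + rf;
        sum_mpf    += mpf;
        sum_latent += lat;
    }
    FmedaResult r;
    r.spfm = (sum_lambda > 0) ? 1.0 - sum_spf_rf / sum_lambda : 1.0;
    r.lfm  = (sum_mpf > 0)    ? 1.0 - sum_latent / sum_mpf    : 1.0;
    return r;
}

/* Target values from ISO 26262-5 (SPFM / LFM): ASIL B >= 90% / 60%,
 * ASIL C >= 97% / 80%, ASIL D >= 99% / 90%. ASIL A sets no target. */
int fmeda_meets_target(FmedaResult r, char asil) {
    switch (asil) {
    case 'A': return 1;
    case 'B': return r.spfm >= 0.90 && r.lfm >= 0.60;
    case 'C': return r.spfm >= 0.97 && r.lfm >= 0.80;
    case 'D': return r.spfm >= 0.99 && r.lfm >= 0.90;
    default:  return 0;
    }
}

/* Constructed sample: three elements of a cell-voltage measurement path. */
const HwElement SAMPLE_ELEMENTS[] = {
    /* name,               lambda, f_sg, mech, dc_res, dc_lat */
    { "cell voltage ADC",   100.0, 0.5,  1,    0.99,   0.90 },  /* checked by a redundant ADC */
    { "sense line filter",   20.0, 0.1,  0,    0.0,    0.50 },  /* no mechanism: single-point faults */
    { "isolation supply",    80.0, 0.0,  1,    0.0,    1.00 },  /* cannot violate the goal on its own */
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_ELEMENTS / sizeof SAMPLE_ELEMENTS[0];

int main(void) {
    FmedaResult r = fmeda_metrics(SAMPLE_ELEMENTS, SAMPLE_COUNT);
    printf("SPFM = %.2f%%  LFM = %.2f%%\n", r.spfm * 100.0, r.lfm * 100.0);
    for (char asil = 'B'; asil <= 'D'; asil++)
        printf("ASIL %c target: %s\n", asil, fmeda_meets_target(r, asil) ? "met" : "NOT met");
    return 0;
}
```

With the sample values the path reaches SPFM 98.75% and LFM about 90.4%, so it satisfies the ASIL C targets but misses ASIL D on SPFM; the unmonitored sense line filter is what costs the single-point metric, which is exactly the kind of finding an FMEDA feeds back into the hardware design.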
BMS Product Development: H/W and S/W development
(Test and production release)
• Perform System Integration Test, including Fault Injection (To invoke safety mechanisms)
• PRODUCTION RELEASE!
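The SOA violation detection of the concept phase and the fault injection test of this slide meet in the same piece of code. The following is an added example, not code from the slides or from any BMS project: a minimal SOA monitor that checks cell voltages, temperature and two independent current sensors against constructed limits, a latched safety reaction that opens the contactors, and a fault-injection self-test that corrupts individual readings to prove the mechanism reacts. The cell count, limits, readings and the fault flag names are all assumptions made for this example.

```c
/* Added example (not from the slides): SOA monitor, latched safety reaction
 * and fault-injection self-test for a BMS. Limits, cell count and readings
 * are constructed values. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define N_CELLS 4

/* Individual fault flags; several may be set in one cycle. */
enum {
    FLT_NONE = 0, FLT_OVERVOLT = 1u << 0, FLT_UNDERVOLT = 1u << 1, FLT_OVERTEMP = 1u << 2,
    FLT_UNDERTEMP = 1u << 3, FLT_OVERCURRENT = 1u << 4, FLT_SENSOR = 1u << 5
};

typedef struct {
    int16_t v_min_mV, v_max_mV;   /* allowed cell voltage window */
    int16_t t_min_dC, t_max_dC;   /* allowed temperature window, 0.1 degC units */
    int32_t i_max_mA;             /* absolute current limit, either direction */
    int32_t i_plaus_mA;           /* max tolerated disagreement between the two current sensors */
} SoaLimits;

typedef struct {
    int16_t cell_mV[N_CELLS];
    int16_t temp_dC;
    int32_t current_a_mA;         /* two independent current sensors: a disagreement */
    int32_t current_b_mA;         /* between them is itself a detectable fault */
} BmsMeasurement;

typedef struct {
    uint32_t faults;              /* latched bitmask of FLT_* */
    bool contactors_closed;       /* the actuator the safety reaction opens */
} BmsState;

/* Pure check: compare one set of readings against the SOA and return fault flags. */
uint32_t soa_check(const SoaLimits *lim, const BmsMeasurement *m) {
    uint32_t f = FLT_NONE;
    for (int i = 0; i < N_CELLS; i++) {
        if (m->cell_mV[i] > lim->v_max_mV) f |= FLT_OVERVOLT;
        if (m->cell_mV[i] < lim->v_min_mV) f |= FLT_UNDERVOLT;
    }
    if (m->temp_dC > lim->t_max_dC) f |= FLT_OVERTEMP;
    if (m->temp_dC < lim->t_min_dC) f |= FLT_UNDERTEMP;
    int32_t diff = m->current_a_mA - m->current_b_mA;
    if (diff > lim->i_plaus_mA || diff < -lim->i_plaus_mA) {
        f |= FLT_SENSOR;          /* neither sensor can be trusted: report, do not guess */
    } else if (m->current_a_mA > lim->i_max_mA || m->current_a_mA < -lim->i_max_mA) {
        f |= FLT_OVERCURRENT;
    }
    return f;
}

/* One monitoring cycle. Faults latch: a reading that returns to nominal does not
 * close the contactors again, so a transient violation cannot hide itself. */
void bms_step(BmsState *s, const SoaLimits *lim, const BmsMeasurement *m) {
    s->faults |= soa_check(lim, m);
    if (s->faults != FLT_NONE) s->contactors_closed = false;
}

const SoaLimits SAMPLE_LIMITS = { 2800, 4200, -200, 600, 200000, 5000 };
const BmsMeasurement NOMINAL = { {3700, 3710, 3690, 3700}, 250, 50000, 50200 };

/* Fault-injection self-test: each case corrupts one reading of the nominal set
 * and checks the expected flag and the contactor state. Returns the number of
 * failed cases (0 = every safety mechanism reacted as specified). */
int fault_injection_selftest(void) {
    int failed = 0;
    BmsState s = { FLT_NONE, true };
    BmsMeasurement m = NOMINAL;

    bms_step(&s, &SAMPLE_LIMITS, &m);                 /* 1: nominal, no reaction expected */
    if (s.faults != FLT_NONE || !s.contactors_closed) failed++;

    m = NOMINAL; m.cell_mV[2] = 4350;                  /* 2: one cell over voltage */
    bms_step(&s, &SAMPLE_LIMITS, &m);
    if (!(s.faults & FLT_OVERVOLT) || s.contactors_closed) failed++;

    m = NOMINAL;                                       /* 3: back to nominal: must stay latched */
    bms_step(&s, &SAMPLE_LIMITS, &m);
    if (s.contactors_closed) failed++;

    s.faults = FLT_NONE; s.contactors_closed = true;   /* reset, as a service action would */
    m = NOMINAL; m.current_b_mA = 90000;               /* 4: current sensors disagree */
    bms_step(&s, &SAMPLE_LIMITS, &m);
    if (!(s.faults & FLT_SENSOR) || (s.faults & FLT_OVERCURRENT) || s.contactors_closed) failed++;

    s.faults = FLT_NONE; s.contactors_closed = true;
    m = NOMINAL; m.current_a_mA = -250000; m.current_b_mA = -251000; /* 5: consistent overcurrent */
    bms_step(&s, &SAMPLE_LIMITS, &m);
    if (!(s.faults & FLT_OVERCURRENT) || s.contactors_closed) failed++;

    return failed;
}

int main(void) {
    int failed = fault_injection_selftest();
    printf("fault injection self-test: %d failed case(s)\n", failed);
    return failed;
}
```

Two design choices carry the safety argument: the sensor plausibility check runs before the current limit check, so an implausible pair is reported as a sensor fault rather than silently trusting one reading, and the fault state latches, so the self-test's case 3 can verify that a violation which disappears from the readings still leaves the contactors open until an explicit reset.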
Summary & conclusion
• The main purpose of a Battery Management System is to maintain operation of the battery
within its safe operating area (SOA).
• To use a Battery Management System for public road vehicles the system must comply with
the requirements of the ISO 26262 standard, which requires:
• All hazards and risks must be identified and mitigated, and top-down requirements
must be derived from system level to component level
• The Battery Management System must respond to all failures in a well-defined way by
avoidance or detection measures.
• The failure likelihood of the Battery Management System must be quantified and held
below values corresponding to the risk level!