Functional safety in
BATTERY MANAGEMENT SYSTEMS
LITHIUM BALANCE history
2006  Established
2008  DONG investment
2009  First commercial launch
2011  150 customer projects completed
2012  1st OEM customer in production
2014  300 projects completed
2015  ISO 9001 certified; 400 projects completed
2016  500 projects completed
ISO 26262 – where does it come from?
Automotive Safety Integrity Level (ASIL)
Independent of the technologies implemented in the vehicle
ASIL classes: A, B, C, D (plus QM where no ASIL is required)

Severity (S)
S0 No injuries
S1 Light to moderate injuries
S2 Severe to life-threatening (survival probable) injuries
S3 Life-threatening (survival uncertain) to fatal injuries

Exposure (E)
E0 Incredibly unlikely
E1 Very low probability
E2 Low probability
E3 Medium probability
E4 High probability

Controllability (C)
C0 Controllable in general
C1 Simply controllable
C2 Normally controllable
C3 Difficult to control or uncontrollable

Determine the ASIL
             C1       C2       C3
S1   E1      QM       QM       QM
     E2      QM       QM       QM
     E3      QM       QM       ASIL A
     E4      QM       ASIL A   ASIL B
S2   E1      QM       QM       QM
     E2      QM       QM       ASIL A
     E3      QM       ASIL A   ASIL B
     E4      ASIL A   ASIL B   ASIL C
S3   E1      QM       QM       ASIL A
     E2      QM       ASIL A   ASIL B
     E3      ASIL A   ASIL B   ASIL C
     E4      ASIL B   ASIL C   ASIL D
Mapping of ASIL to SIL
The cost of implementing ISO 26262
Company's effort and commitment:
• Strong Quality Assurance system
• Safety culture within the organization
• Implementation and utilization of a functional safety tool
• System documentation of the R&D work compliant with the standard
• Management commitment & support
Safety and redundant mechanisms required by ISO 26262 could increase the cost of the finished product.
Some factors that might help to keep the cost down:
• Utilization of integrated circuits to reduce component count and test effort
• Innovative use of decomposition rules to maximize the HW utilization
• Relocation of all non-safety functions to other sub-systems
• Volume production of automotive components actually lowers the price
ISO 26262 workflow
Concept Phase
System Development
Hardware Development
Software Development
Hardware Verification
Software Verification
System Verification
Production / Operation
ESS boundary diagram
System under consideration: BMS, battery pack, contactor box.
Interfacing systems and influences: VCU, HVIL, DC/DC, thermal management, charger, inverter, service tool, 24 volt power supply, chassis protection ground, mounting; customer usage, service personnel, etc.; influence of neighboring systems; environment (temperature, humidity, dust, snow, water).
Interface types: signal interface; HV interface / power supply; physical interface / vibration; EMC.
ESS P-diagram
Inputs: request for power, request for charge, request for discharge, HV+, HV-, 12 V power, HVIL "ok".
Noise factors: user decision, software bugs, defective batteries, defective electronics, faulty wiring, vibration, water ingress, dust ingress, high temperature, low temperature, EMC, isolation failure.
Control factors: ignition, software, diagnostic tool, fuse, thermal management, temperature monitoring, current monitor, voltage monitor, enclosure design, mounting / installation, algorithm parameters, self diagnostics, cell balancing, isolation monitoring, data logging.
Ideal outputs of the ESS: connect, driver info, contactors open or close, delivering and accepting power, cells maintained in balance, error logs, warnings, SOC indication.
Error states: pre-charge failure, inrush current, welding of contactors, failure to open and close contactors, capacity loss leading to a non-recoverable battery pack, recoverable capacity loss, fire, explosion, melting of battery pack and other components, chemical venting, high temperatures, incorrect driver information, missing driver information, incorrect self diagnostics, electrical shock.
Important parameters for safety
The BMS performs threshold sensing of voltage, current and temperature, evaluates the situation and issues an action (e.g. controls chargers, loads and relays) to assure safe operation, and it must do this FAST.
Battery Management System
• Temperature: check point per cell; check point for other components (relays, contactor, DC/DC, wires...); reliable data
• Current: precision; reliable data
• Voltage: accuracy; high speed update; reliable data
Sensing → Evaluation → Action (charger current, load current, relay on/off)
Lithium Balance Safety Concept
SG1: Prevent battery fires
SG2: Non-battery fires
SG3: Toxic fumes
SG4: Maintain drivability
SG5: Electrical shock
The safety concept is defined by five safety goals (SG) for the battery management system.
The safety goals are split into functional safety requirements that can be managed by firmware or hardware.
[Figure: high-voltage battery pack (- to +) drawn as a string of cells, each shown at 80% SoC, connected to a load]
Schematic example for a BMS set up
Cell Monitoring Unit (CMU): cell voltage, temperature, open wire, leakage
Master Control Unit (MCU): current measurement, contactor control (three contactors), charger, load
ASIL allocation:
Cell voltage       ASIL D
PSU                ASIL D
Processor + RTOS   ASIL D
Current            ASIL C
Cell temperature   ASIL C
Contactor control  ASIL C
PSU and processor failure detection
If SPI communication is lost or the processor signals an error condition, the PSU will try to recover the processor. If unsuccessful, it will enter a safe state and wait for a new ignition signal.
Master Control Unit: PSU and Processor
Signals between them: power; SPI communication; error hardware signal; aux switchable power; ignition.
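The PSU-side supervisor described above, written out as an added example (not Lithium Balance firmware): the SPI timeout, the number of power-cycle attempts and every name in the block are assumptions, chosen only to make the state machine concrete.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example, not Lithium Balance firmware: the PSU-side supervisor described
 * on the slide. Timeout, attempt count and all names are assumed. */
#define SPI_TIMEOUT_MS     50  /* assumed: no valid SPI frame for this long = lost */
#define MAX_RESET_ATTEMPTS  3  /* assumed: power-cycle attempts before safe state */
typedef enum { PSU_RUN, PSU_RECOVER, PSU_SAFE } psu_state_t;
typedef struct {
    psu_state_t state; uint32_t ms_since_spi; uint8_t reset_attempts;
    bool proc_power_on;      /* switchable power to the processor */
    bool contactors_allowed; /* PSU-side enable for contactor control */
    bool ignition_prev;      /* for rising-edge detection of ignition */
} psu_t;
psu_t psu;                   /* one supervisor instance for the demo */
void psu_init(psu_t *p) { *p = (psu_t){ PSU_RUN, 0, 0, true, true, false }; }
/* One 1 ms tick: spi_ok = valid frame received, error_line = processor error pin. */
void psu_step(psu_t *p, bool spi_ok, bool error_line, bool ignition)
{
    bool ignition_edge = ignition && !p->ignition_prev;
    p->ignition_prev = ignition;
    p->ms_since_spi = spi_ok ? 0 : p->ms_since_spi + 1;
    switch (p->state) {
    case PSU_RUN:
        if (error_line || p->ms_since_spi > SPI_TIMEOUT_MS) {
            p->contactors_allowed = false;   /* fail safe before anything else */
            p->proc_power_on = false;        /* power-cycle the processor */
            p->reset_attempts = 1; p->ms_since_spi = 0; p->state = PSU_RECOVER;
        }
        break;
    case PSU_RECOVER:
        p->proc_power_on = true;             /* power back on, wait for SPI */
        if (spi_ok && !error_line) {         /* processor answered: recovered */
            p->contactors_allowed = true; p->reset_attempts = 0; p->state = PSU_RUN;
        } else if (p->ms_since_spi > SPI_TIMEOUT_MS) {
            p->proc_power_on = false; p->ms_since_spi = 0;
            if (++p->reset_attempts > MAX_RESET_ATTEMPTS) p->state = PSU_SAFE;
        }
        break;
    case PSU_SAFE:                           /* wait for a new ignition edge */
        p->contactors_allowed = false; p->proc_power_on = false;
        if (ignition_edge) { p->reset_attempts = 0; p->ms_since_spi = 0; p->state = PSU_RECOVER; }
        break;
    }
}
/* Run n ticks with constant inputs; returns the resulting state. */
psu_state_t psu_run(psu_t *p, int n, bool spi_ok, bool error_line, bool ignition)
{
    while (n-- > 0) psu_step(p, spi_ok, error_line, ignition);
    return p->state;
}
```

Note that contactor control is disabled on the first sign of trouble and only re-enabled once the processor answers again; a level-triggered ignition would not leave the safe state, only a new rising edge does.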
How do we implement safety in our BMS
MCU – Master Control Unit
• Dual channel hall effect sensor inputs
• Shunt sensor inputs
• Precision check
• Check for no drift
• Open wire detection
• Stuck-at-value check
• Correct channel selection check
• MUX decoder verification
• Dual core safety master controller
CMU – Cell Monitoring Unit
• ADC function verification
• ADC reference voltage verification
• MUX decoder verification
• Digital filter verification
• Open wire check
• Thermal shutdown protection
• Digital revision code verification
• Watchdog timer
• Balancing circuit verification
• CRC validation on communication
MCU processor
• CPU lock-step architecture, safe island approach
• CRC validation of non-volatile memory
• CRC validation of internal and external communication
• MISRA-C compliant source code
• Comprehensive static & dynamic validation of source code
• Read/write ECC validation for internal memory
MCU inputs and power supply
• Precision check
• Open wire detection
• Check for no drift
• Stuck-at-value check
• Correct channel selection check
• MUX decoder verification
• Proven combination of safety critical power supply and safety critical microcontroller
• Protection against unstable supply and brownout
• External windowed watchdog
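As an added example (not the n-BMS firmware) of three of the input checks listed above, the block below runs open wire detection, a drift check and a stuck-at-value check over a redundant current measurement (two hall-effect channels plus a shunt); the ADC scale, the limits and the function names are assumed, and the input sequences are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example, not the n-BMS firmware: plausibility checks for a redundant
 * current measurement (two hall-effect channels plus a shunt) following the
 * slide's list: open wire detection, check for no drift, stuck-at-value check.
 * ADC scale, limits and names are assumed. */
#define ADC_MAX         4095   /* assumed 12-bit ADC, mid-scale = 0 A */
#define RAIL_MARGIN        5   /* reading pinned at a rail = open or shorted wire */
#define DRIFT_LIMIT_MA  5000   /* assumed max disagreement between channels */
#define STUCK_SAMPLES      8   /* frozen readings while another channel moves */
enum { CHK_OK = 0, CHK_OPEN_WIRE = 1, CHK_DRIFT = 2, CHK_STUCK = 4 };
typedef struct { uint16_t last_raw[3]; uint8_t same_count[3]; } chk_state_t;
static int32_t raw_to_ma(uint16_t raw)      /* assumed linear +/-500 A range */
{
    return ((int32_t)raw - 2048) * 1000000 / 4096;
}
/* Evaluate one sample set of the three channels; returns a bitmask of faults. */
int check_current(chk_state_t *s, const uint16_t raw[3])
{
    int faults = CHK_OK; bool valid[3]; int32_t ma[3];
    for (int i = 0; i < 3; i++) {
        valid[i] = raw[i] > RAIL_MARGIN && raw[i] < ADC_MAX - RAIL_MARGIN;
        if (!valid[i]) faults |= CHK_OPEN_WIRE;   /* pinned at a rail */
        ma[i] = raw_to_ma(raw[i]);
        if (raw[i] != s->last_raw[i]) s->same_count[i] = 0;
        else if (s->same_count[i] < 255) s->same_count[i]++;
        s->last_raw[i] = raw[i];
    }
    for (int i = 0; i < 3; i++) for (int j = 0; j < 3; j++) {
        if (i == j || !valid[i] || !valid[j]) continue;  /* open channels excluded */
        int32_t d = ma[i] - ma[j];
        if ((d < 0 ? -d : d) > DRIFT_LIMIT_MA) faults |= CHK_DRIFT;   /* channels disagree */
        if (s->same_count[i] >= STUCK_SAMPLES && s->same_count[j] == 0) /* i frozen, j moving */
            faults |= CHK_STUCK;
    }
    return faults;
}
/* Constructed input: channel k starts at s_k counts and ramps d_k counts per
 * sample for n samples; returns the OR of all faults seen over the sequence. */
int simulate(uint16_t s0, int d0, uint16_t s1, int d1, uint16_t s2, int d2, int n)
{
    chk_state_t st = {{0, 0, 0}, {0, 0, 0}};
    int seen = 0;
    for (int k = 0; k < n; k++) {
        uint16_t raw[3] = { (uint16_t)(s0 + k * d0), (uint16_t)(s1 + k * d1), (uint16_t)(s2 + k * d2) };
        seen |= check_current(&st, raw);
    }
    return seen;
}
```

A channel that does not move is only reported as stuck when another channel is moving, so a genuinely steady current does not raise a false alarm.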
Summary
The n-BMS (CMU – Cell Monitoring Unit and MCU – Master Control Unit) is designed to have no undetected safety-critical single-point failures. The detection methods include:
• Cell voltage input open wire detection
• Cell voltage and temperature measurement self test
• Internal and external MUX self test
• Power supply with watchdog protection, self test and CRC
• Dual-core lockstep cycle-by-cycle CPU
• CPU built-in self test
• ECC on CPU FLASH and RAM
• CPU clock and voltage monitoring
Thank you – Questions
BACK UP SLIDES
Hardware Implementation: Balancing Methods
Dissipative balancing (bleed resistor R per cell)
+ simple, compact and cheap to implement
+ no waste in stand-by mode
+ relatively low balancing current required
- inefficient: the surplus energy is dissipated as waste heat
- speed/current limited
- wasting energy is environmentally unsound
Nondissipative balancing (cell-to-battery; battery-to-cell; cell-to-cell)
+ efficient in transferring energy
+ potentially fast in balancing
- more complex, larger volume, higher cost
- wasted stand-by power
- lower reliability due to complexity
- high balancing current required
Balancing algorithms
Voltage based
+ very simple method
+ no error in conversion to SoC
+ accurate cell data for balancing at high SoC
+ cell internal resistance is negligible
- high current may be required for balancing
- higher current will result in higher heat
SoC history based
+ lower balancing current could be used
+ fewer cycles, as balancing is done all the time
- needs more processing power to compute SoC / slower
- requires larger memory to store the SoC
- possibility of inaccuracy in the calculation of SoC
[Figure: 192-cell system balancing using the voltage based algorithm]
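A voltage based selection of which cells to bleed, as an added example for a 192-cell string like the one in the figure (not Lithium Balance code): the start voltage, the delta above the lowest cell, the stop hysteresis and all names are assumptions, and the pack voltages are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
/* Added example, not Lithium Balance code: voltage based selection of cells to
 * bleed (dissipative balancing) for a 192-cell string. Thresholds and names are
 * assumed. */
#define N_CELLS        192
#define BAL_START_MV  3900  /* assumed: balance only near full, where voltage tracks SoC well */
#define BAL_DELTA_MV    10  /* assumed: start bleeding cells this far above the lowest cell */
#define BAL_STOP_MV      3  /* assumed: stop bleeding once within this of the lowest cell */
uint16_t pack_mv[N_CELLS];     /* cell voltages in mV (constructed in demo_pack_init) */
bool     pack_bleed[N_CELLS];  /* bleed resistor on/off per cell */
/* One balancing decision: updates bleed[] with hysteresis and returns the number
 * of cells whose bleed resistor is switched on. */
int balance_select(const uint16_t v_mv[N_CELLS], bool bleed[N_CELLS])
{
    uint16_t v_min = v_mv[0], v_max = v_mv[0];
    int n_on = 0;
    for (int i = 1; i < N_CELLS; i++) {
        if (v_mv[i] < v_min) v_min = v_mv[i];
        if (v_mv[i] > v_max) v_max = v_mv[i];
    }
    for (int i = 0; i < N_CELLS; i++) {
        if (v_max < BAL_START_MV) bleed[i] = false;   /* SoC too low: voltage is a poor SoC proxy */
        else if (!bleed[i] && v_mv[i] > v_min + BAL_DELTA_MV) bleed[i] = true;
        else if (bleed[i] && v_mv[i] <= v_min + BAL_STOP_MV)  bleed[i] = false;
        n_on += bleed[i];
    }
    return n_on;
}
/* Constructed pack: every cell at base_mv except cells 7 (+25 mV), 150 (+15 mV)
 * and 20 (+5 mV, below the delta). Also clears all bleed flags. */
void demo_pack_init(uint16_t base_mv)
{
    for (int i = 0; i < N_CELLS; i++) { pack_mv[i] = base_mv; pack_bleed[i] = false; }
    pack_mv[7] = base_mv + 25; pack_mv[150] = base_mv + 15; pack_mv[20] = base_mv + 5;
}
void demo_set_cell(int i, uint16_t mv) { pack_mv[i] = mv; }
```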
Battery Model
The battery model is used to compensate for the difference between ideal conditions and a real-world scenario. It makes the SOC estimation more precise outside the ideal operating range, and it helps application performance by dynamically adjusting system boundaries such as the allowed regen and discharge current.
Coulomb counting SoC estimation
Accuracy depends on:
- sampling rate
- current measuring accuracy
- calibration points
Not well suited for hybrid applications.
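To show the sampling-rate dependence named above, here is an added example (not Lithium Balance code) of a coulomb counter run over a constructed 1 ms current log at three sampling periods; the load profile, the 10 Ah capacity and all names are assumptions.

```c
#include <stdint.h>
/* Added example, not Lithium Balance code: a coulomb counter run over a
 * constructed 1 ms current log at different sampling periods. Profile, capacity
 * and names are assumed. */
#define LOG_MS 1000
int32_t profile_ma[LOG_MS];   /* discharge current in mA, one entry per ms (constructed) */
/* Constructed load: 10 A steady discharge with a 50 A pulse from t = 120 ms to 164 ms. */
void build_profile(void)
{
    for (int t = 0; t < LOG_MS; t++)
        profile_ma[t] = (t >= 120 && t <= 164) ? 50000 : 10000;
}
/* Coulomb counting: integrate the current seen at each sample instant (zero-order
 * hold) with period step_ms; returns removed charge in microampere-seconds. */
int64_t coulomb_count_uas(const int32_t *i_ma, int n_ms, int step_ms)
{
    int64_t q_uas = 0;
    for (int t = 0; t < n_ms; t += step_ms)
        q_uas += (int64_t)i_ma[t] * step_ms;   /* mA * ms = uA*s */
    return q_uas;
}
/* Error of a given sampling period relative to the 1 ms reference, in percent
 * of the true removed charge (negative = pulse missed, positive = overcounted). */
double sampling_error_pct(int step_ms)
{
    int64_t ref = coulomb_count_uas(profile_ma, LOG_MS, 1);
    int64_t est = coulomb_count_uas(profile_ma, LOG_MS, step_ms);
    return 100.0 * (double)(est - ref) / (double)ref;
}
/* SoC update from an initial SoC (percent) and rated capacity (mAh). */
double soc_after_pct(double soc0_pct, int64_t removed_uas, double capacity_mah)
{
    double capacity_uas = capacity_mah * 3600.0 * 1000.0;
    return soc0_pct - 100.0 * (double)removed_uas / capacity_uas;
}
```

With a 100 ms period the 45 ms pulse falls between samples and is missed entirely; with 10 ms it is caught but overcounted, and only the 1 ms log recovers the exact charge.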
Model based SoC estimation
- Equivalent circuit model and the electrochemical battery model
- The Kalman filter is an algorithm for estimating unknown variables from noisy data input.
- Normally, in an SOC model based on input from synchronised voltage, temperature and current sensors, there are 200+ different unknown variables, depending on model type.
- Well suited for hybrid applications without calibration points. Model based SoC estimation is also very well suited for battery life optimization.