Functional safety in

BATTERY MANAGEMENT SYSTEMS

LiTHIUM BALANCE history

2006

2008

2009

2011

2012

2014

2015

Established

DONG investment

First commercial launch

150 customersprojects completed

1st OEM cust. in production

300 projectscompleted

ISO 9001 certified400 projectscompleted

2016

500 projectscompleted

ISO 26262 – where does it come from ?

Automotive Safety Integrity Level (ASIL)

Independent of the technologies implemented in the vehicle

A

B

D

C

S0 No injuries

S1 Light to moderate injuries

S2 Severe to life-threatening (survival probable) injuries

S3 Life-threatening (survival uncertain) to fatal injuries

E0 Incredibly unlikely

E1 Very low probability

E2 Low probability

E3 Medium probability

E4 High probability

C0 Controllable in general

C1 Simply controllable

C2 Normally controllable

C3 Difficult to control or uncontrollable

Determine the ASIL

C1 C2 C3

S1

E1 QM QM QM

E2 QM QM QM

E3 QM QM ASIL A

E4 QM ASIL A ASIL B

S2

E1 QM QM QM

E2 QM QM ASIL A

E3 QM ASIL A ASIL B

E4 ASIL A ASIL B ASIL C

S3

E1 QM QM ASIL A

E2 QM ASIL A ASIL B

E3 ASIL A ASIL B ASIL C

E4 ASIL B ASIL C ASIL D

A

B

D

C

Mapping of ASIL to SIL

The cost of implementation ISO26262

Company’s effort and commitment:• Strong Quality Assurance system• Safety culture within the organization• Implementation and utilization of a functional safety tool• System documentation of the R&D work compliant to the standard• Management commitment & support.

Safety and redundant mechanisms required in the implementation of ISO 26262 could lead to an increased cost of the finished product.

Some factors that might help to keep the cost down • Utilization of Integrated Circuit to reduce components count and test• Innovative use of decomposition rules to maximize the HW utilization• Relocation of all non-safety functions to other sub-system• Volume production of automotive components actually lower the price

ISO 26262 workflow

Concept Phase

System Development

Hardware Development

Software Development

System Verification

ProductionOperation

Software Verification

Hardware Verification

ESS boundary Diagram

BMS BATTERY PACKCONTACTOR

BOX

VCU

Customer Usage,Service

personalEtc.

Influence of

neighboringsystems

Environment(temp,

humidity, dust, Snow ,

water)

HVIL

Dc/Dc

THERMAL MANAGEMENT

CHARGER INVERTOR

SERVICE TOOL

24 VOLT POWER SUPPLY

CHASSIS PROTECTION GROUND

MOUNTING

Signal InterfaceHV interface / Power SupplyPhysical interface / VibrationEMC

ESS P-Diagram

ESS

Request for PowerRequest for ChargeRequest for DischargeHV +HV-12V powerHVIL “ok”

User Decision Software Bugs Defective Batteries Defective ElectronicsFaulty Wiring VibrationWater Ingress Dust IngressHigh Temperature Low TemperatureEMC Isolation Failure

Ignition SoftwareDiagnostic Tool FuseThermal Management Temperature monitoringCurrent Monitor Voltage monitorEnclosure Design Mounting / installationAlgorithm parameters Self DiagnosticsCell Balancing Isolation monitoringData logging

Inputs

Connect Driver InfoContactors Open or CloseDelivering and accepting Power Cells maintained in BalanceError logsWarningsSOC indication

Pre Charge Failure Inrush CurrentWelding of contactorsFailure to open and close contactorsCapacity loss leading to non recoverable battery packRecoverable capacity lossFireExplosionMelting of battery pack and other componentsChemical VentingHigh TemperaturesIncorrect Driver informationMissing Driver informationIn correct self diagnosticsElectrical Shock

Control

Noise

Important parameters for safety

The BMS performs thresholds sensing of Voltage, Current and Temperature AND make evaluation of the situation AND issue action e.g. controls chargers, loads and relays to assure safe operation FAST

Battery Management System

• Temperature• Check point per cell • Check point for other components

• (relays, contactor, DC/DC, wires...)• Reliable data

• Current • Precision• Reliable data

• Voltage• Accuracy • High speed update• Reliable data

SensingCharger currentLoad currentRelay On/Off

Evaluation Action

Lithium Balance Safety Concept

SG1: Prevent battery fires

SG2: Non-battery fires SG3: Toxic fumes

SG4: Maintain drivability SG5: Electrical shock

The safety concept is defined by five safety goals (SG) for the battery management system

The safety goals are split into functional safety requirements that can be managed by firmware or hardware

-H

igh

vo

ltag

e b

atte

ry p

ack

+

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

80% SoC

Load

Schematic example for a BMS set up

voltagetemperatureopen wireleakage

Charger

Current measurement

Contactor

Contactor

Contactor

Cell Monitoring Unit

Master Control Unit

Cell voltage ASIL D

PSUASIL D

Processor + RTOSASIL D

CurrentASIL CCell Temperature

ASIL CContactor control

ASIL C

PSU and processor failure detection

If SPI communication is lost or the Processor signals an Error condition, the PSU will try to recover the Processor. If unsuccessful,it will enter a safe sate and wait for a new ignition signal.

Master Control Unit

PSU

Processor

Power

SPI communication

Error hardware signal

AuxSwitchable power

Ignition

How do we implement safety in our BMS

MCU – Master Control Unit

Dual Channel hall effect sensor inputs.Shunt sensor inputs.Precision check.Check for no drift. Open wire detection.Stuck at value check.Correct channel selection check.MUX decoder verificationDual Core Safety Master Controller

CMU – Cell Monitoring Unit

ADC function verificationADC reference voltage verificationMUX decoder verificationDigital filter verificationOpen wire checkThermal shutdown protectionDigital revision code verificationWatchdog timerBalancing circuit verificationCRC validation on communication.

CPU lock-step architecture, safe island approach.CRC validation of non-volatile memory.CRC validation of internal and external communication.MISRA-C compliant source code.Comprehensive static & dynamic validation of source code.Read/write ECC validation for internal memory.

Precision check.Open wire detection.Check for no drift. Stuck at value check.Correct channel selection check.MUX decoder verificationProven combination of safety critical power supply and safety critical microcontroller.Protection against unstable supply and brownout.External windowed watchdog

Summary

CMU – Cell Monitoring Unit

MCU – Master Control Unit

The n-BMS is designed to have no undetected safety critical singlepoint failures. The detection methods include:

Cell voltage input open wire detection

Cell voltage and temperature measurement self test

Internal and external MUX self test

Power supply with watchdog protection, self test and CRC.

Dual-core Lockstep cycle-by-cycle CPU

CPU build in self test

ECC on CPU FLASH and RAM

CPU Clock and Voltage monitoring

Thank you – Questions

BACK UP SLIDES

Hardware Implementation Balancing Methods

R

R

R

R

Dissipative Balancing

+ simple, compact and cheap to implement+ no waste in stand-by mode+ relative low balancing current required

- No efficiency when dissipation of wasted heat- Speed/current limited - Wasting energy is environmentally incorrect

Nondissipative Balancing

Cell-to-battery; battery-to-cell; cell-to-cell

+ Efficient in transferring energy+ Potentially fast in balancing

- More complex, larger volume, higher cost- Wasted stand-by power- Lower reliability due to complexity- High balancing current required

Balancing algorithms

+ Very simple method+ No error in conversion to SoC+ Accurate cell data for balancing at high SoC+ Cell internal resistance is negligible

- High current may be required for balancing- Higher current will result in higher heat

Voltage based

+ Lower balancing current could be used+ Fewer cycles as balancing are done all the time.

- High more PC power to compute SoC / slower- Requires larger memory to store the SoC- Possibility for inaccuracy when calculation of SoC

SoC history based

192 cells system balancing using voltage based algorithm

Battery Model

The battery model is used to compensate from the ideal conditions to a real worldscenario. The battery model will make the SOC estimation more precise outside theideal operating range. It will also help application performance by dynamically adjusting system boundaries like allowed regen and discharge current.

Coulomb counting SOC estimation

Coulomb counting SoC estimation:

Accuracy depends on:- Sampling rate- Current measuring accuracy- Calibration points- Not well suited for Hybrid applications

Model based SoC estimation

Model based SoC estimation:

- Equivalent circuit model and the Electrochemical battery model

- The Kalman filter is an algorithm for estimating unknown variables definedfrom noisy data input.

- Normally in an SOC model based on input from syncroniced voltage, temperature and current sensors there are 200+ different unknownvariables depending on model type.

- Well suited for Hybrid applicationswithout calibration points. The Model based SoC estimation is also very well suited for battery life optimization.