Functional Safety Requirements for Battery Management...
Transcript of Functional Safety Requirements for Battery Management...
Lithium Balance A/S
Functional Safety Requirements for Battery
Management Systems in Electric cars
Purpose of a Battery Management System
Source: www.mpoweruk.com
• To protect the battery from working outside its safe operating area, SOA
• To monitor the state of the battery and to calculate secondary data (SOC, SOH, etc)
• To report / communicate battery data (To a vehicle control unit / the driver)
• To control the battery environment (initiate/instigate heating/cooling)
• To perform balancing of the cells to maximize the use of the battery
Focus of this presentation:Focus of this presentation:
Safety Purpose of a BMS: To maintain SOA
Source: www.mpoweruk.com
SOASOA
Safe Operating Area
SOA = f(V, T, I)
Short Intro - What is Functional Safety (FS)?
• FS is a characteristic of any system, where failure avoidance/detection is present
• A good FS implementation tries to keep a system w/ failures
going. For instance by applying a “limp home” strategy:
• FS tries at least to detect and inform about it, if an effect of a failure cannot be avoided
1. Detection measure:
2. Avoidance measure:
or
Flat tyre
Airless tyres
Pressure monitoring
ISO 26262 Road vehicles — Functional safety
• 26262 is a standard for handling functional safety of electrical/electronic circuits in cars, i.e. how to avoid/react on system failure – for cars driving on public roads (not for golf carts etc)
• 26262 defines requirements for management, development, production, operation, service, and decommissioning (the whole life cycle)
• 26262 requires that the fulfilment of all requirements are proven (Documented, reviewed, verified/validated)
• 26262 requires that potential failures are analyzed, and risks specified and quantified
• 26262 defines maximum values for error likelihood depending on the potential effect of errors/hazards (Operates with exposure, controllability, and severity): ASIL A to ASIL D (QM)
• 26262 deals with reaction to system failure, whereas the new standard, ISO/PAS 21448: Road Vehicles — Safety of the Intended Functionality (SOTIF) (Jan 2019) Safety of automated vehicles (AV) deals without a (actual) system failure.
ISO 26262 Management of Functional safety
BMS Concept Phase: ITEM Definition (DRAFT)
BMSBMS
BMS Concept Phase: ITEM Definition
BMS Concept Phase: Functional concept
Safety Goal :Safety Goal :Safety Functions Safety Functions
for maintaining SOA for maintaining SOA
(Functional Safety Requirement, FSR) (Functional Safety Requirement, FSR)
Safety support Safety support
Functions (FSR)Functions (FSR)
BMS Concept Phase: SOA Violation Detection/Avoidance
BMS Product Development: H/W and S/W development
(System level)
• Derive technical safety requirements from Functional Concept
• Make system design/architecture
• Define safety mechanisms – for detection/avoidance of failures
• Safety analysis at system level: FMEA (Failure Mode and Effect Analysis), FAT (Fault tree analysis)
BMS Product Development: H/W and S/W development
( FMEA - System level)
BMS Product Development: H/W and S/W development
(FMEA - System level)
BMS Product Development: H/W and S/W development
(Hardware level)
• Derive Hardware Safety requirements and test specfication
• Make detailed hardware design, HW/SW interface specification and test specification
• Safety analysis at hardware level FMEDA (Failure Mode, Effects and Diagnostics Analysis)
• Safety analysis at hardware level, quantitative FTA
• Make DFA (Dependent Failure Analysis)
BMS Product Development: H/W and S/W development
(FTA -Hardware level)
BMS Product Development: H/W and S/W development
(FMEDA prerequisites - Hardware level)
BMS Product Development: H/W and S/W development
(FMEDA - Hardware level)
BMS Product Development: H/W and S/W development
(Software level)
• Derive Software requirements and test specification
• Make detailed software design and unit test
• Prove Freedom from Interference (Between safety critical parts and non safety critical parts)
• Perform qualification of all SW tools (To prove that they are working correctly)
BMS Product Development: H/W and S/W development
(Test and production release)
• Perform Environmental tests
• Perform EMC Tests
• Perform System Integration Test, including Fault Injection (To invoke safety mechanisms)
• PRODUCTION RELEASE!
Summary & conclusion
• The main purpose of a Battery Management System is to maintain operation of the battery
within its safe operating area (SOA).
• To use a Battery Management System for public road vehicles the system must comply with
the requirements of the ISO 26262 standard, which requires:
• All Hazards and risks must be identified and mitigated, and top-down requirements
must be derived from system level to component level
• The Battery Management System must respond to all failures in a well-defined way by
avoidance or detection measures.
• The failure likelihood of the Battery Management System must be quantified and held
below values corresponding to the risk level!