BMS Safety Solution Based on ISO 26262

As the complexity of automotive electronic software and hardware continues to increase, so does the risk of system failure and random hardware failures.


The release of ISO 26262, an industry standard for automotive electronics, provides a deeper understanding of functional safety in vehicle design, offering a reliable process for assessing and mitigating these risks.

 

Introduction to BMS

BMS stands for Battery Management System.

 

BMS plays a critical role in HEV/EV applications. In a broad sense, BMS includes the management of traditional 12/24V lead-acid batteries. However, the focus of this discussion is primarily on the management of power batteries in HEV/EV applications, ranging from 48V mild hybrids to fully electric vehicles with voltages exceeding 500V, all of which can be covered by BMS solutions.

 

Generally, a BMS consists of a master control unit and multiple slave control units. The slave control units directly connect to the battery pack, collecting data such as battery voltage, current, and temperature. The master control unit manages multiple slave control units through communication methods such as CAN bus or Daisy Chain.

 

In response to the battery management requirements of electric vehicles, BMS functionality includes SOC/SOH estimation, fault diagnosis, balancing control, thermal management, and charging management. SOC refers to State of Charge, which measures the remaining battery capacity and is crucial for estimating the vehicle's driving range.

 

Fault diagnosis determines the current state of the battery and promptly identifies abnormal conditions such as overvoltage, undervoltage, and overtemperature during charging and discharging, which helps prevent accidents. Balancing control aims to eliminate capacity differences between individual battery cells, ensuring consistency and prolonging battery life.

 

Overview of BMS Functional Safety Development Process

The functional safety standard defined by ISO 26262 covers the management, development, production, operation, service, and decommissioning phases of a product, encompassing the entire product lifecycle. 

 

During product development, the key stages of concern are the concept phase, system-level development, hardware development, and software development.

During the concept stage of functional safety, system hazard analysis and risk assessment are conducted to determine the Automotive Safety Integrity Level (ASIL).

 

ISO 26262 specifies four safety levels from A to D, with D being the highest level and corresponding to the most stringent requirements. Generally, mainstream automakers consider that a BMS should meet at least the ASIL-C safety level.

 

Once the ASIL is determined, safety goals are established, and corresponding safety requirements and safety mechanisms are proposed, along with decomposition of functional safety levels when necessary.

 

ISO 26262 provides three metrics: Single Point Fault Metric (SPFM), Latent Fault Metric (LFM), and Probabilistic Metric for Hardware Failures (PMHF), which are used to evaluate the system's safety level.
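
The three metrics above can be computed from an FMEDA-style list of failure modes for one safety goal. The following is an added example, not part of the original article or of any vendor tooling: the failure modes, FIT rates and diagnostic-coverage values are constructed, safe faults are left out, and PMHF is approximated by the residual failure rate alone. The target values are those of ISO 26262-5.

```python
from dataclasses import dataclass

# ISO 26262-5 targets per ASIL: (min SPFM, min LFM, max PMHF in FIT; 1 FIT = 1e-9 /h)
TARGETS = {"D": (0.99, 0.90, 10.0), "C": (0.97, 0.80, 100.0), "B": (0.90, 0.60, 100.0)}

@dataclass
class FailureMode:
    name: str
    fit: float            # failure rate of this safety-related failure mode, in FIT
    violates_goal: bool   # True if it can violate the safety goal on its own
    dc_residual: float    # diagnostic coverage against residual faults, 0..1
    dc_latent: float      # diagnostic coverage against latent faults, 0..1

def hardware_metrics(modes):
    """Return (SPFM, LFM, first-order PMHF in FIT) for one safety goal."""
    total = sum(m.fit for m in modes)
    if total <= 0:
        raise ValueError("no safety-related failure rate to evaluate")
    residual = latent = 0.0
    for m in modes:
        rf = m.fit * (1.0 - m.dc_residual) if m.violates_goal else 0.0
        residual += rf                                 # single-point + residual faults
        latent += (m.fit - rf) * (1.0 - m.dc_latent)   # undetected multiple-point part
    multi_point = total - residual
    spfm = 1.0 - residual / total
    lfm = 1.0 - latent / multi_point if multi_point > 0 else 1.0
    return spfm, lfm, residual   # PMHF approximated by the residual rate only

def highest_asil_met(spfm, lfm, pmhf_fit):
    """Highest ASIL whose three hardware targets are all satisfied, else None."""
    for asil, (min_spfm, min_lfm, max_pmhf) in TARGETS.items():
        if spfm >= min_spfm and lfm >= min_lfm and pmhf_fit < max_pmhf:
            return asil
    return None

# Constructed failure modes for an overvoltage safety goal (illustrative values only).
CONSTRUCTED_FMEDA = [
    FailureMode("cell-voltage ADC reads low", 20.0, True, 0.99, 0.90),
    FailureMode("voltage reference drift", 10.0, True, 0.97, 0.90),
    FailureMode("contactor driver stuck on", 30.0, True, 0.99, 0.80),
    FailureMode("redundant comparator stuck inactive", 40.0, False, 0.0, 0.90),
]

if __name__ == "__main__":
    spfm, lfm, pmhf = hardware_metrics(CONSTRUCTED_FMEDA)
    print(f"SPFM={spfm:.2%} LFM={lfm:.2%} PMHF~{pmhf:.2f} FIT -> ASIL {highest_asil_met(spfm, lfm, pmhf)}")
```

With these constructed values the design clears the ASIL-D single-point target but misses the ASIL-D latent-fault target, so it qualifies only for ASIL-C until latent-fault coverage is improved.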

 

For example, in the development process of a BMS, hazard analysis identifies events such as overvoltage, undervoltage, overtemperature, and overcurrent. 

 

Overvoltage can be a severe event, especially if the battery is subjected to prolonged overcharging, which can lead to performance degradation, irreversible damage, battery deformation, and leakage.

 

BMS Solution in Compliance with Functional Safety

A comprehensive battery management system solution includes microcontrollers (MCUs), analog front-end battery controller ICs, isolated network high-speed transceivers, and system basis chips (SBCs).

 

With the BMS solution, customers can easily implement a battery management system based on CAN networks or Daisy Chain. 

We offer a variety of devices that comply with the ISO 26262 standard. The master control unit MPC574xP achieves ASIL-D safety level, the analog front-end battery controller MC33771 achieves ASIL-C safety level, and the System Basis Chip (SBC) FS45/65 achieves ASIL-D safety level.

 

By adopting this solution, customers can simplify their software and hardware designs, facilitating the achievement of ASIL-C/D safety levels.

 

Furthermore, we provide reference designs that comply with functional safety, greatly accelerating customers' development of BMS products that meet the ISO 26262 standard.

The BMS solution supports various network topologies, including centralized and distributed Daisy Chain structures and centralized and distributed CAN network structures. The Daisy Chain network significantly reduces the BOM (Bill of Materials) cost but is limited by communication distance.

 

Currently, in most buses, communication is primarily based on the CAN bus. The BMS solution provided by NXP offers great flexibility to meet the diverse needs of different customers.

 

Functional safety is a trend in the automotive electronics industry and a strength of BMS solutions. We are capable of providing a complete set of BMS solutions to help customers simplify functional safety design and ensure that their BMS products comply with the ISO 26262 standard.
