Li-ion batteries can store large amounts of energy, and they can support high rates of power delivery. They are the preferred energy storage technology for EVs and large battery energy storage systems (BESS). But if not properly managed, they can also present safety hazards. That makes functional safety a critical consideration when designing large Li-ion batteries like those found in EVs and BESS.
This FAQ reviews the importance of maintaining operation in the safe operating area (SOA) of lithium batteries along with the functions of the battery management system (BMS). It then briefly presents some basic concepts of functional safety defined in IEC 61508, ISO 26262, and UL 1973; looks at the definitions of hazards versus risks and at examples of functional safety assessments; and considers challenges related to the use of combo boxes, multi-core processors, and redundant system architectures for BMS.
The main factors that impact Li-ion safety include voltage, current, temperature, and mechanical damage. Mechanical damage is generally related to accidents or misuse of the cells. SOA is primarily a function of V, I, and T, with the exact values varying based on the Li-ion chemistry being used (Figure 1). If a Li-ion cell is operated outside the SOA, secondary reactions can start, leading to cell degradation and possibly dangerous conditions. At a basic level, a Li-ion battery pack includes sensors for V, I, and T that the BMS uses to keep the pack operating within the SOA. Some packs also include gas detection and other sensors to provide an early warning of dangerous conditions arising from mechanical damage or operation outside the SOA.
While the details vary depending on the cell chemistry, the current is the largest contributor to heat generation in Li-ion cells. High currents can also cause accelerated cell aging. Excessive voltage and overcharging are also safety concerns and can result in cell damage. If a cell is overcharged, side reactions can occur that generate gases and heat that can cause cell venting and in extreme cases, start a fire.
A well-designed BMS and a power monitoring and disconnection unit (PMDU) are central to the safe operation and long lives of Li-ion cells. Large battery packs like those in EVs and BESS are comprised of numerous modules. Every cell in each module must be monitored for cell balancing in addition to concerns with V, I, and T. Due to variations in the manufacturing process, the battery cells in the modules are not perfectly matched, and the BMS is required to support cell balancing. Imbalances between cells cause them to charge at different rates and can result in unsafe conditions in the module. The BMS monitors the charging of individual cells and compensates for imbalances.
In addition to a suite of sensors, the BMS includes several parameter estimation algorithms. Safe and reliable battery pack operation depends on the state of charge (SoC), which determines the remaining capacity in the battery; the state of health (SoH), which estimates the capacity fade experienced by the pack as it is charged and discharged numerous times; and the state of power (SoP), which indicates the power delivery capability of the battery.
Protection is a primary BMS function. The BMS protects the battery from abusive charging or discharging, excessive temperatures, and other undesirable operating conditions, and it protects people from hazards like burning or exploding batteries. There are different safety standards for different applications. IEC 61508 applies across most applications including BESS and defines Safety Integrity Levels (SILs). ISO 26262 is specific to the automotive industry and defines Automotive Safety Integrity Levels (ASILs). UL 1973 is a mixed bag and applies to battery packs used in light electric rail and stationary applications.
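The SOA checks and protection decisions described above, written out as an added example (not code from the original article or from any vendor's BMS). The limit values, the chemistry they stand for, and the decision policy are all constructed assumptions; real limits come from the cell datasheet.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed SOA limits for a generic LFP-like cell (assumption, not a datasheet)
@dataclass(frozen=True)
class SoaLimits:
    v_min: float = 2.5            # V, below this: over-discharge
    v_max: float = 3.65           # V, above this: overcharge (gas/heat side reactions)
    i_charge_max: float = 100.0   # A into the pack
    i_discharge_max: float = 200.0  # A out of the pack
    t_charge_min: float = 0.0     # degC, no charging below this
    t_max: float = 55.0           # degC, cell temperature ceiling
    imbalance_max: float = 0.05   # V, maximum spread between cells

@dataclass
class PackSample:
    cell_v: List[float]           # per-cell voltages (V)
    cell_t: List[float]           # per-module temperatures (degC)
    current: float                # A, positive = charging, negative = discharging

HARD_FAULTS = {"overvoltage", "undervoltage", "overcurrent_charge",
               "overcurrent_discharge", "overtemperature", "charge_below_tmin"}

def check_soa(s: PackSample, lim: SoaLimits = SoaLimits()) -> dict:
    """Evaluate one V/I/T sample against the SOA and return the faults found
    plus the protection action the BMS would request from the PMDU."""
    faults = []
    if max(s.cell_v) > lim.v_max:
        faults.append("overvoltage")
    if min(s.cell_v) < lim.v_min:
        faults.append("undervoltage")
    if s.current > lim.i_charge_max:
        faults.append("overcurrent_charge")
    if -s.current > lim.i_discharge_max:
        faults.append("overcurrent_discharge")
    if max(s.cell_t) > lim.t_max:
        faults.append("overtemperature")
    if s.current > 0 and min(s.cell_t) < lim.t_charge_min:
        faults.append("charge_below_tmin")
    spread = max(s.cell_v) - min(s.cell_v)
    if spread > lim.imbalance_max:
        faults.append("imbalance")
    # Decision policy (constructed): any electrical or thermal excursion opens
    # the contactor; an imbalance on its own only enables cell balancing.
    if any(f in HARD_FAULTS for f in faults):
        action = "open_contactor"
    elif "imbalance" in faults:
        action = "balance_cells"
    else:
        action = "normal"
    return {"faults": faults, "spread_v": round(spread, 3), "action": action}
```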
The safety goals defined in the various standards provide an expected performance level of the BMS and overall battery system. They are derived using a safety analysis based on two factors:
- Hazard Identification: A hazard is anything that may cause harm including physical injury or damage to health.
- Risk analysis and evaluation: A risk analysis quantifies the chance that a person can be harmed by a hazard, including an evaluation of how serious the harm could be.
Functional safety can be designed into a battery pack, and its efficacy is confirmed using a variety of management approaches. For example, product development teams should include a specific focus on safety management and implementation of safety specifications; quality assurance teams can perform safety assessments including confirmation reviews and process audits, and a dedicated functional safety competence center can be implemented to support technical reviews and assessments of the process and its results (Figure 2).
Combo box challenges
So-called combo boxes can present additional functional safety challenges. A combo box includes two related but separate subsystems like an onboard charger (OBC) paired with a DC/DC converter. The subsystems are combined to share resources, improve reliability since there are fewer components, and reduce maintenance and cost. For example, the cooling system can be shared by an OBC and DC/DC. That can also improve power/system density and reduce system weight.
The performance and cost benefits are certainly attractive, but it’s not quite that simple. Integrated systems can present challenges related to manufacturability, noise levels, thermal management, and safety. If one or more of the integrated systems are safety critical like the BMS or the drivetrain inverter, the entire combo box can be subject to difficult ASIL demands. Examples of safety-critical systems include certain DC/DC converters, the drivetrain inverter and motor, the battery charge controller, OBC, and BMS (Figure 3).
The required ASIL qualification applies to the software running the system as well as the hardware. To achieve ASIL functional safety, an MCU and an AUTOSAR (AUTomotive Open System ARchitecture) software stack with multi-core support and AUTOSAR basic software (BSW) are needed. AUTOSAR is the global standard for software enabling open E/E system architectures for intelligent mobility platforms like EVs needing high levels of dependability, particularly safety, and security.
Multi-cores for ASIL compliance
The use of multi-core MCUs can be an important aspect of meeting ASIL requirements in combo boxes. AUTOSAR development environments are available that support the integration, testing, and analysis needed for ASIL compliance in multi-core environments. In a combo box, various functions can be distributed across different cores. In a DC/DC plus OBC combo box, core 0 can be used for DC/DC functions, and core 1 can be dedicated to the OBC. That approach can simplify ASIL compliance for the overall system.
Multi-core implementations can contribute to performance improvement by reducing the load on individual CPUs and consolidating auxiliary functions like communications on a dedicated core. In addition, different subsystems may need different approaches to ASIL compliance that can be more effectively addressed using dedicated cores.
Sensors for cell voltage and temperature are located throughout an EV battery pack and are key components used by the BMS for monitoring battery health and ensuring safe operation. Constant connectivity is needed between the BMS and the sensors since the voltage and temperature information is read on a frequent basis and used by the control processor to ensure that the battery stays in the SOA. In the case of high-voltage battery packs like those found in EVs and BESS, several monitoring ICs are arranged in a stacked architecture with each IC monitoring a group of battery cells.
Problems can occur if connectivity between the battery cells and the IC is lost as a result of an open or short circuit. If that happens, a hazardous event may develop. One solution is the use of bidirectional ring communication and a redundant path for battery voltage measurement, which provides fault tolerance and increases pack safety by ensuring continuous monitoring. If an open or short fault occurs in one of the redundant ring communication paths, the MCU can continue communicating with the battery monitoring ICs by switching the direction of communication to the redundant path that is still operating normally. No temperature or voltage information is lost, so safety monitoring is uninterrupted (Figure 4).
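The bidirectional ring described above, as an added simulation (not code from the original article or from any monitoring IC vendor). It assumes a constructed topology in which the MCU drives link 0 into IC 0 and link n out of IC n-1, so a single broken link leaves every IC reachable from one direction, while two broken links isolate the ICs between them and must be reported as a monitoring loss.

```python
from typing import Dict, Set, Tuple

# Constructed ring model: link k joins IC k-1 to IC k; link 0 and link n_ics
# are the two MCU ports. A link in broken_links is open or shorted.
def reachable(n_ics: int, broken_links: Set[int]) -> Dict[int, str]:
    """Return {ic_index: direction} for every IC the MCU can still poll."""
    found: Dict[int, str] = {}
    # Forward pass: walk up from IC 0 until a broken link is hit
    for k in range(n_ics):
        if k in broken_links:
            break
        found[k] = "forward"
    # Reverse pass: enter through link n_ics and walk down from IC n_ics-1
    for k in range(n_ics - 1, -1, -1):
        if (k + 1) in broken_links:
            break
        found.setdefault(k, "reverse")   # prefer the forward path if both work
    return found

def poll_pack(readings: Dict[int, Tuple[float, float]],
              broken_links: Set[int]) -> dict:
    """Collect (V, T) readings over whichever direction still works.
    An IC that neither direction reaches is a safety-relevant fault: the BMS
    must not keep using stale values for cells it can no longer see."""
    n = len(readings)
    reach = reachable(n, broken_links)
    data = {k: readings[k] for k in reach}
    lost = [k for k in range(n) if k not in reach]
    return {"data": data, "direction": reach, "lost": lost, "safe": not lost}

# Constructed sample: four stacked monitoring ICs reporting (cell V, degC)
SAMPLE = {0: (3.30, 25.0), 1: (3.31, 26.0), 2: (3.29, 24.0), 3: (3.30, 25.0)}
```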
Functional safety is a common challenge faced by designers of EV batteries and BESS installations. Understanding the SOA of specific Li-ion batteries is foundational to achieving safe systems. There are different safety standards for EV batteries and BESS, but the general concepts of hazard identification and risk analysis apply in both cases. Designers can employ a variety of software and hardware approaches to efficiently and cost-effectively meet functional safety requirements.