The rapid evolution of automotive electronics has led to the development and integration of an increasing number of electrical systems and controllers into vehicles. While enabling advanced functionalities, this high level of integration can introduce potential safety hazards. At the core of this automotive electrification is the new energy vehicle, whose burgeoning development has been accompanied by safety incidents such as electric vehicle smoking, fire, and explosion. Apart from inherent design and manufacturing flaws in the battery cells, such catastrophic events are largely attributable to failures within the vehicle’s power battery system, specifically its “brain”—the Battery Management System (BMS).
To enhance the safety performance of new energy passenger vehicles, this article conducts a design study for the power battery system of electric vehicles based on the GB/T 34590-2022 “Road Vehicles – Functional Safety” series of standards. The approach begins from the perspective of function realization at the inception of the BMS design. It involves defining the item, performing hazard analysis and risk assessment based on failure modes within vehicle operation scenarios, determining safety goals, and subsequently deriving the functional safety requirements for the BMS. This methodology aims to eliminate, at the source, potential safety hazards such as vehicle smoke, fire, or explosion caused by the BMS.

1. The Functional Safety Standard: GB/T 34590
GB/T 34590 is the Chinese national standard adapted from ISO 26262. ISO 26262 itself was developed based on IEC 61508, tailored to meet the specific needs of the automotive industry’s electrical/electronic (E/E) systems, considering its unique distributed development model and product lifecycle. The GB/T 34590 series provides a comprehensive reference for all functional safety activities to be performed throughout the safety lifecycle (management, development, production, operation, service, decommissioning) of safety-related systems in series production road vehicles (excluding mopeds).
The standard is partitioned into multiple parts covering different phases of the development lifecycle. GB/T 34590.3-2022, “Part 3: Concept phase,” is particularly crucial as it establishes the functional safety concept at the vehicle level. The core activities in this phase are:
- Item Definition
- Hazard Analysis and Risk Assessment (HARA)
- Functional Safety Concept
2. Functional Safety Concept Phase Activities for the Power Battery System
2.1 Item Definition
The initial step is to define the “item”—a system or array of systems that implements a function at the vehicle level, or part of it. In this study, the Power Battery System (PBS) is defined as the item. The PBS comprises cells, modules, the Battery Management System (BMS), contactors, and other components. Its primary vehicle-level functions can be categorized into two major groups, represented by the functional keyword “Provide”:
- Provide Discharge Function: To supply electrical energy for vehicle propulsion and auxiliary loads.
- Provide Charging Function: To accept and store electrical energy from an external source.
The item definition must detail the item’s functionality, performance, boundary conditions, interfaces, environmental constraints, operational scenarios, and regulatory requirements. For the PBS, this includes specifying voltage/current ranges, temperature limits, communication protocols (e.g., with Vehicle Control Unit, Charger), and physical interactions with the vehicle chassis and thermal management system.
2.2 Hazard Analysis and Risk Assessment (HARA)
The HARA is a systematic process to identify potential hazards caused by malfunctioning behavior of the item and to classify the associated risks.
2.2.1 Identifying Malfunctioning Behavior
First, potential malfunctions of the item’s functions are identified. A common technique is a Hazard and Operability (HAZOP) study, in which guidewords are applied to the functional keywords. For the PBS’s “Provide Charging” function, the key parameters are state of charge (SoC), charging current, and battery temperature. An example HAZOP analysis is summarized in the table below.
| Guideword | Interpretation (Applied to “Provide Charging”) | Potential Malfunctioning Behavior |
|---|---|---|
| No Function | Loss of charging capability | Charging function is lost. |
| More Function / Higher | Output exceeds intended value | 1. Charged State (SoC) > intended limit (Overcharge). 2. Charging current > intended limit (Overcurrent). 3. Battery temperature during charge > intended limit (Overtemperature). |
| Less Function / Lower | Output is below intended value | 1. Charged State (SoC) < intended limit (Undercharge). 2. Charging current < intended limit. 3. Battery temperature during charge < intended limit. |
| Reverse Function | Function operates in opposite direction | Not Applicable (NA) for basic charging. |
| Unintended Function | Function occurs without demand | Charging initiates when battery voltage is critically low (post-deep discharge). |
| Stuck Function | Output is fixed at a specific value | 1. Charging current stuck at a high value. 2. Charging current stuck at a low/zero value. |
2.2.2 Identifying Hazards and Operational Scenarios
Each malfunction is analyzed to determine the potential hazard at the vehicle level. For a PBS, typical severe hazards include:
- Thermal runaway leading to vehicle smoke, fire, or explosion.
- Sudden loss of propulsion (for discharge-related failures).
These hazards are then evaluated within specific operational scenarios. Scenarios describe the vehicle’s operational mode and environment, including both correct use and reasonably foreseeable misuse. Key scenarios for a PBS include:
- Normal driving (highway, city, cornering).
- Vehicle stationary, unattended charging.
- Vehicle long-term parking.
- Collision (during and post-collision).
- Maintenance and service scenarios.
2.2.3 Risk Classification and ASIL Determination
For each identified hazard event (combination of malfunction and scenario), three risk parameters are assessed:
- Severity (S): The potential extent of harm to persons (S0: No injuries to S3: Life-threatening/fatal injuries).
- Exposure (E): The probability of the operational scenario (E0: Incredibly low to E4: High probability).
- Controllability (C): The ability of the driver or other persons to avoid harm (C0: Controllable in general to C3: Difficult to control or uncontrollable).
Based on the combination of S, E, and C ratings, an Automotive Safety Integrity Level (ASIL) is assigned to the hazard event. ASIL levels are A, B, C, and D, with D representing the highest integrity requirement. A hazard event with no safety relevance is classified as QM (Quality Management). The following table provides an example HARA for selected charging-related hazard events, considering the worst-case but plausible scenario (unattended charging).
| Hazard ID | Function | Malfunction | Hazardous Event | S | E | C | ASIL |
|---|---|---|---|---|---|---|---|
| HZD_01 | Provide Charging | Overcharge (SoC > limit) | Battery overcharge leads to lithium plating, internal short circuit, thermal runaway, resulting in vehicle fire/explosion. | S3 | E4 | C2 | C |
| HZD_02 | Provide Charging | Charging Overcurrent | Excessive charging current causes battery overheating and thermal runaway, resulting in vehicle fire/explosion. | S3 | E4 | C2 | C |
| HZD_03 | Provide Charging | Charging Overtemperature | High battery temperature during charge triggers thermal runaway, resulting in vehicle fire/explosion. | S3 | E4 | C2 | C |
| HZD_04 | Provide Charging | Charging at critically low voltage | Charging a deeply discharged battery can cause instability and thermal runaway, resulting in vehicle fire/explosion. | S3 | E4 | C2 | C |
Note: Rationale for E4: Charging is a frequent operation (likely multiple times per month). Rationale for C2: During unattended charging, the driver is not present to intervene, making controllability more difficult.
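To make the classification step reproducible, the following C program is an added example (not code from the article or from the standard itself) that encodes the full S/E/C to ASIL determination table of GB/T 34590.3 / ISO 26262-3, classifies the four charging-related hazardous events listed above, and derives the ASIL of the safety goal covering them as the highest ASIL among those events. It goes beyond the page in that it covers all S/E/C combinations, not only S3/E4/C2, and rejects out-of-range ratings instead of guessing. The event rows are the article’s own; the struct and function names are this example’s assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASIL classes ordered so that a larger value is a more stringent integrity
   requirement: QM < A < B < C < D. ASIL_INVALID flags malformed S/E/C input. */
typedef enum { ASIL_QM = 0, ASIL_A, ASIL_B, ASIL_C, ASIL_D, ASIL_INVALID } asil_t;

/* ASIL determination table of GB/T 34590.3 / ISO 26262-3, indexed as
   [S-1][E-1][C-1] for S1..S3, E1..E4, C1..C3. */
static const asil_t ASIL_TABLE[3][4][3] = {
    /* S1 */ { {ASIL_QM, ASIL_QM, ASIL_QM},   /* E1 */
               {ASIL_QM, ASIL_QM, ASIL_QM},   /* E2 */
               {ASIL_QM, ASIL_QM, ASIL_A },   /* E3 */
               {ASIL_QM, ASIL_A,  ASIL_B } }, /* E4 */
    /* S2 */ { {ASIL_QM, ASIL_QM, ASIL_QM},
               {ASIL_QM, ASIL_QM, ASIL_A },
               {ASIL_QM, ASIL_A,  ASIL_B },
               {ASIL_A,  ASIL_B,  ASIL_C } },
    /* S3 */ { {ASIL_QM, ASIL_QM, ASIL_A },
               {ASIL_QM, ASIL_A,  ASIL_B },
               {ASIL_A,  ASIL_B,  ASIL_C },
               {ASIL_B,  ASIL_C,  ASIL_D } },
};

/* Classify one hazardous event from its S, E and C ratings. Any parameter
   rated 0 (S0, E0 or C0) means no safety relevance, i.e. QM. Out-of-range
   values are rejected rather than clamped, so a mistyped HARA row can never
   silently yield a rating. */
asil_t determine_asil(int s, int e, int c)
{
    if (s < 0 || s > 3 || e < 0 || e > 4 || c < 0 || c > 3) return ASIL_INVALID;
    if (s == 0 || e == 0 || c == 0) return ASIL_QM;
    return ASIL_TABLE[s - 1][e - 1][c - 1];
}

const char *asil_name(asil_t a)
{
    static const char *names[] = { "QM", "ASIL A", "ASIL B", "ASIL C", "ASIL D", "INVALID" };
    return (a <= ASIL_INVALID) ? names[a] : "INVALID";
}

/* One row of the HARA table: hazard id, malfunction, scenario, S/E/C.
   (Hypothetical struct name chosen for this example.) */
typedef struct {
    const char *id;
    const char *malfunction;
    const char *scenario;
    int s, e, c;
} hazardous_event_t;

/* A safety goal inherits the highest ASIL of the hazardous events it
   addresses. Returns ASIL_INVALID if any row is malformed. */
asil_t safety_goal_asil(const hazardous_event_t *events, size_t n)
{
    asil_t worst = ASIL_QM;
    for (size_t i = 0; i < n; i++) {
        asil_t a = determine_asil(events[i].s, events[i].e, events[i].c);
        if (a == ASIL_INVALID) return ASIL_INVALID;
        if (a > worst) worst = a;
    }
    return worst;
}

/* The four charging-related rows of the article's HARA table, all assessed
   in the unattended-charging scenario; SG_01 covers all of them. */
const hazardous_event_t SG01_EVENTS[] = {
    { "HZD_01", "Overcharge (SoC > limit)",          "unattended charging", 3, 4, 2 },
    { "HZD_02", "Charging overcurrent",              "unattended charging", 3, 4, 2 },
    { "HZD_03", "Charging overtemperature",          "unattended charging", 3, 4, 2 },
    { "HZD_04", "Charging at critically low voltage","unattended charging", 3, 4, 2 },
};
#define SG01_EVENT_COUNT (sizeof(SG01_EVENTS) / sizeof(SG01_EVENTS[0]))

int main(void)
{
    for (size_t i = 0; i < SG01_EVENT_COUNT; i++) {
        const hazardous_event_t *h = &SG01_EVENTS[i];
        printf("%s  %-36s S%d E%d C%d -> %s\n", h->id, h->malfunction,
               h->s, h->e, h->c, asil_name(determine_asil(h->s, h->e, h->c)));
    }
    printf("SG_01 Avoid unexpected thermal runaway -> %s\n",
           asil_name(safety_goal_asil(SG01_EVENTS, SG01_EVENT_COUNT)));
    return 0;
}
```

Running it prints ASIL C for each of HZD_01 to HZD_04 and therefore ASIL C for SG_01. Changing C2 to C3 for the same S3/E4 event shows why the controllability argument in the note above matters: the same hazard would become ASIL D.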
3. Deriving the Functional Safety Concept for the Battery Management System (BMS)
3.1 Safety Goals
From the HARA results, one or more Safety Goals are defined for each hazardous event with an ASIL rating. The Safety Goal is a top-level safety requirement stating the prevention or mitigation of the hazardous event. For the PBS hazards analyzed above, the core safety goal can be formulated as:
SG_01: Avoid unexpected thermal runaway of the battery system. (ASIL C)
This safety goal originates from the analysis of overcharge, overcurrent, overtemperature, and improper charging conditions. Other safety goals might be derived for hazards related to the “Provide Discharge” function, such as “Avoid unexpected loss of propulsion” (which may have a different ASIL).
3.2 Functional Safety Requirements
In the functional safety concept, functional safety requirements (FSRs) are derived from the safety goals. These FSRs specify the safety functions, and the performance those functions must achieve, in order to meet the safety goal. They are allocated to preliminary architectural elements; for the PBS, that element is predominantly the BMS. The battery management system (BMS) is thus assigned the responsibility to implement these safety functions.
Based on safety goal SG_01, the following functional safety requirements can be derived for the BMS:
FSR_01: The battery management system (BMS) shall monitor individual cell voltage during all operational phases of the battery system. If the voltage exceeds the overvoltage threshold or falls below the undervoltage threshold, the BMS shall command the power battery system into a safe state (e.g., open contactors) within the Fault Tolerant Time Interval (FTTI). (ASIL C)
FSR_02: The battery management system (BMS) shall monitor the battery temperature during all operational phases. If the temperature exceeds the overtemperature threshold, the BMS shall command the power battery system into a safe state within the FTTI. (ASIL C)
FSR_03: The battery management system (BMS) shall monitor the battery system current during all operational phases. If the current exceeds the overcurrent threshold, the BMS shall command the power battery system into a safe state within the FTTI. (ASIL C)
3.3 Fault Tolerant Time Interval (FTTI) and Timing Constraints
A critical aspect of the functional safety requirement is the Fault Tolerant Time Interval (FTTI). The FTTI is the time span from the occurrence of a fault within the item to the point where a hazardous event could occur if no safety mechanism is activated. The safety mechanism (e.g., voltage monitoring) must detect the fault and execute the safe state transition within this interval. The total latency can be broken down as:
$$ \text{FTTI} \geq T_{\text{diagnosis}} + T_{\text{response}} $$
Where:
- $T_{\text{diagnosis}}$ is the diagnostic test interval plus detection time.
- $T_{\text{response}}$ is the time for the system to activate the safety mechanism and reach the safe state.
For example, consider the overcharge fault leading to thermal runaway. The FTTI defines the critical window. The battery management system (BMS) must complete its overvoltage diagnosis and command the contactors to open before the cell enters an irreversible state leading to thermal runaway. This timeline is conceptually shown below for an overcharge fault.
Time Progression for an Overcharge Fault:
1. $t_0$: Fault occurs (e.g., charger malfunction causes voltage to rise above safe limit).
2. $t_1$: Fault is detected by the BMS safety mechanism ($T_{\text{diagnosis}}$).
3. $t_2$: System reaches safe state (contactors open, charging stopped) ($T_{\text{response}}$).
4. $t_3$: Point of potential hazard (onset of thermal runaway) if no action was taken.
The constraint is: $(t_2 - t_0) < (t_3 - t_0) = \text{FTTI}$.
Determining the precise FTTI for each fault requires detailed analysis of battery cell chemistry and behavior under stress, often derived from tests specified in standards like GB/T 39086-2020.
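The following C program is an added example, not code from the article or from any BMS product, that implements the monitoring-and-shutdown behaviour of FSR_01 to FSR_03 as a periodic task and then checks the timing constraint of this section against it. All thresholds, the 10 ms task period, the three-sample fault qualification, the 30 ms contactor response and the 500 ms FTTI are constructed values chosen for illustration, as are the function and type names. The point it demonstrates is that the worst-case $T_{\text{diagnosis}}$ of a sampled monitor is the qualification count times the task period, and that this plus $T_{\text{response}}$ must stay below the FTTI; it replays the overcharge timeline ($t_0$ to $t_2$) to show that the measured reaction stays inside that budget.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Thresholds and timings are constructed illustrative values for this example,
   not figures from the article or from any cell datasheet. */
#define NUM_CELLS                   4
#define CELL_OV_THRESHOLD_MV     4250   /* FSR_01 overvoltage threshold  */
#define CELL_UV_THRESHOLD_MV     2500   /* FSR_01 undervoltage threshold */
#define OVERTEMP_THRESHOLD_DC      60   /* FSR_02, degrees Celsius       */
#define OVERCURRENT_THRESHOLD_MA 150000 /* FSR_03, 150 A                 */
#define SAMPLE_PERIOD_MS           10   /* period of the monitoring task */
#define QUALIFY_SAMPLES             3   /* consecutive violating samples needed to confirm a fault */
#define CONTACTOR_OPEN_TIME_MS     30   /* T_response: contactors open and opening is confirmed */
#define FTTI_MS                   500   /* assumed FTTI for the overcharge hazard */

typedef struct { int32_t cell_mv[NUM_CELLS]; int32_t temp_dc; int32_t current_ma; } sample_t;
typedef enum { FAULT_NONE = 0, FAULT_OVERVOLTAGE, FAULT_UNDERVOLTAGE, FAULT_OVERTEMP, FAULT_OVERCURRENT } fault_t;

typedef struct {
    fault_t  pending;         /* fault type seen in the current run of samples */
    int      qualify_count;   /* length of that run */
    bool     safe_state;      /* contactors have been commanded open */
    fault_t  fault;           /* confirmed fault that triggered the safe state */
    uint32_t t_safe_state_ms; /* t2: time at which the safe state is reached */
} bms_monitor_t;

/* Compare one measurement set against the FSR thresholds. */
static fault_t check_sample(const sample_t *s)
{
    for (int i = 0; i < NUM_CELLS; i++) {
        if (s->cell_mv[i] > CELL_OV_THRESHOLD_MV) return FAULT_OVERVOLTAGE;
        if (s->cell_mv[i] < CELL_UV_THRESHOLD_MV) return FAULT_UNDERVOLTAGE;
    }
    if (s->temp_dc > OVERTEMP_THRESHOLD_DC) return FAULT_OVERTEMP;
    if (s->current_ma > OVERCURRENT_THRESHOLD_MA || s->current_ma < -OVERCURRENT_THRESHOLD_MA)
        return FAULT_OVERCURRENT;
    return FAULT_NONE;
}

/* One run of the periodic monitoring task at time now_ms. A fault is only
   acted on after QUALIFY_SAMPLES consecutive samples of the same type, so a
   single measurement glitch does not open the contactors. Returns true once
   the safe state has been commanded. */
bool bms_monitor_step(bms_monitor_t *m, const sample_t *s, uint32_t now_ms)
{
    if (m->safe_state) return true;
    fault_t f = check_sample(s);
    if (f == FAULT_NONE) { m->pending = FAULT_NONE; m->qualify_count = 0; return false; }
    if (f != m->pending) { m->pending = f; m->qualify_count = 0; }
    if (++m->qualify_count >= QUALIFY_SAMPLES) {
        m->fault = f;
        m->safe_state = true;
        m->t_safe_state_ms = now_ms + CONTACTOR_OPEN_TIME_MS;  /* T_diagnosis done; add T_response */
    }
    return m->safe_state;
}

/* Worst-case T_diagnosis + T_response of this mechanism. The worst case for
   detection is a fault appearing just after a sample was taken: it is first
   seen one period later and confirmed QUALIFY_SAMPLES periods after onset. */
uint32_t worst_case_reaction_ms(void)
{
    return QUALIFY_SAMPLES * SAMPLE_PERIOD_MS + CONTACTOR_OPEN_TIME_MS;
}

/* The constraint of section 3.3: (t2 - t0) must stay below the FTTI. */
bool fulfils_ftti(uint32_t ftti_ms) { return worst_case_reaction_ms() < ftti_ms; }

/* Replay the overcharge timeline with constructed samples: cells sit at
   4100 mV until fault_at_ms, after which a charger malfunction drives cell 2
   to 4300 mV. Returns the measured t2 - t0, or UINT32_MAX if the safe state
   was never reached within sim_len_ms. */
uint32_t simulate_overcharge_fault(uint32_t fault_at_ms, uint32_t sim_len_ms)
{
    bms_monitor_t m = { FAULT_NONE, 0, false, FAULT_NONE, 0 };
    for (uint32_t now = 0; now <= sim_len_ms; now += SAMPLE_PERIOD_MS) {
        sample_t s = { {4100, 4100, 4100, 4100}, 35, 50000 };
        if (now >= fault_at_ms) s.cell_mv[2] = 4300;
        if (bms_monitor_step(&m, &s, now)) return m.t_safe_state_ms - fault_at_ms;
    }
    return UINT32_MAX;
}

int main(void)
{
    uint32_t t0 = 105;  /* fault just after the sample at 100 ms: the worst case */
    uint32_t reaction = simulate_overcharge_fault(t0, 1000);
    printf("t0 = %u ms, t2 = %u ms, t2 - t0 = %u ms\n",
           (unsigned)t0, (unsigned)(t0 + reaction), (unsigned)reaction);
    printf("worst-case budget %u ms %s FTTI %u ms\n", (unsigned)worst_case_reaction_ms(),
           fulfils_ftti(FTTI_MS) ? "<" : ">=", (unsigned)FTTI_MS);
    return 0;
}
```

With the constructed values the fault at 105 ms is first seen at 110 ms, confirmed at 130 ms ($t_1$) and the safe state is reached at 160 ms ($t_2$), i.e. 55 ms after $t_0$, inside the 60 ms worst-case budget and well below the assumed 500 ms FTTI. Raising QUALIFY_SAMPLES or the task period to suppress noise lengthens $T_{\text{diagnosis}}$ directly, which is why the qualification strategy and the FTTI derived from cell testing have to be decided together rather than independently.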
3.4 Safe State and Functional Safety Architecture
The functional safety concept also defines the “safe state” for the item. For the PBS, the typical safe state is to interrupt the high-voltage energy flow by opening the main contactors, thereby isolating the battery pack. The preliminary safety architecture outlines how the BMS will fulfill the FSRs. This involves:
- Sensing: Redundant or diverse sensors for voltage, temperature, current.
- Processing: Independent monitoring channels or microcontrollers with sufficient diagnostic coverage (e.g., hardware comparators for voltage limits alongside software monitoring).
- Actuation: Control of contactor drivers with feedback monitoring to ensure the safe state is achieved.
The derived FSRs, their ASIL ratings, and the preliminary architectural allocation form the foundation for the next development phase, the system-level design. There, technical safety requirements will be specified for the battery management system (BMS) hardware and software so that the safety functions are implemented with the required integrity.
4. Conclusion
Adhering to the GB/T 34590 (ISO 26262) standard provides a systematic and rigorous framework for developing safe automotive E/E systems. For the critical power battery system in electric vehicles, the concept phase activities—Item Definition, Hazard Analysis and Risk Assessment, and formulation of the Functional Safety Concept—are foundational. By rigorously analyzing potential malfunctions like overcharge, overcurrent, and overtemperature within realistic operational scenarios, top-level safety goals such as “Avoid unexpected thermal runaway” are established. These safety goals, with their associated ASIL C rating, drive the derivation of specific, allocated functional safety requirements for the Battery Management System (BMS). These requirements mandate that the battery management system (BMS) implement timely monitoring and shutdown safeguards within strict fault tolerant time intervals. This structured approach, initiated at the concept level, is essential for embedding functional safety into the BMS design from the outset, thereby mitigating the risk of severe incidents and contributing significantly to the overall safety of electric vehicles.
