Status: DESIGN
Rev: 0.1-DRAFT
SUBSYSTEM · DESIGN IN PROGRESS
Subsystem Deep Dive · EVO vHIL Platform

BMS Architecture
Battery Management System

The system responsible for energy control, safety enforcement, and state orchestration within the EVO vHIL platform.

PREVIEW · Full architecture release coming soon

  • HV Traction Pack: 84S
  • LV Auxiliary Pack: 4S
  • Topology: Master / Slave (M / S)
  • Target Integrity: ASIL D

Safety Goals

Top-level safety requirements derived from Hazard Analysis and Risk Assessment. Each goal carries an ASIL integrity level and governs all downstream technical safety concepts for this subsystem.

SG-BMS-01 · Prevent uncontrolled HV energy release
The BMS shall prevent hazardous voltage exposure to passengers and service personnel under all operating conditions, including contactor failure and isolation faults.

SG-BMS-02 · Prevent thermal runaway propagation
The BMS shall detect and respond to cell-level thermal anomalies before propagation across the pack, enforcing controlled shutdown within defined time bounds.

SG-BMS-03 · Maintain 12V rail survivability
The control system must remain operational even after total traction system failure.

SG-BMS-04 · Ensure safe state reachability
Upon detection of any safety-relevant fault, the BMS shall transition to a defined safe state within the fault-tolerant time interval (FTTI) without driver action.

SG-BMS-05 · Prevent overcharge and deep discharge
Cell voltage and SoC boundaries shall be enforced in hardware and software. Charging and load contactor control shall be independently monitored for correctness.

SG-BMS-06 · Correct state reporting to VCU
SoC, SoH, fault status, and contactor state transmitted to the Vehicle Control Unit over CAN shall be accurate, timely, and detectable as erroneous when corrupted.
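SG-BMS-06 asks that corrupted status data on the CAN link be detectable by the VCU, and SG-BMS-05 asks that SoC boundaries be enforced in software. The C example below is added here to show one standard way of meeting those requirements on the receiving side: an alive counter plus a CRC over the payload (the pattern used by end-to-end protection profiles), with the decoder refusing any frame whose CRC, counter sequence or value range fails. It is not code from the EVO vHIL project; the 8-byte frame layout, the CRC-8 polynomial 0x1D, the percent encoding of SoC/SoH and the sample values are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed 8-byte CAN payload layout (constructed for this example, not the
 * project's real signal map):
 *   [0] SoC in %      [1] SoH in %       [2] fault flags   [3] contactor state
 *   [4..5] reserved   [6] alive counter (low nibble)       [7] CRC-8 over [0..6]
 */
#define BMS_FRAME_LEN 8
#define BMS_COUNTER_MASK 0x0F

typedef struct {
    uint8_t soc_pct;          /* 0..100 */
    uint8_t soh_pct;          /* 0..100 */
    uint8_t fault_flags;      /* opaque bitfield in this example */
    uint8_t contactor_state;  /* opaque enum value in this example */
} bms_status_t;

/* CRC-8 with polynomial 0x1D (SAE J1850), init 0xFF, final XOR 0xFF.
 * The polynomial choice is an assumption for the example. */
static uint8_t crc8_j1850(const uint8_t *data, size_t len) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++) {
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x1D) : (uint8_t)(crc << 1);
        }
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* BMS side: serialise the status, stamp the alive counter, then seal with CRC.
 * The counter advances once per transmitted frame, so a stuck or replayed
 * frame is distinguishable from fresh data. */
void bms_encode_frame(const bms_status_t *st, uint8_t *tx_counter, uint8_t out[BMS_FRAME_LEN]) {
    memset(out, 0, BMS_FRAME_LEN);
    out[0] = st->soc_pct;
    out[1] = st->soh_pct;
    out[2] = st->fault_flags;
    out[3] = st->contactor_state;
    out[6] = *tx_counter & BMS_COUNTER_MASK;
    out[7] = crc8_j1850(out, BMS_FRAME_LEN - 1);
    *tx_counter = (uint8_t)((*tx_counter + 1) & BMS_COUNTER_MASK);
}

typedef enum {
    BMS_RX_OK = 0,
    BMS_RX_CRC_FAIL,   /* payload or CRC byte corrupted in transit */
    BMS_RX_STALE,      /* counter did not advance by one: repeat, replay or lost frame */
    BMS_RX_RANGE       /* CRC and counter fine, but a value is physically implausible */
} bms_rx_result_t;

typedef struct {
    uint8_t last_counter;
    bool have_last;
} bms_rx_state_t;

/* VCU side: a frame is trusted only when CRC, counter sequence and value
 * ranges all check out. Any other outcome should be treated by the VCU as
 * "BMS status unknown", not as the last good value. */
bms_rx_result_t bms_decode_frame(bms_rx_state_t *rx, const uint8_t in[BMS_FRAME_LEN], bms_status_t *out) {
    if (crc8_j1850(in, BMS_FRAME_LEN - 1) != in[BMS_FRAME_LEN - 1]) {
        return BMS_RX_CRC_FAIL;  /* counter state untouched: the frame is untrusted */
    }
    uint8_t ctr = in[6] & BMS_COUNTER_MASK;
    bool sequence_ok = !rx->have_last || ctr == ((rx->last_counter + 1) & BMS_COUNTER_MASK);
    /* Resynchronise on the received counter even on a miss, so one lost frame
     * costs one flagged frame rather than a permanently broken link. */
    rx->last_counter = ctr;
    rx->have_last = true;
    if (!sequence_ok) {
        return BMS_RX_STALE;
    }
    if (in[0] > 100 || in[1] > 100) {
        return BMS_RX_RANGE;
    }
    out->soc_pct = in[0];
    out->soh_pct = in[1];
    out->fault_flags = in[2];
    out->contactor_state = in[3];
    return BMS_RX_OK;
}

int main(void) {
    bms_status_t st = { 80, 97, 0x00, 0x03 };  /* constructed sample values */
    uint8_t tx_counter = 0, frame[BMS_FRAME_LEN];
    bms_rx_state_t rx = { 0, false };
    bms_status_t got;

    bms_encode_frame(&st, &tx_counter, frame);
    printf("fresh frame:     %d\n", bms_decode_frame(&rx, frame, &got));  /* 0 = OK */
    printf("replayed frame:  %d\n", bms_decode_frame(&rx, frame, &got));  /* 2 = STALE */
    frame[0] ^= 0x40;                                                      /* simulate a bit flip */
    printf("corrupted frame: %d\n", bms_decode_frame(&rx, frame, &got));  /* 1 = CRC_FAIL */
    return 0;
}
```

The three rejection classes map onto the three failure modes SG-BMS-06 names: CRC failure covers "corrupted", the counter check covers "timely" (a frozen or replayed frame is not fresh data), and the range check is a cheap software enforcement of the SoC boundary from SG-BMS-05 on the consumer side. What the VCU does after a rejection (hold last value, degrade, or request safe state) belongs to the FSC and is deliberately not decided here.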

This is being designed.

Full documentation is under active development. The architecture below will be published in detail — with design rationale traced directly to the safety goals above.

Topics will include

  • Master / Slave Architecture — distributed cell monitoring hierarchy
  • Dual-pack architecture — HV Traction (84S) + LV Auxiliary (4S)
  • 12V rail survivability under catastrophic HV loss
  • Contactor sequencing and pre-charge state machine logic
  • Fault detection, isolation, and controlled shutdown
  • Passive and active cell balancing · energy flow design
Designed for systems where failure is not an option.

Documentation completion in progress · Rev 0.1
Battery Management System · EVO vHIL Platform · Architecture Phase · ISO 26262:2018-informed

Planned documentation

WP-01 · HARA
Hazard Analysis and Risk Assessment — hazardous events, severity, exposure, and controllability classifications across all operating modes.

WP-02 · Functional Safety Concept
FSC derived from safety goals — functional safety requirements, safe states, FTTI definition, and emergency operation strategy.

WP-03 · Technical Safety Concept
HW/SW allocation, diagnostic coverage targets, freedom from interference, and hardware architectural metrics — SPFM and LFM.

WP-04 · State Machine Specification
Formal contactor and BMS state machine — pre-charge, drive, charge, fault, and shutdown states with transition guards and timing constraints.

WP-05 · Fault Detection Catalogue
Per-fault entries: detection mechanism, diagnostic coverage class, reaction time, safe state trigger, and CAN fault code mapping to VCU.

WP-06 · Balancing & Energy Flow
Passive and active balancing topology, SoC estimation strategy, energy throughput limits, and dual-pack coordination logic.

This is where system-level behavior meets real-world constraints.

Every design decision in this subsystem is bounded by physics, chemistry, and the hard timing guarantees required by ISO 26262 for ASIL D systems. Documentation will expose not just what the system does — but why each constraint exists.