Functional Safety

Considerations in Battery
Management for Vehicle
Electrification

David Tatman
Systems Engineer
Battery Management Systems
Texas Instruments
Li-ion batteries in electric vehicles need to operate
within a limited range of temperatures and operating
voltages for the best performance and safest operation.

de-carbonization targets requires the electrification of the

At a glance
majority of transportation systems. Spreading the costs of
electric vehicle (EV) development and production over the
This paper examines battery monitor increasing numbers of EVs planned means that EV prices are
considerations to meet functional safety falling fast and approaching internal combustion engine (ICE)
standards in electric vehicles. vehicle prices.

Safety considerations for a battery system in a passenger

1 EV requirements for battery

management systems
vehicle are multifaceted. There are important traditional
electrical safety considerations for keeping production
Changing market conditions are workers, owners, mechanics and vehicle recyclers safe from
driving higher standards for safety
high-voltage exposure and shock. There are mechanical
requirements.
considerations for protecting battery cells from puncture
and impact damage and for containing liquids and gases
2 Monitoring battery cell
voltage and temperature that could leak or vent from the cells. There are thermal
safety considerations in the battery pack design, since
High-accuracy battery monitors help
ensure the most rigorous functional Li-ion batteries operate safely and most efficiently in a more
safety standards are met. restricted temperature range than temperatures present in

3
an ICE vehicle. There are functional safety considerations
Designing for redundancy for the electrical system that maintains the battery in a safe
Redundant communication protocols operating range while the vehicle is in use or charging.
provide fault tolerance and ensure the
state of health and safety of the battery Monitoring battery cell voltage and
pack. temperature
Li-ion batteries (as shown in Figure 1) need to operate within
a limited range of temperatures and operating voltages for
EV requirements for battery management
the best performance and safest operation. This range is
systems
unique for each type of Li-ion battery chemistry. Outside of
The world is in the midst of a transportation revolution. this range, undesirable side reactions may occur within the
Advances in lithium-ion (Li-ion) battery technology in the battery that can lead to excessive self-heating and perhaps
past two decades have made it possible to envision a future longer-term, internal electrical shorts. Excessive self-heating
where electricity is stored in battery packs that power cars, and internal shorts can be a first step to cascading thermal
motorcycles, trucks and buses. runaway and an eventual safety hazard. In order to maintain
In parallel, de-carbonization of the energy economy is a battery packs in that safe operating range, battery monitoring
high priority in many parts of the world. It is much easier to application-specific integrated circuits (ASICs) measure and
reduce emissions a vehicle’s energy source at the power transmit information about voltage, temperature and current
grid generation level than at the vehicle level. Achieving flow to a battery control unit.

Functional Safety Considerations in Battery Management for 2 September 2020

Vehicle Electrification
 for the development of safety-related systems for passenger
vehicles, trucks, buses and motorcycles.

In some automotive systems, a loss of functionality cannot

lead to a hazard. In the case of a malfunction within the
system, the safe state for the system is for the electronics to
switch off and the driver to be alerted through a dashboard
light or other indicator. However, in some systems a
malfunction or the loss of functionality can potentially lead to
a hazardous event. For systems that cannot simply switch
off, safety goals may include specifying a “safety-related
availability” requirement. In that case, a tolerance for some

Figure 1. A battery pack in an EV. types of faults in the system for a period of time may be
required to avoid hazardous events.

In an electrified passenger vehicle, there may be 16, 96 Safety-related availability in this context is the system’s ability
or 128 battery cells or more to measure. In a commercial to provide safety functionality for some specified period of
vehicle, the total cells may be double those amounts. time even in the presence of defined fault conditions. In
Such large systems have many printed circuit board other words, the safety system has to tolerate a fault for
(PCB) connections, where faults can occur between the a period of time. This fault tolerance enables the system
battery and the monitoring ASIC, or in the communication to continue functioning longer with an acceptable level of
connections between ASICs. The sensor input may open safety. Part 10, Section 12 of ISO 26262 provides guidance
or communication may be lost. Without the necessary for system developers regarding safety-related availability
measurements and communications, the battery control requirements.
system is “blind” and can no longer manage the state of the Returning to the battery monitoring subsystem, battery cell
batteries in the pack. voltage and temperature sense locations connect to the
Detecting and addressing malfunctions like a communication battery-monitoring ASIC. The measurement information is
fault or battery cell to sensor connection faults avoiding frequently read by the control processor to calculate the
hazardous events is a part of functional safety. current state of the battery and to help ensure that operation
remains within a safe range. For high-voltage battery
Functional safety is the part of comprehensive safety related
packs, the monitoring ASICs are arranged in a stacked
to the prevention and mitigation of potential hazardous
configuration, with each ASIC measuring multiple cells in
events caused by the malfunctioning behavior of electronic
parallel. Commands and data are streamed from ASIC to
systems. In the automotive industry, the International
ASIC using an isolated communication interface, as shown
Organization for Standardization (ISO) 26262 series of
in Figure 2.
standards for road vehicle functional safety defines the
current state of the art and functional safety best practices

Functional Safety Considerations in Battery Management for 3 September 2020

Vehicle Electrification
 Battery modules
+ + + + + + + + + + + + + + + +

12 V

Balance and filter components Balance and filter components

DC-DC

To CAN MCU BQ79600 BQ7961x BQ7961x

bus NFAULT NFAULT
UART or UART or
SPI SPI
COML COMH COML COMH COML COMH

Isolation Capactive
components level-shifted differential interface

Figure 2. A battery monitoring and communication configuration.

Designing for redundancy redundant battery voltage measurement path that can
provide fault tolerance for these types of faults, enabling the
Should an open circuit occur between the battery cell input
system to continue monitoring the state of health and safety
pin and the PCB while driving, a loss of functionality of the
of the battery pack.
battery monitoring system can occur and potentially lead to
a hazardous event. The Texas Instruments BQ79606A-Q1 Figure 3 illustrates the BQ79616-Q1 connection using
and BQ79616-Q1 families of battery monitoring ASICs a bidirectional ring configuration. In this configuration, if
includes features for ring communication, as well as a there is a fault, open or short between two of the battery

Battery modules
+ + + + + + + + + + + + + + + +

12 V

Balance and filter components Balance and filter components

DC-DC

To CAN MCU BQ79600 BQ7961x BQ7961x

bus NFAULT NFAULT
UART or UART or
SPI SPI
COML COMH COML COMH COML COMH

Isolation Capactive
components level-shifted differential interface

Optional ring connection

Figure 3. A bidirectional ring configuration with the BQ79616.

Functional Safety Considerations in Battery Management for 4 September 2020

Vehicle Electrification
monitoring ASICs, the control processor will continue
Device
communicating with all of the battery monitoring ASICs
switching the direction of messaging backward and forward.
While normal communication is faulted, the system can RVC VC
maintain availability using the fault tolerance of the ring
VC ADC
communication feature – with no loss of voltage and + CB
RCB
temperature information coming from the battery modules.

Another feature in TI’s BQ79606-Q1 and BQ79616-Q1 is the RVC

redundant analog-to-digital converter (ADC) measurement VC
CB ADC
path using cell balance input pins connected to the battery RCB CB
+
cell. Figure 4 illustrates the connection from the battery
cell to the VC and CB input pins. Normally, the CB pins RVC
enable a DC current load on the cell in order to balance VC
the voltages between cells. During normal measurement CB
RCB
operation, both the main VC ADC path and redundant CB
ADC path connect to the battery cell and can measure the
battery cell voltage. With this feature, if there is a fault like an
Figure 4. Connection from the battery cell to the VC and CB inputs.
open VC pin connection to the RCB or an open RVC resistor,
the CB ADC path will continue measuring the battery cell Summary
voltage. While normal voltage measurement is faulted, the
Much like the beginning of the transition from animal-drawn
system can maintain availability using the fault tolerance of
wagons to motors in the early 20th century, today there are
the redundant ADC path feature – with no loss of voltage
a wide range of vehicle solutions being developed to provide
information coming from the battery modules.
the most benefit to society. For electrified transportation
These ring communication and redundant path features, systems, safety requirements are essential.
along with a wide range of diagnostic safety mechanisms for
detecting communication and connection faults during EV Additional resources:
battery cell voltage and temperature sensing, are included • TI’s functional safety technology page
in both the TI BQ79606-Q1 and BQ79616-Q1 device family
• BQ79606A-Q1 Daisy Chain Communication Timing
for systematic functional safety capability up to Automotive
Safety Integrity Level (ASIL) D. • BQ7961x-Q1 data sheet

Important Notice: The products and services of Texas Instruments Incorporated and its subsidiaries described herein are sold subject to TI’s standard terms and conditions of sale.
Customers are advised to obtain the most current and complete information about TI products and services before placing orders. TI assumes no liability for applications assistance,
customer’s applications or product designs, software performance, or infringement of patents. The publication of information regarding any other company’s products or services does not
constitute TI’s approval, warranty or endorsement thereof.

All trademarks are the property of their respective owners.

© 2020 Texas Instruments Incorporated XXXX000

 IMPORTANT NOTICE AND DISCLAIMER

TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATASHEETS), DESIGN RESOURCES (INCLUDING REFERENCE
DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES “AS IS”
AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD
PARTY INTELLECTUAL PROPERTY RIGHTS.
These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate
TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable
standards, and any other safety, security, or other requirements. These resources are subject to change without notice. TI grants you
permission to use these resources only for development of an application that uses the TI products described in the resource. Other
reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third
party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims,
damages, costs, losses, and liabilities arising out of your use of these resources.
TI’s products are provided subject to TI’s Terms of Sale (www.ti.com/legal/termsofsale.html) or other applicable terms available either on
ti.com or provided in conjunction with such TI products. TI’s provision of these resources does not expand or otherwise alter TI’s applicable
warranties or warranty disclaimers for TI products.

Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265
Copyright © 2020, Texas Instruments Incorporated