Pack Voltage: 400V
Safety Level: ASIL-B
SoC Accuracy: ±1%
Protocol: CANopen
Platform: STM32G474 · ARM Cortex-M4 @ 170 MHz
RTOS: FreeRTOS 10.4 with MPU protection
Cell Chemistry: NMC Li-ion · 96S4P configuration
Comms: CANopen + CAN FD · LIN for aux sensors
Safety: ISO 26262 ASIL-B · IEC 61508 SIL-2
Balancing: Passive dissipation + Active bypass
Estimation: Extended Kalman Filter + Coulomb counting
Project Overview
Designed and implemented the complete BMS firmware stack for a 96S4P (400V) NMC lithium-ion battery pack used in a series-production electric vehicle. The system handles all safety-critical functions from cell monitoring to CAN communication with the vehicle ECU.
Key Challenges
- ASIL-B compliance — Implemented redundant voltage measurement paths, end-to-end CRC checks on all CAN messages, and software-level diagnostics meeting ISO 26262 Part 6 requirements.
- SoC accuracy under dynamic loads — Pure Coulomb counting drifts under temperature variation and aging. Implemented an Extended Kalman Filter that fuses current integration with OCV measurements during relaxation periods, achieving ±1% accuracy across the full SoC range.
- Cell balancing during charging — Passive balancing with intelligent threshold management: the firmware balances only when the pack is in the CV phase of charging, to avoid wasted energy during driving.
SoC Estimation Algorithm
/* EKF predict step — called every 100ms */
void bms_ekf_predict(EKF_t *ekf, float current_A, float dt_s) {
    /* State: SoC (0.0 to 1.0) */
    ekf->x -= (current_A * dt_s) / PACK_CAPACITY_AS;
    ekf->x = fclampf(ekf->x, 0.0f, 1.0f);
    ekf->P += ekf->Q; /* Covariance propagation */
}

/* EKF update step — triggered when current < 1A (relaxed) */
void bms_ekf_update(EKF_t *ekf, float v_terminal) {
    float v_ocv = ocv_lookup(ekf->x, bms.temp_avg_C);
    float H = docv_dsoc(ekf->x); /* Jacobian */
    float S = H * ekf->P * H + ekf->R;
    float K = ekf->P * H / S; /* Kalman gain */
    ekf->x += K * (v_terminal - v_ocv);
    ekf->P = (1.0f - K * H) * ekf->P;
}
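The following is an added example, not the project's firmware: a self-contained version of the same scalar predict/update pair, run against a constructed scenario in which the current sensor reads 5% low so that Coulomb counting drifts and the OCV update at rest pulls the estimate back. The `ex_` names, the 10 Ah capacity, the linear OCV curve (temperature ignored) and the noise values are all assumptions; the update also rejects a non-finite voltage and clamps SoC after correction, two guards the excerpt above does not show.

```c
#include <math.h>   /* isfinite */

/* Added example: every name and constant here is an assumption, not project code. */
#define EX_CAPACITY_AS (10.0f * 3600.0f)   /* constructed 10 Ah capacity in A*s */

typedef struct { float x, P, Q, R; } ex_ekf_t;  /* SoC, variance, process/meas. noise */

static float ex_clamp01(float v) { return v < 0.0f ? 0.0f : (v > 1.0f ? 1.0f : v); }

/* Constructed linear per-cell OCV curve: 3.0 V empty, 4.2 V full. */
static float ex_ocv(float soc) { return 3.0f + 1.2f * soc; }
static float ex_docv_dsoc(float soc) { (void)soc; return 1.2f; }

/* Predict: Coulomb counting, positive current = discharge. */
void ex_predict(ex_ekf_t *e, float current_A, float dt_s) {
    e->x = ex_clamp01(e->x - (current_A * dt_s) / EX_CAPACITY_AS);
    e->P += e->Q;
}

/* Update: returns 1 if the voltage was used, 0 if it was rejected. */
int ex_update(ex_ekf_t *e, float v_terminal) {
    float H = ex_docv_dsoc(e->x);
    float S = H * e->P * H + e->R;
    if (!isfinite(v_terminal) || !(S > 0.0f)) return 0;  /* keep state intact */
    float K = e->P * H / S;
    e->x = ex_clamp01(e->x + K * (v_terminal - ex_ocv(e->x)));
    e->P = (1.0f - K * H) * e->P;
    return 1;
}

/* 1 h of true 5 A discharge while the current sensor reads 5% low, then
   rest_updates noise-free OCV readings. Returns estimate minus true SoC;
   *err_before receives the same error before the rest period. */
float ex_drift_scenario(int rest_updates, float *err_before) {
    ex_ekf_t e = { 1.0f, 1e-4f, 1e-7f, 1e-4f };
    float true_soc = 1.0f;
    for (int i = 0; i < 36000; i++) {          /* 100 ms steps */
        true_soc -= (5.0f * 0.1f) / EX_CAPACITY_AS;
        ex_predict(&e, 5.0f * 0.95f, 0.1f);
    }
    *err_before = e.x - true_soc;
    for (int i = 0; i < rest_updates; i++)
        ex_update(&e, ex_ocv(true_soc));
    return e.x - true_soc;
}
```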
Architecture
- Hardware — STM32G474 with hardware floating-point, paired with LTC6812 AFE for cell voltage and temperature measurement
- RTOS — FreeRTOS with 5 priority levels: Safety Monitor (highest), Cell Sampling, State Estimation, CAN Communication, Diagnostics
- Communication — CANopen DS301/DS305 with 4 TPDOs for telemetry and 2 RPDOs for control commands
- NVM — Coulomb counter and SoH data stored in internal Flash with wear-leveling across 16 sectors
Test & Validation
- HIL testing with National Instruments cRIO simulating cell voltages and temperatures
- 600+ hours of continuous operation validation on battery pack emulator
- Fault injection testing covering 47 fault modes (OV, UV, OT, OC, wire-off, AFE fault)
- MISRA-C 2012 compliance verified with PC-lint Plus