System Architecture

Layered, Loosely Coupled
Six-Layer Stack

Each layer operates in an isolated execution environment. Failures in any single layer — especially the UI — cannot compromise core powertrain safety logic.

System Layers

| # | Layer | Component | Technology | Isolation |
|---|-------|-----------|------------|-----------|
| L1 | Embedded Powertrain | Pre-Production BMS Firmware (84S HV + 4S LV) | Custom C / RTOS | Full |
| L2 | Simulation Environment | MCU Hardware Emulator | Renode | Full |
| L3 | Communication Bridge | Middleware Protocol Translator | Python / Socket I/O | Process |
| L4 | Control & Safety | VCU Safety Daemon | Native C++ / AAOS | Full |
| L5 | CCS Charging Interface | Linux User-Space SPI Driver + PLC Modem | spidev / ISO 15118 | Full |
| L6 | Application | Dashboard UI | VHAL / Android UI | One-Way IPC |

The UI application layer receives powertrain state via one-way UDP broadcast only. A crash, freeze, or memory corruption in the UI process cannot propagate upstream to affect the VCU safety loop.
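The one-way path described above, as an added example that is not EVO project code: the VCU side serialises a fixed-size telemetry frame and broadcasts it with a non-blocking send, so a stalled or absent UI can never hold up the safety loop, and the UI side parses defensively, dropping anything malformed. The frame layout, the "EVO1" magic, the port number and the Fletcher-16 checksum are all assumptions of this example.

```c
/* Added example (not EVO project code): a one-way powertrain telemetry frame as
 * the VCU daemon might broadcast it to the dashboard UI over UDP. Frame layout,
 * magic value, port and checksum are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define TELEM_MAGIC 0x45564F31u   /* "EVO1", assumed frame identifier */
#define TELEM_LEN   18            /* fixed wire size: 16 payload bytes + 2 checksum */

typedef struct {
    uint32_t seq;       /* monotonically increasing; lets the UI notice lost frames */
    uint16_t hv_dv;     /* HV pack voltage, 0.1 V units */
    uint16_t lv_dv;     /* LV pack voltage, 0.1 V units */
    int16_t  soc_pct;   /* state of charge, percent */
    uint8_t  state;     /* contactor state code (assumed: 3 = DRIVE) */
    uint8_t  faults;    /* fault bitmask */
} telem_t;

/* Fletcher-16 over the payload. Detects corruption on the wire, not tampering. */
static uint16_t fletcher16(const uint8_t *d, size_t n) {
    uint16_t a = 0, b = 0;
    for (size_t i = 0; i < n; i++) { a = (uint16_t)((a + d[i]) % 255); b = (uint16_t)((b + a) % 255); }
    return (uint16_t)((b << 8) | a);
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Wire layout: magic(4) seq(4) hv(2) lv(2) soc(2) state(1) faults(1) csum(2). */
size_t telem_encode(const telem_t *t, uint8_t out[TELEM_LEN]) {
    put32(out, TELEM_MAGIC);
    put32(out + 4, t->seq);
    put16(out + 8, t->hv_dv);
    put16(out + 10, t->lv_dv);
    put16(out + 12, (uint16_t)t->soc_pct);
    out[14] = t->state;
    out[15] = t->faults;
    put16(out + 16, fletcher16(out, 16));
    return TELEM_LEN;
}

/* UI side. Returns 0 on success, -1 for any malformed input. The UI has no
 * reply channel, so the only effect of a bad frame is that it is dropped. */
int telem_decode(const uint8_t *buf, size_t n, telem_t *t) {
    if (n != TELEM_LEN) return -1;                     /* truncated or oversized datagram */
    if (get32(buf) != TELEM_MAGIC) return -1;          /* not one of ours */
    if (get16(buf + 16) != fletcher16(buf, 16)) return -1;
    t->seq     = get32(buf + 4);
    t->hv_dv   = get16(buf + 8);
    t->lv_dv   = get16(buf + 10);
    t->soc_pct = (int16_t)get16(buf + 12);
    t->state   = buf[14];
    t->faults  = buf[15];
    return 0;
}

/* VCU side. MSG_DONTWAIT makes sendto fail with EAGAIN instead of stalling when
 * the socket buffer is full; the safety loop drops that frame and carries on. */
ssize_t telem_broadcast(int sock, const struct sockaddr_in *dst, const telem_t *t) {
    uint8_t frame[TELEM_LEN];
    telem_encode(t, frame);
    return sendto(sock, frame, TELEM_LEN, MSG_DONTWAIT, (const struct sockaddr *)dst, sizeof *dst);
}

int main(void) {
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    int one = 1;
    setsockopt(s, SOL_SOCKET, SO_BROADCAST, &one, sizeof one);   /* required for a broadcast address */
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(5005) };  /* port assumed */
    inet_pton(AF_INET, "255.255.255.255", &dst.sin_addr);
    telem_t t = { .seq = 1, .hv_dv = 2987, .lv_dv = 131, .soc_pct = 72, .state = 3, .faults = 0 };  /* constructed sample */
    telem_broadcast(s, &dst, &t);
    close(s);
    return 0;
}
```

The checksum here is only an integrity check against corruption; it gives the UI no way to tell a genuine VCU frame from a spoofed one, which is acceptable for a display that has no authority over the powertrain but would not be for anything that acts on the data.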

Full Architecture Diagram

[Architecture diagram: EVO vHIL · Full Architecture · Rev 1.3 · 6 Layers · Fully Virtualized SIM]

Data path shown in the diagram, left to right: BMS Firmware (C / RTOS, 32-bit MCU, 84S HV Pack + 4S LV Pack) → MCU Emulator (Renode, hardware-agnostic sim) → HV+LV telemetry as CAN frames → Middleware Bridge (Stream Parser → CAN Encoder → Socket Injector) → encoded CAN over a UDP tunnel → vCAN interface → C++ VCU Daemon (Safety & Logic Engine, AAOS vendor partition) → SPI Driver (CCS / ISO 15118 PLC, Linux spidev, user-space, full-duplex SPI) → HP GREEN PHY PLC Modem (SPI peripheral) → PLC signal over Control Pilot → External EVSE (CCS charger, ISO 15118 station). The VCU daemon feeds the Dashboard UI (VHAL mapping, Android UI layer) by IPC / UDP broadcast, one-way only.

Independent LV Architecture

This is the most significant departure from conventional EV design in the EVO architecture.

❌ Conventional Architecture

[Diagram: HV Traction Pack (84S, ~300V) → DC-DC Converter (HV → 12V) → 12V Rail (VCU + Coils). HV fails → 12V fails → UNCONTROLLED]

HV pack failure causes simultaneous 12V collapse. No controlled shutdown. No fault logging. No contactor sequencing.

✅ EVO Dual-Pack Architecture

[Diagram: 84S HV Pack (~300V, traction only) and 4S LV Pack (~12V aux, independent) → 12V Rail (VCU, coils, sensors) stays powered. HV fails → fault isolated at the HV pack; control persists]

HV pack failure is fully isolated. LV pack keeps VCU running, coils powered, fault logged. Ordered shutdown executed.

Linux User-Space SPI Driver

DC Fast Charging via CCS Type 2 demands deterministic, low-latency SPI access — incompatible with the Android HAL's scheduling variability.

Rather than routing PLC modem communication through the standard Android Hardware Abstraction Layer, the EVO VCU daemon implements a direct Linux user-space SPI driver via the native kernel spidev interface.

The SPI bus is configured via ioctl calls at daemon initialization — mode, word length, and clock speed — validated before any charging session begins.

  • Full-Duplex Polling: Non-blocking SPI transfers run alongside the safety loop, so neither stalls the other.
  • 🎯 Determinism by Design: Bypassing the Android HAL eliminates the scheduling variability incompatible with ISO 15118 timing budgets.
  • 🔒 Black-Box Abstraction: The CCS subsystem exposes a deterministic control interface to the safety layer — independent of ISO 15118 stack internals.

Charging Guarantees

  • No premature HV enable until parameter negotiation is complete
  • Continuous (not sampled) energy validation throughout the session
  • Unilateral BMS authority to terminate any session at any time

[Diagram: VCU C++ Daemon (AAOS vendor partition) containing a CCS Controller (SPI polling loop, non-blocking full-duplex transfers) and a Safety Engine (contactor logic, fault handling) that share state. The CCS controller reaches the SPI bus through the Linux kernel spidev interface (ioctl / transfer) to the HP GREEN PHY PLC Modem (SPI peripheral), which carries PLC over the CP wire to the CCS charger (EVSE).]

SPI Init
// Daemon initialization sequence (needs <fcntl.h>, <sys/ioctl.h>, <linux/spi/spidev.h>)
int fd = open("/dev/spidev0.0", O_RDWR);
if (fd < 0) return -1;                                         // bus unavailable: daemon refuses to start charging
if (ioctl(fd, SPI_IOC_WR_MODE, &mode) < 0) return -1;          // mode: uint8_t, e.g. SPI_MODE_0
if (ioctl(fd, SPI_IOC_WR_BITS_PER_WORD, &bits) < 0) return -1; // word length: uint8_t, 8 bits
if (ioctl(fd, SPI_IOC_WR_MAX_SPEED_HZ, &speed) < 0) return -1; // clock speed: uint32_t, Hz
// Validated before any session begins
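A fuller version of that initialization, written as an added example rather than the EVO daemon's own code: the configuration is sanity-checked before any hardware is touched, each ioctl is checked, and the three settings are read back with the matching SPI_IOC_RD_* calls so that a value the driver silently clamped is caught before a charging session can start. It also shows one full-duplex transfer through SPI_IOC_MESSAGE. The device path, the clock limits, the 8-bit word assumption and the sample payload are this example's assumptions; reading the settings back is this example's interpretation of "validated".

```c
/* Added example (not the EVO daemon's code): configure a spidev device, read the
 * settings back to confirm the kernel accepted them, and issue one full-duplex
 * transfer. Device path, clock limits and the payload are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/spi/spidev.h>

typedef struct {
    uint8_t  mode;       /* SPI_MODE_0 .. SPI_MODE_3 */
    uint8_t  bits;       /* bits per word */
    uint32_t speed_hz;   /* max clock */
} spi_cfg_t;

/* Reject nonsense before touching hardware. The limits are assumed for this example. */
int spi_cfg_valid(const spi_cfg_t *c) {
    if (c->mode > SPI_MODE_3) return 0;
    if (c->bits != 8) return 0;                                  /* modem uses byte words (assumed) */
    if (c->speed_hz < 100000u || c->speed_hz > 20000000u) return 0;
    return 1;
}

/* Open and configure the bus. Returns fd >= 0, or -1 with errno set. Every
 * write is followed by a read-back: a setting the driver clamped or ignored
 * would otherwise go unnoticed until the first ISO 15118 timing failure. */
int spi_open_validated(const char *path, const spi_cfg_t *cfg) {
    if (!spi_cfg_valid(cfg)) { errno = EINVAL; return -1; }
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;                                       /* bus absent: no charging */
    uint8_t  mode = cfg->mode, bits = cfg->bits;
    uint32_t speed = cfg->speed_hz;
    uint8_t  rmode = 0xFF, rbits = 0;
    uint32_t rspeed = 0;
    if (ioctl(fd, SPI_IOC_WR_MODE, &mode) < 0 ||
        ioctl(fd, SPI_IOC_WR_BITS_PER_WORD, &bits) < 0 ||
        ioctl(fd, SPI_IOC_WR_MAX_SPEED_HZ, &speed) < 0 ||
        ioctl(fd, SPI_IOC_RD_MODE, &rmode) < 0 ||
        ioctl(fd, SPI_IOC_RD_BITS_PER_WORD, &rbits) < 0 ||
        ioctl(fd, SPI_IOC_RD_MAX_SPEED_HZ, &rspeed) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (rmode != mode || rbits != bits || rspeed != speed) {
        close(fd); errno = EIO; return -1;                       /* hardware did not take the settings */
    }
    return fd;
}

/* One full-duplex transaction: tx and rx buffers of equal length are clocked
 * simultaneously. Returns bytes transferred, or -1 with errno set. */
int spi_xfer(int fd, const uint8_t *tx, uint8_t *rx, uint32_t len) {
    struct spi_ioc_transfer tr;
    memset(&tr, 0, sizeof tr);                                   /* zero the reserved/pad fields */
    tr.tx_buf = (unsigned long)(uintptr_t)tx;
    tr.rx_buf = (unsigned long)(uintptr_t)rx;
    tr.len    = len;
    return ioctl(fd, SPI_IOC_MESSAGE(1), &tr);
}

int main(void) {
    spi_cfg_t cfg = { SPI_MODE_0, 8, 1000000u };                 /* assumed modem settings */
    int fd = spi_open_validated("/dev/spidev0.0", &cfg);
    if (fd < 0) { perror("spi init failed; charging stays disabled"); return 1; }
    uint8_t tx[4] = { 0x00, 0x01, 0x02, 0x03 }, rx[4] = { 0 };   /* constructed payload */
    if (spi_xfer(fd, tx, rx, sizeof tx) < 0) perror("spi transfer");
    else printf("rx: %02x %02x %02x %02x\n", rx[0], rx[1], rx[2], rx[3]);
    close(fd);
    return 0;
}
```

The point of the read-back is the failure mode: on a host without the device, or with a driver that rejects the requested clock, spi_open_validated returns -1 and the daemon never reaches a state where a session could be negotiated on a misconfigured bus.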

BMS Contactor Sequencing

A formally structured state machine governs all high-voltage contactor operations. Each transition is conditional, safety-gated, and unidirectional.

[State diagram: contactor sequencing]
  • INIT (relays open) → STANDBY
  • STANDBY → PRECHARGE on IGN ON (cap charging); IGN OFF returns the machine to STANDBY
  • PRECHARGE → DRIVE (HV active) on V_OK; CHARGE is the charging-session state
  • Fault paths (⇢) into FAULT: precharge timeout, heartbeat lost, weld detected
  • Legend: → mandatory path, ⇢ fault path. No STANDBY → DRIVE skip; PRECHARGE is mandatory

Critical constraint: There is no path from STANDBY directly to DRIVE. The PRECHARGE sequence is mandatory, not optional — preventing destructive inrush current that would weld contactors or destroy the motor controller's input stage.
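The constraint above is easiest to enforce with a transition table: if STANDBY has no row for V_OK, the skip is impossible by construction rather than by a check someone might forget. The following is an added example, not the EVO BMS firmware. State and event names follow the state diagram; the IGN OFF return paths from DRIVE and CHARGE, entry into CHARGE via a charge-request flag, and FAULT being latched until power cycle are this example's assumptions.

```c
/* Added example, not the EVO BMS firmware: a transition-table version of the
 * contactor sequencer described above. The IGN OFF return paths, CHARGE entry via
 * a charge-request flag and the latched FAULT state are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

typedef enum { ST_INIT, ST_STANDBY, ST_PRECHARGE, ST_DRIVE, ST_CHARGE, ST_FAULT } state_t;
typedef enum { EV_BOOT_OK, EV_IGN_ON, EV_IGN_OFF, EV_V_OK,
               EV_PRECHARGE_TIMEOUT, EV_HEARTBEAT_LOST, EV_WELD_DETECTED } event_t;

#define FAULT_PRECHARGE_TIMEOUT 0x01u
#define FAULT_HEARTBEAT_LOST    0x02u
#define FAULT_WELD_DETECTED     0x04u

typedef struct {
    state_t  state;
    bool     precharge_relay_closed;   /* commanded relay positions, derived from state */
    bool     hv_contactors_closed;
    bool     charge_requested;         /* set by the CCS controller (assumed interface) */
    uint32_t fault_code;               /* logged, never cleared by an event */
} contactor_t;

/* Mandatory paths (→ in the diagram). Any (state, event) pair absent from this
 * table is rejected and leaves the state unchanged. STANDBY deliberately has no
 * row for EV_V_OK: the only way to DRIVE or CHARGE runs through PRECHARGE. */
static const struct { state_t from; event_t ev; state_t to; } rules[] = {
    { ST_INIT,      EV_BOOT_OK, ST_STANDBY   },
    { ST_STANDBY,   EV_IGN_ON,  ST_PRECHARGE },
    { ST_PRECHARGE, EV_V_OK,    ST_DRIVE     },   /* becomes ST_CHARGE when charge_requested */
    { ST_DRIVE,     EV_IGN_OFF, ST_STANDBY   },   /* assumed: IGN OFF ends the session */
    { ST_CHARGE,    EV_IGN_OFF, ST_STANDBY   },
};
#define N_RULES (sizeof rules / sizeof rules[0])

/* Relay commands are a pure function of state, never of the event, so a rejected
 * event can never leave the hardware half-way between two configurations. */
static void apply_outputs(contactor_t *c) {
    c->precharge_relay_closed = (c->state == ST_PRECHARGE);
    c->hv_contactors_closed   = (c->state == ST_DRIVE || c->state == ST_CHARGE);
}

static void enter_fault(contactor_t *c, uint32_t code) {
    c->fault_code |= code;
    c->state = ST_FAULT;               /* everything commanded open; a welded contactor is at least logged */
    apply_outputs(c);
}

/* Feed one event. Returns true if it was accepted, false if it was rejected. */
bool contactor_step(contactor_t *c, event_t ev) {
    if (c->state == ST_FAULT) return false;                 /* latched until power cycle (assumed) */

    /* Fault paths (⇢) are evaluated before any mandatory path. */
    if (ev == EV_HEARTBEAT_LOST) { enter_fault(c, FAULT_HEARTBEAT_LOST); return true; }
    if (ev == EV_WELD_DETECTED)  { enter_fault(c, FAULT_WELD_DETECTED);  return true; }
    if (ev == EV_PRECHARGE_TIMEOUT) {
        if (c->state != ST_PRECHARGE) return false;         /* only meaningful while precharging */
        enter_fault(c, FAULT_PRECHARGE_TIMEOUT);
        return true;
    }

    for (size_t i = 0; i < N_RULES; i++) {
        if (rules[i].from != c->state || rules[i].ev != ev) continue;
        state_t to = rules[i].to;
        if (to == ST_DRIVE && c->charge_requested) to = ST_CHARGE;
        c->state = to;
        apply_outputs(c);
        return true;
    }
    return false;                                            /* no such path: event ignored */
}

int main(void) {
    static const char *names[] = { "INIT", "STANDBY", "PRECHARGE", "DRIVE", "CHARGE", "FAULT" };
    contactor_t c = { ST_INIT, false, false, false, 0 };
    event_t seq[] = { EV_BOOT_OK, EV_V_OK, EV_IGN_ON, EV_V_OK, EV_IGN_OFF };   /* constructed sequence */
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++) {
        bool ok = contactor_step(&c, seq[i]);
        printf("event %d %s -> %s (HV contactors %s)\n", (int)seq[i], ok ? "accepted" : "rejected",
               names[c.state], c.hv_contactors_closed ? "closed" : "open");
    }
    return 0;
}
```

The second event in the constructed sequence, V_OK while still in STANDBY, is the attempted skip; the table has no row for it, so the contactors stay open and the machine waits for IGN ON to start the precharge it cannot bypass.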