Safety Model

Fail-Safe by Default
Any Violation = System Inhibit

The VCU daemon implements a safety validation model inspired by ISO 26262 ASIL design principles — operating at two independent layers with overlapping coverage.

Safety Check Pipeline

Every incoming data frame passes three sequential checks. Any failure routes immediately to System Inhibit.

Flowchart (rendered as text):
  INCOMING DATA
    -> WATCHDOG TIMEOUT?          YES -> SYSTEM INHIBIT
    NO -> PLAUSIBILITY OK?        NO  -> SYSTEM INHIBIT
    YES -> CRITICAL FAULT PRESENT?  YES -> SYSTEM INHIBIT
    NO -> NORMAL OPERATION (Drive / Charge Permitted)

Safety Check Definitions

1. Network Watchdog

The daemon maintains a heartbeat timer for all critical network participants. If any node fails to transmit within its expected window, a timeout fault is declared — guarding against silent failures, disconnections, or simulation crashes that would leave the VCU operating on stale data.

2. Integer-Math Plausibility Firewall

VCU and BMS independently verify aggregated readings against the arithmetic sum of sub-node values. The pack voltage must agree with the sum of individual cell voltages within a dynamic tolerance band. The check uses strict integer math throughout, because floating-point operations have non-deterministic execution time on embedded targets. The tolerance floor adjusts at low state-of-charge to prevent false-positive trips.

3. Critical Fault Detection

Safety faults are evaluated under strict priority ordering. Thermal anomalies, LV pack under-voltage, and HV isolation faults occupy the highest tier and immediately override any active drive or charge demand. Lower-priority faults may permit degraded operation depending on calibration.

Fail-Safe Default

The system defaults to safe state. Any ambiguity, timeout, or discrepancy routes to System Inhibit. Normal operation is an earned state — not the default.
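The three checks and the fail-safe default, as an added example in C (constructed for this page, not the VCU daemon's own code). The node count, heartbeat window, tolerance band, SoC threshold and the direction of the low-SoC floor adjustment are assumed values; units are millivolts and milliseconds.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed example of the three-check pipeline, not the project's code.
 * Node count, heartbeat window, tolerance and SoC threshold are assumed. */
#define NODE_COUNT   4
#define WATCHDOG_MS  100   /* assumed heartbeat window per critical node */
#define CELL_COUNT   8
#define TOL_PPT      5     /* assumed band: 5 parts per thousand of the cell sum */
#define TOL_FLOOR_MV 150   /* assumed floor used at or below LOW_SOC_PCT */
#define LOW_SOC_PCT  15

enum verdict { SYSTEM_INHIBIT = 0, NORMAL_OPERATION = 1 };

struct frame {
    uint32_t now_ms;
    uint32_t last_seen_ms[NODE_COUNT]; /* last heartbeat per critical node */
    uint16_t cell_mv[CELL_COUNT];      /* individual cell voltages, mV */
    uint32_t pack_mv;                  /* aggregated pack reading, mV */
    uint8_t  soc_pct;
    uint32_t critical_faults;          /* bitmask; any set bit is critical */
};

/* Check 1: every critical node transmitted inside its window.
 * Unsigned subtraction stays correct across tick-counter wraparound. */
static bool watchdog_ok(const struct frame *f) {
    for (int i = 0; i < NODE_COUNT; i++)
        if ((uint32_t)(f->now_ms - f->last_seen_ms[i]) > WATCHDOG_MS) return false;
    return true;
}

/* Check 2: pack reading agrees with the cell sum within a band whose floor
 * widens at low SoC (assumed direction). Integer arithmetic only. */
static bool plausibility_ok(const struct frame *f) {
    uint32_t sum_mv = 0;
    for (int i = 0; i < CELL_COUNT; i++) sum_mv += f->cell_mv[i];
    uint32_t tol_mv = (sum_mv * TOL_PPT) / 1000u;
    if (f->soc_pct <= LOW_SOC_PCT && tol_mv < TOL_FLOOR_MV) tol_mv = TOL_FLOOR_MV;
    uint32_t diff = f->pack_mv > sum_mv ? f->pack_mv - sum_mv : sum_mv - f->pack_mv;
    return diff <= tol_mv;
}

/* Check 3 plus the fail-safe default: NORMAL_OPERATION is earned only by
 * passing all three checks; every other path is SYSTEM_INHIBIT. */
enum verdict evaluate_frame(const struct frame *f) {
    if (!watchdog_ok(f)) return SYSTEM_INHIBIT;
    if (!plausibility_ok(f)) return SYSTEM_INHIBIT;
    if (f->critical_faults != 0) return SYSTEM_INHIBIT;
    return NORMAL_OPERATION;
}
```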

Core Safety Patterns

Four architectural patterns operate at the firmware level, independent of and prior to the VCU-layer safety model above.

Capacitive Precharge Enforcement

Before the main positive contactor can close, the firmware verifies that the motor-side bus capacitance has charged to within a defined tolerance of pack voltage. Closing against uncharged capacitors produces destructive inrush current capable of welding the contactor closed or destroying the motor controller's input stage.
Prevents: Contactor Weld

VCU Deadman Switch

In the DRIVE state, the BMS monitors an active heartbeat from the VCU. If the VCU ceases to communicate beyond a defined interval, the BMS unilaterally initiates contactor isolation. The powertrain does not remain energized waiting for a command that may never arrive. A VCU crash, OS hang, or Android process death cannot leave the HV bus live.
Prevents: Runaway HV Bus

Weld Detection at Standby

Before transitioning to PRECHARGE, the firmware samples voltage on the motor side of the main positive contactor. If high voltage is detected while contactors are commanded open, the firmware concludes a contactor has welded shut and transitions to FAULT. This prevents the vehicle from appearing powered off while the HV bus remains live, a serious electrocution risk during maintenance or post-collision.
Prevents: Electrocution Risk

Non-Blocking Relay Sequencing

Mechanical contactors require finite actuation time. The firmware manages this with RTOS tick counters and step-flags rather than blocking delays — allowing contactor sequencing to proceed asynchronously while cell monitoring, thermal checks, and CAN broadcasting continue at full cadence. No safety-critical monitoring is suspended during a contactor transition.
Ensures: Continuous Monitoring
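The four patterns above (weld detection at standby, precharge enforcement, the VCU deadman, and tick-driven non-blocking sequencing) combined into one state machine, as an added example in C. It is constructed for this page and is not the project's firmware; the state names, thresholds, tick rate and timeouts are assumed.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed example of a non-blocking contactor sequencer run once per RTOS tick;
 * it is not the project's firmware. Thresholds, timings and names are assumed. */
#define TICK_MS              10
#define PRECHARGE_TIMEOUT_MS 2000   /* assumed: bus must reach target within 2 s */
#define PRECHARGE_TOL_PPT    50     /* assumed: bus >= 95% of pack counts as charged */
#define WELD_THRESHOLD_MV    60000  /* assumed: > 60 V on a commanded-open bus = weld */
#define VCU_DEADMAN_MS       500    /* assumed VCU heartbeat window while in DRIVE */
enum hv_state { HV_STANDBY, HV_PRECHARGE, HV_DRIVE, HV_FAULT };
enum fault_code { FAULT_NONE, FAULT_WELD, FAULT_PRECHARGE_TIMEOUT, FAULT_VCU_DEADMAN };
struct hv_ctx {
    enum hv_state state;
    enum fault_code fault;
    uint32_t step_ticks;       /* ticks spent in the current step */
    uint32_t ticks_since_vcu;  /* ticks since the last VCU heartbeat */
    bool main_pos_closed, precharge_closed;  /* commanded contactor outputs */
};
struct hv_inputs {
    uint32_t pack_mv, bus_mv;  /* pack side and motor side of main positive, mV */
    bool drive_request, vcu_heartbeat;  /* VCU energize request; heartbeat seen this tick */
};
/* Open everything and latch the fault; FAULT is only left by a deliberate clear. */
static void hv_isolate(struct hv_ctx *c, enum fault_code f) {
    c->main_pos_closed = c->precharge_closed = false; c->state = HV_FAULT; c->fault = f;
}
/* One tick of the sequencer. It never blocks, so cell, thermal and CAN tasks
 * keep running at full cadence between calls. */
void hv_tick(struct hv_ctx *c, const struct hv_inputs *in) {
    c->step_ticks++;
    c->ticks_since_vcu = in->vcu_heartbeat ? 0 : c->ticks_since_vcu + 1;
    switch (c->state) {
    case HV_STANDBY:  /* weld detection: the bus must be dead while commanded open */
        if (in->bus_mv > WELD_THRESHOLD_MV) { hv_isolate(c, FAULT_WELD); break; }
        if (in->drive_request) { c->precharge_closed = true; c->state = HV_PRECHARGE; c->step_ticks = 0; }
        break;
    case HV_PRECHARGE: {  /* main positive closes only once the bus is within tolerance */
        uint32_t target_mv = in->pack_mv - (in->pack_mv * PRECHARGE_TOL_PPT) / 1000u;
        if (in->bus_mv >= target_mv) {
            c->main_pos_closed = true; c->precharge_closed = false;
            c->state = HV_DRIVE; c->step_ticks = 0;
        } else if (c->step_ticks * TICK_MS > PRECHARGE_TIMEOUT_MS) {
            hv_isolate(c, FAULT_PRECHARGE_TIMEOUT);
        }
        break; }
    case HV_DRIVE:  /* deadman: a silent VCU loses the bus without any further command */
        if (c->ticks_since_vcu * TICK_MS > VCU_DEADMAN_MS) hv_isolate(c, FAULT_VCU_DEADMAN);
        break;
    case HV_FAULT: break;
    }
}
```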

Hardware-Level Guarantees

⚛️ Hardware-Level Atomic Faulting

When a critical fault is detected at the embedded level, the BMS executes an atomic latch sequence borrowed from aerospace and industrial control:

Atomic Fault Sequence
// __disable_irq() and __DSB() are ARM CMSIS intrinsics; the remaining two calls are project hooks
// 1. Disable global processor interrupts
__disable_irq();
// 2. Data sync barrier — flush all pending writes before touching hardware
__DSB();
// 3. Physically sever contactor GPIO pins
GPIO_CONTACTOR_OPEN_ALL();
// 4. Log fault code atomically
fault_latch_write(fault_code);

This guarantees hardware isolation and fault logging in a single, uninterruptible operation. No nested interrupt or concurrent task can interfere between contactor isolation and fault logging.

🚨 Rogue Charger Defense

During the CHARGE state, the BMS and VCU actively police the external EVSE rather than trusting it unconditionally. The system does not assume external power electronics will behave within specification.

Diagram (rendered as text):
  EVSE (CCS charger) -> BMS / VCU policing active
  Check: I_delivered > I_demanded + defined margin?
    NO  -> Charger OK
    YES -> ROGUE FAULT, SEVER
Charge relay severed immediately. No charger acknowledgement required. BMS has unconditional authority.

Priority Ordering

P1 · CRITICAL
Thermal Anomaly · LV Under-Voltage · HV Isolation Fault
Immediate override of all drive and charge demands. No exceptions.
P2 · HIGH
Sensor Plausibility Fault · Watchdog Timeout · Rogue Charger
System Inhibit triggered. Requires fault clearance to resume.
P3 · DEGRADED
Cell Imbalance · Soft Over-Temperature · Partial Node Loss
May permit degraded operation at reduced power depending on calibration.
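The rogue-charger check feeding the three-tier priority ordering above, as an added example in C (constructed for this page, not the project's code). The fault bit layout, the overcurrent margin and the degraded-power calibration value are assumed; the tiers and their actions follow the table.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed example of priority-ordered fault arbitration fed by the rogue-charger
 * check; it is not the project's code. Bit layout, margin and the degraded-power
 * calibration are assumed. */
enum {
    F_THERMAL_ANOMALY = 1u << 0, F_LV_UNDERVOLT  = 1u << 1, F_HV_ISOLATION  = 1u << 2, /* P1 */
    F_PLAUSIBILITY    = 1u << 3, F_WATCHDOG      = 1u << 4, F_ROGUE_CHARGER = 1u << 5, /* P2 */
    F_CELL_IMBALANCE  = 1u << 6, F_SOFT_OVERTEMP = 1u << 7, F_PARTIAL_NODE  = 1u << 8  /* P3 */
};
#define P1_MASK (F_THERMAL_ANOMALY | F_LV_UNDERVOLT | F_HV_ISOLATION)
#define P2_MASK (F_PLAUSIBILITY | F_WATCHDOG | F_ROGUE_CHARGER)
#define P3_MASK (F_CELL_IMBALANCE | F_SOFT_OVERTEMP | F_PARTIAL_NODE)
#define ROGUE_MARGIN_MA    2000  /* assumed: more than 2 A over demand marks the EVSE rogue */
#define DEGRADED_POWER_PCT 40    /* assumed calibration for P3 operation */

struct demand { uint8_t drive_pct, charge_pct; };  /* requested power, 0..100 */
struct arbitration {
    uint8_t tier;              /* 0 = no fault, 1..3 = highest tier present */
    bool sever_charge_relay;   /* rogue charger: open the relay now, no EVSE handshake */
    struct demand permitted;   /* what the drive/charge loops may actually use */
};

/* Rogue charger defense: the EVSE is policed, not trusted. Delivered current above
 * demand plus margin raises the P2 fault. */
uint32_t police_charger(uint32_t faults, uint32_t i_delivered_ma, uint32_t i_demanded_ma) {
    if (i_delivered_ma > i_demanded_ma + ROGUE_MARGIN_MA) faults |= F_ROGUE_CHARGER;
    return faults;
}

/* Strict priority: the highest tier present decides; lower tiers never soften it. */
struct arbitration arbitrate(uint32_t faults, struct demand requested) {
    struct arbitration r = { 0, (faults & F_ROGUE_CHARGER) != 0, requested };
    if (faults & P1_MASK) {                 /* P1: override all demands, no exceptions */
        r.tier = 1; r.permitted.drive_pct = 0; r.permitted.charge_pct = 0;
    } else if (faults & P2_MASK) {          /* P2: System Inhibit until cleared */
        r.tier = 2; r.permitted.drive_pct = 0; r.permitted.charge_pct = 0;
    } else if (faults & P3_MASK) {          /* P3: degraded operation at calibrated power */
        r.tier = 3;
        if (r.permitted.drive_pct > DEGRADED_POWER_PCT) r.permitted.drive_pct = DEGRADED_POWER_PCT;
        if (r.permitted.charge_pct > DEGRADED_POWER_PCT) r.permitted.charge_pct = DEGRADED_POWER_PCT;
    }
    return r;
}
```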