Functional Safety for High Voltage Applications
Implications of high voltage applications, safety requirements and how to safely monitor 1,500 V in automotive test beds.
Recently, the transition towards electric mobility and thus the demand for new innovations in the mobility sector is one of the most discussed technology topics. Particularly in Germany, a country historically entwined deeply with the automobile, the mobility sector and its carbon footprint was focused in the discussions regarding the latest decision made by the German Federal Constitutional Court. Germany’s highest court ordered the government to further expand a 2019 law aiming to reduce the country’s carbon emissions down to nearly zero by 2050. The electrification of public and individual transport plays a key role in governmental regulations and thus as well in corporate strategies. Additionally, the customer purchase consideration of electric vehicles has increased significantly over recent years, posing remarkable global market potentials. However, there are unresolved concerns that still outweigh the benefits in public perception.
One of the key concerns is the battery and charging situation. Tackling existing limitations, the trend towards higher powertrain voltages is followed by a growing number of companies. In order to increase the efficiency and performance from an electrical point of view, higher voltages are feasible. Also, it allows reducing or maintaining the current levels, which in turn is beneficial for the cable diameter, a cost driver for many HV applications due to material and weight.
800V powertrains are already in use, enabling high driving performance as well as faster charging times. A prominent example is the Porsche Taycan, which can be charged with 800V chargers and charging powers up to 270 kW.
Safety Concepts for High Voltages
There are several risks associated with high voltages. Especially when it comes to testing HV components like batteries, inverters or aggregates, it is crucial to prevent any harm to both the equipment under test and the involved personnel. High voltages can cause severe damage to the human body which shall not be underestimated. Apart from thermal burns caused by the current flow or ventricular fibrillation, the physiological effects can be, for instance, muscle spasms that may prevent the victim from releasing the electrified object. Also, electrolytic degradation of cells or cellular components can lead to poisoning which takes a certain amount of time to be recognizable.
To cope with potential risks resulting from high voltages, special safeguards are crucial for e-mobility companies. Especially if a company has been dealing exclusively with conventional system voltages of 12-42V until now, the safety requirements have to be reviewed and adapted. Being regarded as good engineering practice, the DIN VDE 1000-100 and DIN VDE 0105-100 requirements can be observed.
However, an automated safety solution can play a significant role to ensure the appropriate level of protection. According to ISO 6722-1, DC voltages above 60 V require additional safety measures. Such measures can be, for instance, an access control to equipment under test, preventing electrified parts from being touched.
Functional Safety Automation for HV Applications using Failsafe Technology
In order to safely detect whether the voltage in an application is above or below a certain threshold, it has to be secured that the probability of failure of the monitoring equipment stays adequately low. This is necessary to minimize the risk of the monitoring instrument indicating a low voltage, even though the application is electrified with dangerous voltages. There are several reasons for this to happen. For example, a drop of the supply voltage can lead to malfunctions of microcontrollers or bad reference voltages in the safety equipment. The idea of failsafe instrumentation is not to prevent supply drops from happening, but to ensure that the instrument safely detects the malfunction and sets itself in a safe state, that prevents human and machine from taking any damage.
Defining adequate diagnosis functions and the combination of parameters for a safe shutdown requires sufficient knowledge of the applications and the standards to comply with. At Mütec Instruments, we base our products on the standards that apply for the respective application. For decades, the main functional safety standard of our instruments was IEC 61508, which is mandatory for process industries like chemicals (electrolysis, polymers) and petrochemicals (gas, oil rigs), often in combination with explosion protection by intrinsic safety.
Development according to Functional Safety Standards
Generally, development of automatic protection equipment shall be conducted following a defined structure and with strong focus on minimizing potential risks. The international standard IEC 61508 describes methods how to apply, design, deploy and maintain automatic safety-related systems. In terms of risks, the key assumption is that risk can never be eliminated. The goal is to reduce the risks to a reasonable practicable probability. In order to do so, a so-called V-Model (see fig. 1) is a suitable structure for development.
The model approaches a development project from a top-level view and with every step, the level of detail gets higher. Also, every step of detail requires a definition of test or validation of the current level of design. This minimizes the risk of leaving crucial requirements or subsystem functions untested. Between two steps there is a feedback loop that features a review or iteration to make sure the previously determined requirements are met.
Functional Safety Solution for HV Protection
Our current development project provides a solution to safely monitoring high voltages according to the previously described standards. By having a redundant structure and a variety of internal and external diagnosis features, a performance level of PLe (ISO 13849-1) or SIL 3 (EN IEC 62061) is achieved. One of the current applications are automotive test beds, in which battery simulations or inverter tests are being performed (see fig. 2). The Equipment Under Test (EUT) may not be accessed by the employees during the presence of high voltages. Thus, the access is controlled by doors or by putting a cover or a hood over the UUT. The voltage monitor measures the current voltage with an accuracy of around 1 V, given a maximum range of 1,500 V. Usually, the threshold above which the security measures are in place is set to 50 V.
On the output of the voltage monitor are two redundant safety relays that are connected to the access control, forming the safety-related loop. Many applications also require monitoring of capacitors, even 8-10 minutes after the test bed is shut off. Given the variety of signals to be monitored, the devices’ diagnosis functions are designed to suit both DC and AC signals.
The device can be connected to a control desk via Modbus which makes all data digitally available. This allows displaying different features, such as current measurement values or limit alarm violations, in a software such as Labview.
Scalable Safety Concept
With the ongoing race of pushing beyond limits, the automotive industry is one of the most dynamic industries. For us at Mütec, safety instrumentation shall not be a limiting factor. That’s why we have designed the functional safety concept of our voltage monitors following a scalable approach. Voltages of around 1,200 V have already become reality in many powertrain applications, paving the way to the electrified future.