ISO 26262-6: Fault Tolerant Time Interval (FTTI) Calculations
| Field | Value |
|---|---|
| Document ID | FOX-SAF-FTTI-001 |
| Applicable Standard | ISO 26262:2018 Part 6 — Product Development: Software Level |
| System | foxBMS 2 Battery Management System v1.10.0 |
| Item Definition | Li-ion BMS: 1 string, 1 module, 18s1p, NMC cells 3500 mAh |
| Date | 2026-03-21 |
| Status | Released for Review |
| Related Documents | FOX-SAF-HARA-001, FOX-SAF-FSC-001, FOX-SAF-TSC-001 |
1 Scope
This document provides detailed FTTI calculations for every FATAL-severity diagnostic entry in the foxBMS 2 diag_cfg.c. Each calculation decomposes the total response time into its constituent phases and compares the result against the physical process time for the corresponding hazard.
2 FTTI Calculation Method
2.1 General Formula
FTTI = T_detection + T_reaction + T_actuator
2.2 Component Definitions
| Component | Formula | Description |
|---|---|---|
| T_detection | threshold_count × task_period | Time to accumulate the configured number of consecutive diagnostic events. The task period is 10 ms for SOA checks (running in BMS_Trigger via 10 ms RTOS task) and 1 ms for system-level checks. |
| T_reaction | delay_ms (from diag_cfg.c) | Additional debounce/confirmation time after the threshold counter is reached. During this period, the diagnostic condition must persist to confirm the fault. |
| T_actuator | T_state_machine + T_contactor_mechanical | Time for BMS state machine to process ERROR transition (max 10 ms — one BMS_Trigger cycle) plus contactor mechanical opening time (20–50 ms depending on contactor model). |
2.3 Assumptions
| Parameter | Value | Justification |
|---|---|---|
| SOA check task period | 10 ms | BMS_Trigger runs in 10 ms RTOS task |
| System-level check task period | 1 ms | System monitoring runs in 1 ms RTOS task |
| BMS state machine response | 10 ms | One BMS_Trigger cycle in worst case |
| Contactor mechanical open time | 50 ms | Conservative automotive contactor specification |
| SPS driver command latency | <1 ms | SPI transaction time (negligible) |
| Total T_actuator | 50 ms | 10 ms (SM) + <1 ms (SPS) + ~40 ms (mechanical) ≈ 50 ms |
3 FTTI Calculations — Battery Safety Diagnostics
3.1 DIAG_ID_CELL_VOLTAGE_OVERVOLTAGE_MSL
| Parameter | Value |
|---|---|
| Safety Goal | SG-01 (ASIL D) |
| Cell Limit | 2800 mV |
| Threshold | 50 consecutive events |
| Task Period | 10 ms |
| Delay | 200 ms |
| Callback | DIAG_ErrorOvervoltage |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 50 × 10 = 500 | 500 |
| T_reaction (delay_ms) | 200 | 700 |
| T_actuator | 50 | 750 |
| Total FTTI | 750 |
Physical Process Time Analysis:
The hazardous consequence of cell overvoltage is lithium plating leading to dendrite formation and internal short circuit. The timeline depends on the degree of overcharge:
| Condition | Estimated Process Time |
|---|---|
| Cell at 2800 mV (just above limit for NMC) | >600 s (>10 min) — plating onset at moderate overcharge is slow |
| Cell at 3000 mV (significant overcharge) | ~120–300 s — accelerated plating |
| Cell at 4000 mV (severe overcharge) | ~30–60 s — rapid gas generation and plating |
| Cell at 5000 mV (extreme — electrolyte decomposition) | ~5–15 s — violent reaction |
Note: With a 2800 mV MSL on cells with 2500 mV nominal, the overcharge margin is 300 mV (~12%). At typical charge rates (0.5C–1C), the voltage rise rate is ~1–5 mV/s. In the worst case (5 mV/s rise), the voltage exceeds 2800 mV and reaches 2804 mV by the time the FTTI expires (0.75 s × 5 mV/s = 3.75 mV additional overshoot). This is well within the safe margin.
Verdict: ADEQUATE — FTTI (750 ms) is at least 40× shorter than the shortest physical process time (~30 s).
3.2 DIAG_ID_CELL_VOLTAGE_UNDERVOLTAGE_MSL
| Parameter | Value |
|---|---|
| Safety Goal | SG-02 (ASIL C) |
| Cell Limit | 1500 mV |
| Threshold | 50 consecutive events |
| Task Period | 10 ms |
| Delay | 200 ms |
| Callback | DIAG_ErrorUndervoltage |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 500 | 500 |
| T_reaction | 200 | 700 |
| T_actuator | 50 | 750 |
| Total FTTI | 750 |
Physical Process Time Analysis:
Copper dissolution from the anode current collector begins at voltages below ~1.5 V (vs. Li/Li+). At 1500 mV cell voltage, the anode potential is approximately at the copper dissolution threshold. Significant copper dissolution (enough to form dendrites on subsequent charge) requires:
- Sustained undervoltage for >10 minutes at moderate discharge rates
- At 1500 mV, the cell is near end-of-discharge; further voltage drop under load is rapid (steep discharge curve), but copper dissolution is an electrochemical process with time constants of minutes
Verdict: ADEQUATE — FTTI (750 ms) << copper dissolution onset (~10 min).
3.3 DIAG_ID_TEMP_OVERTEMPERATURE_CHARGE_MSL
| Parameter | Value |
|---|---|
| Safety Goal | SG-06 (ASIL C) |
| Temp Limit | 45 °C (charge mode) |
| Threshold | 500 consecutive events |
| Task Period | 10 ms |
| Delay | 1000 ms |
| Callback | DIAG_ErrorOvertemperatureCharge |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 500 × 10 = 5000 | 5000 |
| T_reaction | 1000 | 6000 |
| T_actuator | 50 | 6050 |
| Total FTTI | 6050 (6.05 s) |
Physical Process Time Analysis:
From 45 °C to thermal runaway onset (self-heating temperature, ~130 °C for NMC):
| Condition | Temp Rise Rate | Time to TR Onset |
|---|---|---|
| Cell at 1C charge, adiabatic | ~0.3 °C/s | ~280 s (~4.7 min) |
| Cell at 2C charge, adiabatic | ~1.2 °C/s | ~70 s (~1.2 min) |
| Cell at 1C charge, with cooling (typical) | ~0.05 °C/s | ~1700 s (~28 min) |
| External fire exposure | ~5–10 °C/s | ~8–17 s |
The FTTI of 6.05 s assumes continued current flow. Once contactors open (safe state achieved), the current source of heating is removed. Residual temperature from thermal inertia does not increase by more than ~0.1 °C after current cutoff.
For external fire exposure: the BMS temperature monitoring cannot protect against external fire — this is a vehicle-level hazard addressed by fire suppression and occupant escape systems.
Verdict: ADEQUATE — FTTI (6.05 s) << thermal runaway onset from 45 °C (~70 s worst case under charge current).
3.4 DIAG_ID_TEMP_OVERTEMPERATURE_DISCHARGE_MSL
| Parameter | Value |
|---|---|
| Temp Limit | 55 °C (discharge mode) |
| Threshold | 500 consecutive events |
| Task Period | 10 ms |
| Delay | 1000 ms |
Calculation: Identical structure to Section 3.3.
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 5000 | 5000 |
| T_reaction | 1000 | 6000 |
| T_actuator | 50 | 6050 |
| Total FTTI | 6050 (6.05 s) |
Physical Process Time: From 55 °C to TR onset (~130 °C): the margin is 75 °C. At worst-case adiabatic discharge (2C): ~1.2 °C/s → ~62 s. At typical discharge with cooling: ~0.3 °C/s → ~250 s.
Verdict: ADEQUATE — FTTI (6.05 s) << ~62 s worst case.
3.5 DIAG_ID_TEMP_UNDERTEMPERATURE_CHARGE_MSL
| Parameter | Value |
|---|---|
| Safety Goal | SG-07 (ASIL B) |
| Temp Limit | -20 °C |
| Threshold | 500 consecutive events |
| Task Period | 10 ms |
| Delay | 1000 ms |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 5000 | 5000 |
| T_reaction | 1000 | 6000 |
| T_actuator | 50 | 6050 |
| Total FTTI | 6050 (6.05 s) |
Physical Process Time: Lithium plating at -20 °C during 0.5C charge: onset ~60–120 s. At 0.1C: onset ~300–600 s. Temperature does not change significantly in 6 s due to thermal inertia, so the low-temperature condition persists.
Verdict: ADEQUATE — FTTI (6.05 s) << plating onset (~60 s at 0.5C).
3.6 DIAG_ID_TEMP_UNDERTEMPERATURE_DISCHARGE_MSL
| Parameter | Value |
|---|---|
| Temp Limit | -20 °C |
| Threshold | 500 consecutive events |
| Task Period | 10 ms |
| Delay | 1000 ms |
Calculation: Same as Section 3.5: FTTI = 6050 ms.
Physical Process Time: Discharge at -20 °C: primary concern is capacity loss and voltage depression, not dendrite formation. The safety risk is lower than for charge undertemperature. Treated as FATAL for defense-in-depth.
Verdict: ADEQUATE — Conservative safety measure.
3.7 DIAG_ID_OVERCURRENT_CHARGE_CELL_MSL
| Parameter | Value |
|---|---|
| Safety Goal | SG-05 (ASIL C) |
| Cell Limit | 180000 mA |
| Threshold | 10 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
| Callback | DIAG_ErrorOvercurrentCharge |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 10 × 10 = 100 | 100 |
| T_reaction | 100 | 200 |
| T_actuator | 50 | 250 |
| Total FTTI | 250 |
Physical Process Time: At 180 A through a 3500 mAh cell (~51C rate — extreme), adiabatic temperature rise is approximately 10–20 °C/s. From 25 °C ambient to 130 °C TR onset: ~5–10 s.
Verdict: ADEQUATE — FTTI (250 ms) << ~5 s.
3.8 DIAG_ID_OVERCURRENT_DISCHARGE_CELL_MSL
Same parameters as Section 3.7 (180000 mA, 10 events, 100 ms delay).
FTTI = 250 ms.
Physical Process Time: Same thermal analysis as charge overcurrent. Discharge overcurrent at 51C: ~5–10 s to TR onset.
Verdict: ADEQUATE — FTTI (250 ms) << ~5 s.
3.9 DIAG_ID_STRING_OVERCURRENT_CHARGE_MSL
| Parameter | Value |
|---|---|
| String Limit | 2400 mA |
| Threshold | 10 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 100 + 100 + 50 = 250 ms.
Physical Process Time: At 2400 mA through a single 3500 mAh cell (0.69C), this is a relatively mild overcurrent. Thermal rise rate at 0.69C is negligible (~0.01 °C/s). The primary concern at this current level is lithium plating at high SOC or low temperature, which has onset times of >60 s.
Verdict: ADEQUATE — FTTI (250 ms) << ~60 s.
3.10 DIAG_ID_STRING_OVERCURRENT_DISCHARGE_MSL
Same parameters as Section 3.9 (2400 mA, 10 events, 100 ms delay).
FTTI = 250 ms.
Verdict: ADEQUATE — Same analysis as 3.9 applies.
3.11 DIAG_ID_PACK_OVERCURRENT_DISCHARGE_MSL / CHARGE_MSL
Same parameters as string overcurrent (10 events, 100 ms delay).
FTTI = 250 ms for both charge and discharge.
Verdict: ADEQUATE.
3.12 DIAG_ID_CURRENT_ON_OPEN_STRING
| Parameter | Value |
|---|---|
| Threshold | 10 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 100 + 100 + 50 = 250 ms.
Physical Process Time: Current flowing through an "open" string indicates either a welded contactor or an external fault path. If current is at a dangerous level, the overcurrent DIAG IDs provide independent protection. The CURRENT_ON_OPEN_STRING detection is a secondary/confirmation mechanism.
Verdict: ADEQUATE.
3.13 DIAG_ID_DEEP_DISCHARGE_DETECTED
| Parameter | Value |
|---|---|
| Threshold | 1 event (immediate) |
| Task Period | 10 ms |
| Delay | 100 ms |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 1 × 10 = 10 | 10 |
| T_reaction | 100 | 110 |
| T_actuator | 50 | 160 |
| Total FTTI | 160 |
Physical Process Time: Deep discharge gas generation occurs over minutes to hours. The hazard (venting) has a long time constant.
Verdict: ADEQUATE — FTTI (160 ms) << physical process time.
3.14 DIAG_ID_PLAUSIBILITY_PACK_VOLTAGE
| Parameter | Value |
|---|---|
| Threshold | 10 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 100 + 100 + 50 = 250 ms.
Physical Process Time: Pack voltage plausibility failure indicates a measurement error, not a direct physical hazard. The safety concern is loss of accurate voltage monitoring. Cell-level voltage checks via AFE provide independent protection.
Verdict: ADEQUATE.
4 FTTI Calculations — Hardware/Communication Diagnostics
4.1 DIAG_ID_AFE_SPI
| Parameter | Value |
|---|---|
| Threshold | 5 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 5 × 10 = 50 | 50 |
| T_reaction | 100 | 150 |
| T_actuator | 50 | 200 |
| Total FTTI | 200 |
Physical Process Time: Loss of AFE SPI means loss of cell voltage monitoring. During the 200 ms window, the BMS operates on stale cell data. The rate of cell voltage change is max ~5 mV per 200 ms (at 1C charge rate) — well within the margin between the MOL/RSL/MSL thresholds.
Verdict: ADEQUATE — 200 ms data staleness causes <5 mV measurement gap.
4.2 DIAG_ID_AFE_COMMUNICATION_INTEGRITY
Same parameters as AFE_SPI (5 events, 100 ms delay).
FTTI = 200 ms.
Verdict: ADEQUATE — Same analysis as 4.1.
4.3 DIAG_ID_AFE_MUX
| Parameter | Value |
|---|---|
| Threshold | 5 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 50 + 100 + 50 = 200 ms.
Physical Process Time: Loss of MUX means loss of temperature measurement. Cell temperature changes by <0.01 °C in 200 ms under any operating condition.
Verdict: ADEQUATE.
4.4 DIAG_ID_AFE_CONFIG
| Parameter | Value |
|---|---|
| Threshold | 1 event (immediate) |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 10 + 100 + 50 = 160 ms.
Physical Process Time: AFE register corruption could cause incorrect measurement range, gain, or conversion mode. Single-event detection ensures fastest possible response to SEU.
Verdict: ADEQUATE — Immediate detection with minimal delay.
4.5 DIAG_ID_CAN_TIMING
| Parameter | Value |
|---|---|
| Threshold | 100 consecutive events |
| Task Period | 10 ms |
| Delay | 200 ms |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 100 × 10 = 1000 | 1000 |
| T_reaction | 200 | 1200 |
| T_actuator | 50 | 1250 |
| Total FTTI | 1250 |
Physical Process Time: CAN loss means the vehicle controller does not receive current limits from the BMS. The vehicle controller may request full current. However, cell-level SOA checks (voltage, temperature, current) continue to operate independently of CAN. The CAN FTTI is not the sole barrier.
Verdict: ADEQUATE — Independent cell-level protection continues during CAN outage.
4.6 DIAG_ID_CURRENT_SENSOR_RESPONDING
| Parameter | Value |
|---|---|
| Threshold | 100 consecutive events |
| Task Period | 10 ms |
| Delay | 200 ms |
FTTI = 1000 + 200 + 50 = 1250 ms.
Physical Process Time: Loss of current sensor means loss of overcurrent detection. During the 1250 ms window, an overcurrent event could go undetected by the current-based SOA check. However, cell voltage monitoring continues — extreme overcurrent causes measurable voltage sag that would trigger undervoltage detection.
Verdict: ADEQUATE — Multi-channel detection provides coverage during sensor outage.
4.7 DIAG_ID_CURRENT_SENSOR_CC_RESPONDING / EC_RESPONDING
| Parameter | Value |
|---|---|
| Threshold | 100 consecutive events |
| Task Period | 10 ms |
| Delay | 2000 ms |
FTTI = 1000 + 2000 + 50 = 3050 ms.
Physical Process Time: CC and EC channels provide coulomb counting and energy counting for SOC/SOE estimation. Loss of these channels does not create an immediate safety hazard — it degrades SOC accuracy over time. The 3050 ms FTTI is generous but acceptable because the primary current measurement channel provides independent overcurrent detection with a 1250 ms FTTI.
Verdict: ADEQUATE — SOC drift in 3050 ms is negligible (<0.1% SOC at max current).
4.8 DIAG_ID_CURRENT_SENSOR_V1/V2/V3_MEASUREMENT_TIMEOUT
| Parameter | Value |
|---|---|
| Threshold | 1 event (immediate) |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 10 + 100 + 50 = 160 ms.
Physical Process Time: Loss of IVT voltage channels eliminates the pack voltage plausibility cross-check (secondary detection path for cell voltage faults). The primary AFE path continues to operate. Immediate detection ensures minimal exposure.
Verdict: ADEQUATE.
4.9 DIAG_ID_SBC_RSTB_ERROR
| Parameter | Value |
|---|---|
| Threshold | 1 event (immediate) |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 10 + 100 + 50 = 160 ms.
Physical Process Time: SBC reset assertion typically occurs due to watchdog failure or power supply anomaly. If SBC resets the MCU, contactors open automatically (fail-safe). This DIAG ID catches cases where RSTB is asserted but reset hasn't occurred yet.
Verdict: ADEQUATE.
5 FTTI Calculations — Safety Infrastructure Diagnostics
5.1 DIAG_ID_INTERLOCK_FEEDBACK
| Parameter | Value |
|---|---|
| Threshold | 10 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 100 + 100 + 50 = 250 ms.
Physical Process Time: Time from interlock break (connector removal) to potential human contact with HV terminals: ~0.5–2 s (hand withdrawal and re-insertion motion). For crash scenarios: impact forces occur in <100 ms, but occupant movement toward HV components takes >1 s.
Verdict: ADEQUATE — FTTI (250 ms) < human contact time (~0.5 s).
5.2 DIAG_ID_STRING_MINUS_CONTACTOR_FEEDBACK
| Parameter | Value |
|---|---|
| Threshold | 20 consecutive events |
| Task Period | 10 ms |
| Delay | 100 ms |
FTTI = 200 + 100 + 50 = 350 ms.
5.3 DIAG_ID_STRING_PLUS_CONTACTOR_FEEDBACK
Same as 5.2: FTTI = 350 ms.
5.4 DIAG_ID_PRECHARGE_CONTACTOR_FEEDBACK
Same as 5.2: FTTI = 350 ms.
Physical Process Time (all contactor feedback): Contactor feedback mismatch during normal operation: if detected during contactor opening (safe state transition attempt), the 350 ms determines how quickly the BMS recognizes it cannot achieve safe state and attempts alternative measures (opening remaining contactors, alerting vehicle controller). If the welded contactor is the only one in the fault-current path and the other contactors can interrupt, the 350 ms delay adds to the total fault exposure time.
Verdict: ADEQUATE — 350 ms is well within the thermal time constant of contactor-welding fault scenarios (~1–5 s).
5.5 DIAG_ID_SYSTEM_MONITORING
| Parameter | Value |
|---|---|
| Threshold | 1 event (immediate) |
| Task Period | 1 ms (system-level task) |
| Delay | 0 ms (no delay) |
Calculation:
| Phase | Duration (ms) | Cumulative (ms) |
|---|---|---|
| T_detection | 1 × 1 = 1 | 1 |
| T_reaction | 0 | 1 |
| T_actuator | 50 | 51 |
| Total FTTI | ~51 ms |
Physical Process Time: System monitoring failure indicates fundamental platform integrity loss. The 51 ms FTTI is the fastest achievable response in the system.
Verdict: ADEQUATE — Fastest possible response.
5.6 DIAG_ID_FLASHCHECKSUM
| Parameter | Value |
|---|---|
| Threshold | 1 event (immediate) |
| Task Period | 1 ms (assumption: system-level check) |
| Delay | 0 ms |
FTTI ≈ 51 ms (same as SYSTEM_MONITORING).
Note: Flash checksum verification runs periodically (not every 1 ms — the CRC computation spans multiple cycles). The detection latency includes the CRC computation period, which may be 100 ms–1 s depending on flash size and computation chunking. However, once the CRC mismatch is detected, the DIAG response is immediate.
Effective FTTI = CRC_computation_period + 0 + 50 ≈ 150–1050 ms.
Verdict: ADEQUATE — Flash corruption is a latent fault; the CRC check provides periodic detection.
5.7 DIAG_ID_ALERT_MODE
| Parameter | Value |
|---|---|
| Threshold | 1 event (immediate) |
| Task Period | 1 ms |
| Delay | 0 ms |
FTTI ≈ 51 ms.
Verdict: ADEQUATE.
6 Summary Table — All FATAL DIAG Entries
| # | DIAG ID | Thr | Period (ms) | Delay (ms) | T_det (ms) | T_react (ms) | T_act (ms) | FTTI (ms) | Process Time | Verdict |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CELL_VOLTAGE_OVERVOLTAGE_MSL | 50 | 10 | 200 | 500 | 200 | 50 | 750 | ~30 s | ADEQUATE |
| 2 | CELL_VOLTAGE_UNDERVOLTAGE_MSL | 50 | 10 | 200 | 500 | 200 | 50 | 750 | ~600 s | ADEQUATE |
| 3 | TEMP_OVERTEMPERATURE_CHARGE_MSL | 500 | 10 | 1000 | 5000 | 1000 | 50 | 6050 | ~70 s | ADEQUATE |
| 4 | TEMP_OVERTEMPERATURE_DISCHARGE_MSL | 500 | 10 | 1000 | 5000 | 1000 | 50 | 6050 | ~62 s | ADEQUATE |
| 5 | TEMP_UNDERTEMPERATURE_CHARGE_MSL | 500 | 10 | 1000 | 5000 | 1000 | 50 | 6050 | ~60 s | ADEQUATE |
| 6 | TEMP_UNDERTEMPERATURE_DISCHARGE_MSL | 500 | 10 | 1000 | 5000 | 1000 | 50 | 6050 | conservative | ADEQUATE |
| 7 | OVERCURRENT_CHARGE_CELL_MSL | 10 | 10 | 100 | 100 | 100 | 50 | 250 | ~5 s | ADEQUATE |
| 8 | OVERCURRENT_DISCHARGE_CELL_MSL | 10 | 10 | 100 | 100 | 100 | 50 | 250 | ~5 s | ADEQUATE |
| 9 | STRING_OVERCURRENT_CHARGE_MSL | 10 | 10 | 100 | 100 | 100 | 50 | 250 | ~60 s | ADEQUATE |
| 10 | STRING_OVERCURRENT_DISCHARGE_MSL | 10 | 10 | 100 | 100 | 100 | 50 | 250 | ~60 s | ADEQUATE |
| 11 | PACK_OVERCURRENT_DISCHARGE_MSL | 10 | 10 | 100 | 100 | 100 | 50 | 250 | ~60 s | ADEQUATE |
| 12 | PACK_OVERCURRENT_CHARGE_MSL | 10 | 10 | 100 | 100 | 100 | 50 | 250 | ~60 s | ADEQUATE |
| 13 | CURRENT_ON_OPEN_STRING | 10 | 10 | 100 | 100 | 100 | 50 | 250 | secondary | ADEQUATE |
| 14 | DEEP_DISCHARGE_DETECTED | 1 | 10 | 100 | 10 | 100 | 50 | 160 | ~minutes | ADEQUATE |
| 15 | PLAUSIBILITY_PACK_VOLTAGE | 10 | 10 | 100 | 100 | 100 | 50 | 250 | indirect | ADEQUATE |
| 16 | AFE_SPI | 5 | 10 | 100 | 50 | 100 | 50 | 200 | data staleness | ADEQUATE |
| 17 | AFE_COMMUNICATION_INTEGRITY | 5 | 10 | 100 | 50 | 100 | 50 | 200 | data staleness | ADEQUATE |
| 18 | AFE_MUX | 5 | 10 | 100 | 50 | 100 | 50 | 200 | ~0.01 °C | ADEQUATE |
| 19 | AFE_CONFIG | 1 | 10 | 100 | 10 | 100 | 50 | 160 | SEU response | ADEQUATE |
| 20 | CAN_TIMING | 100 | 10 | 200 | 1000 | 200 | 50 | 1250 | independent prot | ADEQUATE |
| 21 | CURRENT_SENSOR_RESPONDING | 100 | 10 | 200 | 1000 | 200 | 50 | 1250 | independent prot | ADEQUATE |
| 22 | CURRENT_SENSOR_CC_RESPONDING | 100 | 10 | 2000 | 1000 | 2000 | 50 | 3050 | SOC drift only | ADEQUATE |
| 23 | CURRENT_SENSOR_EC_RESPONDING | 100 | 10 | 2000 | 1000 | 2000 | 50 | 3050 | SOE drift only | ADEQUATE |
| 24 | CURRENT_SENSOR_V1_MEAS_TIMEOUT | 1 | 10 | 100 | 10 | 100 | 50 | 160 | secondary path | ADEQUATE |
| 25 | CURRENT_SENSOR_V2_MEAS_TIMEOUT | 1 | 10 | 100 | 10 | 100 | 50 | 160 | secondary path | ADEQUATE |
| 26 | CURRENT_SENSOR_V3_MEAS_TIMEOUT | 1 | 10 | 100 | 10 | 100 | 50 | 160 | secondary path | ADEQUATE |
| 27 | SBC_RSTB_ERROR | 1 | 10 | 100 | 10 | 100 | 50 | 160 | platform health | ADEQUATE |
| 28 | INTERLOCK_FEEDBACK | 10 | 10 | 100 | 100 | 100 | 50 | 250 | ~0.5 s | ADEQUATE |
| 29 | STRING_MINUS_CONTACTOR_FEEDBACK | 20 | 10 | 100 | 200 | 100 | 50 | 350 | ~1 s | ADEQUATE |
| 30 | STRING_PLUS_CONTACTOR_FEEDBACK | 20 | 10 | 100 | 200 | 100 | 50 | 350 | ~1 s | ADEQUATE |
| 31 | PRECHARGE_CONTACTOR_FEEDBACK | 20 | 10 | 100 | 200 | 100 | 50 | 350 | ~1 s | ADEQUATE |
| 32 | SYSTEM_MONITORING | 1 | 1 | 0 | 1 | 0 | 50 | 51 | platform health | ADEQUATE |
| 33 | FLASHCHECKSUM | 1 | 1 | 0 | 1 | 0 | 50 | 51* | latent fault | ADEQUATE |
| 34 | ALERT_MODE | 1 | 1 | 0 | 1 | 0 | 50 | 51 | SBC health | ADEQUATE |
* FLASHCHECKSUM effective FTTI includes CRC computation period (~150–1050 ms total).
7 FTTI Adequacy Conclusion
All 34 FATAL diagnostic entries have calculated FTTI values that are significantly shorter than their corresponding physical process times. The safety margins range from:
- Minimum margin: Interlock feedback — FTTI (250 ms) vs. human contact time (~500 ms) — margin factor ~2×
- Maximum margin: Cell undervoltage — FTTI (750 ms) vs. copper dissolution (~600 s) — margin factor ~800×
- Typical margin: Battery safety parameters — margin factor 10–100×
The temperature-related diagnostics have the longest FTTI (6050 ms) due to high threshold counts (500) and long delays (1000 ms), but this is justified by the thermal inertia of battery cells, which prevents temperature changes faster than ~1 °C/s even under worst-case conditions.
Overall verdict: All FTTI values are ADEQUATE for the intended application.
8 References
| Ref | Document |
|---|---|
| [1] | ISO 26262:2018 Part 6 — Product Development: Software Level |
| [2] | FOX-SAF-HARA-001 — Hazard Analysis and Risk Assessment |
| [3] | FOX-SAF-FSC-001 — Functional Safety Concept |
| [4] | FOX-SAF-TSC-001 — Technical Safety Concept |
| [5] | foxBMS v1.10.0 src/app/engine/diag/diag_cfg.c |
| [6] | foxBMS v1.10.0 src/app/application/config/battery_cell_cfg.h |
| [7] | foxBMS v1.10.0 src/app/application/config/battery_system_cfg.h |
End of Document FOX-SAF-FTTI-001