Introduction
Reviewing old work is a meaningful activity for me, similar to using a more advanced model to answer long-standing questions: there are always new insights. This differs from simply looking at answers after an exam, because repeatedly seeing the correct solution does not always explain why mistakes were made.
One substantial piece of past work is my earlier graduation thesis written while at Bosch Weilimd, which was my first external exposure to embedded development and functional safety practice.
A common analogy among colleagues is that writing a thesis is like hunting rabbits on the prairie. During undergraduate studies, advisors guide you step by step to find and catch the rabbit. For a master's thesis, the advisor points out a rabbit for you to catch. For a doctorate, the advisor gives you a broad direction and leaves you to manage the rest.
I did not pursue a doctorate, but the difference between undergraduate and master's thesis difficulty was significant for me. During my undergraduate thesis at Bosch CC, the advisor and colleagues were very helpful and available. When I wrote my master's thesis and first encountered functional safety and vehicle power network architecture, I was initially confused by the system-level thinking despite recognizing its value.
Thesis Series Overview
My advisor completed a doctorate at Karlsruhe Institute of Technology and worked as a manager in Bosch's automotive electronics strategic coordination and functional safety. Around 2012, shortly after the first edition of ISO 26262 was published, he supervised several functional-safety-related theses. These works, in chronological order, are summarized below.
1. Feb–Aug 2010
Title (translated): Establishing a Modeling Concept to Implement Functional Safety within Electrical/Electronic System Architecture Development for Vehicles
This thesis explored modeling approaches for vehicle power system architectures, starting with discussions of safety goals and HARA analysis. The author evaluated tools such as UML and SysML to create system architecture models, explicitly identifying components, interfaces, data flows, and state transitions to understand system behavior. Risk analysis was integrated into the model to identify potential safety risks and derive safety measures to mitigate or eliminate them, supporting an effective functional safety strategy.
2. May–Nov 2010
Title (translated): Safety and Reliability Analysis of Future Vehicle Power Networks
The author analyzed three simple architectures: 1) single-controller, 2) dual-controller connected by bus, and 3) dual-node connected by gateway, with one node on low-speed CAN and the other on high-speed CAN. For each architecture the single-point fault metric (SPFM) was calculated. Without safety mechanisms, SPFM values were around 47–49%. After adding high diagnostic coverage for output control, SPFM rose above 85% but remained below 90%. System-level FMEDA results differ significantly from component-level calculations; these architectures appeared insufficient even to meet ASIL B requirements, which may explain why this approach was not further pursued.
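To make the SPFM figures above concrete, here is an added worked example (my own illustration, not the thesis's FMEDA data) of how the single-point fault metric from ISO 26262-5 is computed: SPFM = 1 − Σ(λ_SPF + λ_RF) / Σλ over the safety-related hardware elements, where a safety mechanism with diagnostic coverage DC leaves a residual share (1 − DC) of an element's safety-goal-relevant failures uncovered. The element names, failure rates and coverage values are constructed sample values; the ASIL targets are the ones stated in ISO 26262-5.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Element:
    """One safety-related hardware element of the FMEDA (constructed sample data)."""
    name: str
    fit: float        # total failure rate in FIT (failures per 1e9 operating hours)
    sg_share: float   # fraction of failures that could violate the safety goal if unmitigated
    dc: float = 0.0   # diagnostic coverage of the mechanism detecting this element's faults

    def residual_fit(self) -> float:
        """Single-point plus residual failure rate contributed by this element."""
        return self.fit * self.sg_share * (1.0 - self.dc)


def spfm(elements) -> float:
    """ISO 26262-5 single-point fault metric: 1 - sum(lambda_SPF + lambda_RF) / sum(lambda)."""
    total = sum(e.fit for e in elements)
    residual = sum(e.residual_fit() for e in elements)
    return 1.0 - residual / total


# Minimum SPFM per ASIL from ISO 26262-5 (no target is stated for ASIL A).
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}


def highest_asil_met(value: float):
    """Return the highest ASIL whose SPFM target is met, or None if even ASIL B is missed."""
    met = [asil for asil, target in SPFM_TARGET.items() if value >= target]
    return met[-1] if met else None


def with_dc(elements, coverage: dict):
    """Copy the element list, attaching diagnostic coverage to the named elements."""
    return [replace(e, dc=coverage.get(e.name, e.dc)) for e in elements]


# Constructed single-controller architecture (sample values, not from the thesis).
SINGLE_CONTROLLER = [
    Element("mcu", 100.0, 0.5),
    Element("output_driver", 50.0, 0.7),
    Element("supply", 30.0, 0.4),
    Element("connector", 20.0, 0.25),
]


def scenarios() -> dict:
    """SPFM for progressively more safety mechanisms; returns {label: spfm}."""
    return {
        "no_mechanisms": spfm(SINGLE_CONTROLLER),
        "output_dc_0.99": spfm(with_dc(SINGLE_CONTROLLER, {"output_driver": 0.99})),
        "output+mcu_dc": spfm(with_dc(SINGLE_CONTROLLER,
                                      {"output_driver": 0.99, "mcu": 0.90})),
        "output+mcu+supply_dc": spfm(with_dc(SINGLE_CONTROLLER,
                                             {"output_driver": 0.99, "mcu": 0.90, "supply": 0.90})),
    }


if __name__ == "__main__":
    for label, value in scenarios().items():
        print(f"{label:24s} SPFM = {value:6.1%}  highest ASIL met: {highest_asil_met(value)}")
```

The progression shows the point the thesis made: high coverage on the output stage alone lifts the metric but leaves the uncovered controller and supply faults dominating, and only once those are also monitored does SPFM cross the 90% ASIL B floor. The metric is a ratio over the whole element list, so a single large uncovered element caps it regardless of how well the rest is diagnosed.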
3. Jun–Dec 2011
Title (translated): Qualitative Functional Safety Analysis of the Onboard Power Network for Glide-Capable Micro-Hybrid Vehicles According to ISO 26262
This thesis directly analyzed power architectures for mild-hybrid vehicles, including alternator, battery, battery sensors, starter, starter motor, DC/DC converter, dual-layer capacitors (DLC), and other components. The author performed qualitative safety analyses such as FMEA, reliability block diagram (RBD), and fault tree analysis (FTA) on six architectures: traditional 12V; 14V with DC/DC; 14V with DC/DC and DLC; 14V with subordinate power network (14V–32V); 12V–48V with one lead-acid and one lithium battery; and a variant where the starter is replaced by a starter motor.
4. Apr–Oct 2012
Title (translated): Implementing Functional Safety According to ISO 26262 within Electrical/Electronic System Architecture Development in Vehicles
This work studied functional safety development process requirements and evaluated whether the development management tool PREEvision met the software tool confidence level requirements described in ISO 26262, especially clause 8.
5. Oct 2012–Jul 2013
Title (translated): Modeling Future Vehicle Power Network Concepts and Evaluating Functional Safety According to ISO 26262
This was my thesis. It used PREEvision to model the six architectures from thesis 3 and applied RBD methods to quantify system-level failure rates for comparison.
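As an added illustration of the RBD method used for the quantitative comparison (example code written for this write-up, not the PREEvision models or the thesis's figures), the block below evaluates a few constructed power-network topologies with constant failure rates: series blocks multiply reliabilities, redundant blocks combine unreliabilities, and the resulting system reliability is converted back to an equivalent failure rate so that architectures can be ranked on one number. All component failure rates and the three topologies are assumed sample values.

```python
import math

FIT = 1e-9  # one FIT is one failure per 1e9 operating hours


def reliability(fit: float, hours: float) -> float:
    """Survival probability of a block with constant failure rate `fit` over `hours`."""
    return math.exp(-fit * FIT * hours)


def series(*blocks: float) -> float:
    """All blocks must survive: R = product of block reliabilities."""
    return math.prod(blocks)


def parallel(*blocks: float) -> float:
    """Any one block suffices (active redundancy): R = 1 - product of unreliabilities."""
    return 1.0 - math.prod(1.0 - r for r in blocks)


def equivalent_fit(r_system: float, hours: float) -> float:
    """Constant failure rate that would give the same survival probability over `hours`."""
    return -math.log(r_system) / hours / FIT


# Constructed component failure rates in FIT (sample values, not from the thesis).
RATES = {
    "alternator": 500.0,
    "battery12": 300.0,
    "generator48": 400.0,
    "dcdc": 200.0,
    "distribution": 50.0,
}


def architectures(hours: float) -> dict:
    """Reliability of three assumed topologies for supplying the 12V safety-related loads."""
    r = {name: reliability(fit, hours) for name, fit in RATES.items()}
    return {
        # loads hang on the alternator alone behind the distribution box
        "12V_single_source": series(r["alternator"], r["distribution"]),
        # alternator and 12V battery can each keep the loads alive
        "12V_with_battery": series(parallel(r["alternator"], r["battery12"]),
                                   r["distribution"]),
        # 48V generator feeds the 12V loads through a DC/DC; 12V battery is the fallback
        "48V_dcdc_12V_battery": series(parallel(series(r["generator48"], r["dcdc"]),
                                                r["battery12"]),
                                       r["distribution"]),
    }


def compare(hours: float = 1000.0) -> dict:
    """Equivalent system failure rate in FIT per architecture (lower is better)."""
    return {name: equivalent_fit(rel, hours) for name, rel in architectures(hours).items()}


if __name__ == "__main__":
    for name, fit in compare().items():
        print(f"{name:22s} equivalent failure rate = {fit:10.4f} FIT")
```

Two caveats a reviewer of such a comparison should keep in mind. The equivalent failure rate of a redundant structure depends on the mission time, because the parallel block is not exponential, so the `hours` argument must be the same for every architecture being ranked. And the RBD assumes independent block failures; a fault that takes down the shared bus, such as the short to ground discussed later in this write-up, defeats the redundancy and has to be treated separately as a common-cause failure.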
Primary Thread One: 48V System
From these theses two main themes emerge. The first concerns onboard electrical system (Bordnetz) architecture design. After start-stop systems were introduced, traditional 12V systems reached practical power limits. For mild hybrid systems with power demands between 10 kW and 15 kW, current at 12V can reach around 1000 A, which is impractical. In 2011, Audi, BMW, Daimler, Porsche, and Volkswagen jointly proposed a 48V system as an intermediate voltage level between traditional 12V systems and high-voltage battery systems to meet increasing onboard power demands and stringent EU emissions regulations.
Another factor is safety classifications: 60V is commonly considered the threshold for safety isolation requirements. A 48V battery charge voltage up to about 56V approaches that threshold, making 48V the highest practical voltage level below the 60V safety boundary.
To meet emissions regulations, European OEMs promoted 48V systems: a 48V DC vehicle electrical system can be seen as an upgrade to 12V start-stop systems, adding a 48V energy storage battery, a bidirectional 48V/12V DC/DC converter, a 48V belt-driven starter generator (BSG) or integrated starter generator (ISG), optional electric supercharger, and a battery management system, as shown below.
Advantages include:
- Improved driving comfort: 48V motors can provide higher torque and speed to quickly assist engine restart with smoother engagement than 12V starters. They can offer acceleration assist and torque fill, improving launch performance.
- Accessory power optimization: 48V delivers higher power capability than 12V or 24V systems, enabling high-power accessories such as electric turbochargers and electric power steering. For the same power, higher voltage reduces current, lowering wiring and component stress, improving conversion efficiency and reducing losses.
- Fault detection and diagnostics: 48V systems support advanced monitoring via electronic control units to track battery and electrical system health, provide fault codes, and assist troubleshooting and repair.
- Energy recuperation and storage: 48V systems can capture braking energy and store it in the 48V battery for use by accessories or the powertrain, improving overall energy efficiency.
- Support for high-voltage systems: 48V systems can be integrated with high-voltage battery systems to provide auxiliary functions, reducing overall complexity and cost through multi-voltage system integration.
- Standards and specifications: Standards such as ISO 21780, published in 2020, define electrical requirements and tests for 48V vehicle power systems to guide safety, performance, and communication requirements.
Disadvantages include:
- Higher electromagnetic compatibility requirements as voltage increases.
- Risk of arcing at 48V that needs to be managed.
- Migrating legacy 12V devices to 48V requires redevelopment and testing, with significant cost and time.
- Higher cost than 12V start-stop systems, and energy savings are smaller compared with full high-voltage hybrid systems.
Common 48V operating modes include:
A. Automatic Start-Stop
When vehicle speed drops below about 3 km/h, the start-stop system turns off the engine and the battery supplies vehicle electrical loads. The engine can restart quickly when needed. This function reduces fuel consumption and CO2 emissions, especially in urban stop-and-go traffic.
B. Energy Recuperation
Regenerative braking converts kinetic energy to electrical energy and stores it in the battery. Recuperation alone can reduce fuel consumption by roughly 7%.
C. Passive Assist (Torque Fill)
During acceleration, motor assist compensates for shortfalls in engine torque, reducing emissions without sacrificing performance. The generator reduces power draw from the engine to free up power for acceleration, achieved by controlling generator field excitation with battery-supplied electronics.
D. Start-Stop Coasting
When cruising at steady speed with sufficient battery state of charge, the fuel injection system can be shut off and the clutch can disengage the engine from the drivetrain so the vehicle coasts with the engine fully off. The electric motor supplies power to overcome driving and drag losses. Coasting is allowed only when the energy storage system can always provide sufficient energy to restart the engine on demand. Restart can be achieved either by using residual vehicle kinetic energy when the clutch re-engages or by an electric motor driving a small pinion gear (Ritzel start).
Because the generator is not driven during coasting, vehicle loads must be powered by the battery. Energy management will only permit coasting when the energy storage system can guarantee restart capability.
Primary Thread Two: Functional Safety Assessment
The second main theme is functional safety. New safety requirements, weight reduction goals, and new driving and comfort features change the set of components in the power network. Modern battery technologies and DC/DC converters replacing traditional alternators, more complex wiring, and new energy distribution components impact the structure of the vehicle power network. Functional safety and derived requirements are a decisive factor in the evolution of vehicle power networks.
Components such as lighting, wipers, brakes, and power steering are safety-related devices because their failure can affect occupant or pedestrian safety. Energy supply to these systems must be ensured, which imposes clear requirements on defining and implementing safety-related driving functions. Non-safety-related driving functions must not affect safety-related functions; if negative influence cannot be excluded, mechanisms must prevent unsafe reactions. Voltage fluctuations, electromagnetic interference, or power faults in the vehicle power network can lead to erroneous behavior, data loss, or system unavailability for safety-related functions.
The figure above is from a University of Stuttgart IMA project on safety mechanisms in the energy network functional safety domain.
One well-known fault scenario that can directly affect other ECUs is an electrical short to vehicle ground from a wiring fault or failed component. This can cause severe undervoltage across the whole power network, resulting in functional failures of safety-related components. Many vehicles use fuses to protect wiring from fire; however, if a fuse does not blow fast enough or the power network design cannot prevent critical voltage drops, serious issues may occur. In extreme cases during high-load driving, the system could fail entirely, with severe consequences. Some OEMs use semiconductor elements that prevent energy from flowing into a short circuit within a few milliseconds to stabilize the electrical system.
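To put numbers on the fuse-versus-semiconductor argument above, here is an added, deliberately simplified model (my own illustration, not from the page or from any OEM design). An ideal source with internal plus harness resistance R_s feeds a distribution point, and a short with resistance R_f connects that point to ground. The bus voltage collapses to V·R_f/(R_s+R_f) for as long as the fault is fed; a conventional fuse clears after its I²t rating is consumed, while an electronic switch interrupts after a fixed trip time. The question for the safety-related ECUs downstream is whether that dwell time exceeds their supply hold-up. Every number here (resistances, the fuse I²t rating, the hold-up and trip times) is a constructed sample value.

```python
def fault_current_a(v_source: float, r_source_mohm: float, r_fault_mohm: float) -> float:
    """Current fed into the short: V / (R_s + R_f), resistances in milliohm."""
    return v_source / ((r_source_mohm + r_fault_mohm) / 1000.0)


def bus_voltage_v(v_source: float, r_source_mohm: float, r_fault_mohm: float) -> float:
    """Voltage left at the distribution point while the short is fed (resistive divider)."""
    return v_source * r_fault_mohm / (r_source_mohm + r_fault_mohm)


def fuse_clear_s(i2t_rating_a2s: float, current_a: float) -> float:
    """Melting time from the fuse's I^2t rating; valid in the fast (adiabatic) region only."""
    return i2t_rating_a2s / current_a ** 2


def undervoltage_dwell_s(protection_s: float, bus_v: float, uv_threshold_v: float) -> float:
    """Time the bus sits below the ECU undervoltage threshold: until protection isolates the fault."""
    return protection_s if bus_v < uv_threshold_v else 0.0


def assess(v_source: float, r_source_mohm: float, r_fault_mohm: float,
           uv_threshold_v: float, ecu_holdup_s: float,
           fuse_i2t_a2s: float, efuse_trip_s: float) -> dict:
    """Compare a conventional fuse with an electronic switch for one short-to-ground case.

    Returns the fault current, the collapsed bus voltage, the undervoltage dwell under each
    protection, and whether that dwell stays within the downstream ECU hold-up time.
    """
    i_fault = fault_current_a(v_source, r_source_mohm, r_fault_mohm)
    v_bus = bus_voltage_v(v_source, r_source_mohm, r_fault_mohm)
    t_fuse = fuse_clear_s(fuse_i2t_a2s, i_fault)
    dwell_fuse = undervoltage_dwell_s(t_fuse, v_bus, uv_threshold_v)
    dwell_efuse = undervoltage_dwell_s(efuse_trip_s, v_bus, uv_threshold_v)
    return {
        "fault_current_a": i_fault,
        "bus_voltage_v": v_bus,
        "fuse_clear_s": t_fuse,
        "fuse_dwell_s": dwell_fuse,
        "efuse_dwell_s": dwell_efuse,
        "fuse_ok": dwell_fuse <= ecu_holdup_s,
        "efuse_ok": dwell_efuse <= ecu_holdup_s,
    }


# Constructed sample case: 12V source, 20 mOhm source+harness, 5 mOhm bolted short,
# ECUs brown out below 9V and ride through 10 ms, fuse rated 5000 A^2s, e-fuse trips in 2 ms.
SAMPLE = dict(v_source=12.0, r_source_mohm=20.0, r_fault_mohm=5.0,
              uv_threshold_v=9.0, ecu_holdup_s=0.010,
              fuse_i2t_a2s=5000.0, efuse_trip_s=0.002)

if __name__ == "__main__":
    for key, value in assess(**SAMPLE).items():
        print(f"{key:16s} {value}")
```

The model ignores load current, harness inductance and battery dynamics, so it is a reasoning aid rather than a design calculation. Its value is in showing which parameters the safety argument actually hinges on: the fuse clearing time scales with the inverse square of the fault current, so a high-impedance short that draws less current is cleared more slowly and is the harder case for the downstream hold-up, whereas the electronic switch's dwell is fixed by its trip time.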
For automated driving functions, availability requirements rise significantly depending on SAE level and operational design domain. When supply voltage is abnormal or a power unit fails, systems should be able to switch to a backup power source or enter a safe state to maintain functionality and safety. Depending on architecture, these requirements may be placed on the vehicle energy system. The power network must provide fault detection, fault tolerance, and warning functions to detect and react to power failures. It must also provide stable and reliable data transmission channels to ensure sensor data integrity and timeliness. ADAS functions relying on multiple sensors require timely and correct data; power network communication faults or interference can cause sensor errors, delays, or interruptions, affecting ADAS accuracy and reliability.
In the functional safety workstream, a supplier of core 48V components must treat the entire 48V system as an item for functional safety design, analysis, verification, and testing to ensure the vehicle power network meets relevant functional safety standards such as ISO 26262. My advisor’s projects validated whether power network systems could meet these requirements, from exploring suitable modeling methods, creating and evaluating safety concepts at the vehicle level, performing qualitative FMEA, RBD reliability analyses, and FTA, to using proprietary tools for quantitative system-level failure rate calculations. Hardware failure rates were considered in these studies to align with OEM or third-party requirements and to treat functional safety as a key metric for comparing solutions.
Another important element was the adoption of the PREEvision tool. PREEvision supports top-down model-based development across requirement specification, functional design, HW/SW/network development, harness design, and topology design, with algorithms that facilitate system evaluation. Its layering aligns well with the V-model and it can integrate with AUTOSAR. Interns working with Vector evaluated PREEvision's TCL (tool confidence level) and rated the tool as TCL1.
Summary and Outlook
The vehicle low-voltage power system supplies multiple safety-related controllers, so its role in functional safety is critical. I participated in functional safety work during the early introduction of 48V mild-hybrid systems, which laid the foundation for my continued work in functional safety.
As noted in a joint paper by Bosch and the University of Stuttgart IMA, functional safety requirements for power supply systems are increasing and becoming more detailed. Key safety considerations include:
- Power supply and storage: Fault diagnosis for intelligent batteries is mandatory for these architectures, e.g., via a BMS or EBS. The goal is to ensure the power supply can, at a minimum, sustain a minimum risk condition.
- Power distribution via harnesses: Wiring assemblies should be evaluated quantitatively in addition to qualitative analysis. Wiring and connector failure rates should be optimized. Industry groups are working on technical guidance for standardized wiring failure rates.
- Ensuring mutual non-interference: To prevent harmful interference, the paper recommends electronic switches that enable rapid, fine-grained power network switching and external diagnostics. Measures can include intelligent safety switches or distributed electronic fuses in circuits.