Railway BMU Architecture Built for SIL2 Certification Readiness

Project in a Nutshell: For a European industrial battery manufacturer, Promwad designed a dual-MCU BMU platform based on NXP S32K37xx + S32K1xx — the primary MCU handles processing and control, while a secondary independent MCU provides safety monitoring, watchdog supervision, and fault detection. The solution is implemented as a single board that scales across all BMU roles in the system, eliminates the external industrial PC, and provides a clear path to SIL2 certification. The architecture applies to automotive, energy storage, and industrial automation. 

Client & Challenge

The client manufactures industrial battery systems for railway transport and industrial automation. The Battery Management Unit (BMU) is the control core of such a system: it manages charge and discharge, monitors cell state, controls thermal behavior, and handles fault conditions.

In the existing system, the client's battery management application ran on a dedicated industrial PC: a bulky, expensive x86 box. The customer wanted to eliminate this. At the same time, the new BMU had to meet SIL2 requirements in accordance with EN 50126 / EN 50128 / EN 50129 standards, comply with the environmental requirements of EN 50155, and integrate with a higher-level system via industrial communication protocols. 

SIL2 requires a full Safety Lifecycle with auditable documentation: failure analysis, safety concept, verification reports. An architecture that doesn't survive certification review rolls the project back several phases, and time-to-market slips by months. The client needed a partner who handles both the electronics and the certification logic end-to-end. 

Solution

Promwad designed a dual-processor BMU architecture, splitting functions between the main MCU (NXP S32K37xx) and an independent safety MCU (NXP S32K1xx). A dedicated SPI channel connects the processors, with protocol-level integrity checks and supervision for safety-related data exchange. This separation supports a SIL2 certification path by isolating safety supervision from the main control logic and creating the basis for independent monitoring, diagnostics, and auditable safety evidence. 
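The page does not publish the inter-MCU protocol, so the following is an added illustration of what "protocol-level integrity checks and supervision" on such a SPI channel typically means, written for this article; it is not Promwad's code and not the project's actual frame format. The frame layout (alive counter, command byte, 16-bit payload, CRC-16/CCITT-FALSE), the timeout value and the function names are all assumptions. The safety MCU side rejects frames with a bad CRC, frames that break the alive-counter sequence (lost or replayed frames, or a sender stuck in a loop), and a channel that goes silent, and it latches a safe state in every case; the traffic in the scenarios is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FRAME_LEN  6
#define CMD_STATUS 0x01u   /* hypothetical message id: periodic status from the main MCU */

/* Hypothetical safety-channel frame (assumed layout, not the project's). */
typedef struct {
    uint8_t  seq;      /* alive counter: +1 per frame; detects loss, replay and a stuck sender */
    uint8_t  cmd;      /* message identifier */
    uint16_t payload;  /* application data, e.g. pack current in 10 mA units */
    uint16_t crc;      /* CRC-16/CCITT-FALSE over seq, cmd, payload */
} safety_frame_t;

typedef enum { RX_OK = 0, RX_BAD_CRC, RX_BAD_SEQ, RX_TIMEOUT } rx_status_t;

/* State kept on the safety MCU for one supervised channel. */
typedef struct {
    uint8_t  expected_seq;
    uint32_t last_rx_ms;
    uint32_t timeout_ms;
    bool     safe_state;   /* latched: only a supervised reset may clear it */
} safety_monitor_t;

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, check value 0x29B1. */
uint16_t crc16_ccitt_false(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side (main MCU): serialise big-endian and append the CRC. */
void frame_encode(const safety_frame_t *f, uint8_t out[FRAME_LEN]) {
    out[0] = f->seq;
    out[1] = f->cmd;
    out[2] = (uint8_t)(f->payload >> 8);
    out[3] = (uint8_t)(f->payload & 0xFFu);
    uint16_t crc = crc16_ccitt_false(out, 4);
    out[4] = (uint8_t)(crc >> 8);
    out[5] = (uint8_t)(crc & 0xFFu);
}

void monitor_init(safety_monitor_t *m, uint32_t now_ms, uint32_t timeout_ms) {
    m->expected_seq = 0;
    m->last_rx_ms = now_ms;
    m->timeout_ms = timeout_ms;
    m->safe_state = false;
}

/* Receiver side (safety MCU): check CRC first, then the alive counter, then accept. */
rx_status_t monitor_receive(safety_monitor_t *m, const uint8_t in[FRAME_LEN],
                            uint32_t now_ms, safety_frame_t *out) {
    uint16_t rx_crc = (uint16_t)(((uint16_t)in[4] << 8) | in[5]);
    if (crc16_ccitt_false(in, 4) != rx_crc) { m->safe_state = true; return RX_BAD_CRC; }
    if (in[0] != m->expected_seq)          { m->safe_state = true; return RX_BAD_SEQ; }
    m->expected_seq = (uint8_t)(m->expected_seq + 1u);   /* wraps at 256 by design */
    m->last_rx_ms = now_ms;
    if (out) {
        out->seq = in[0]; out->cmd = in[1];
        out->payload = (uint16_t)(((uint16_t)in[2] << 8) | in[3]);
        out->crc = rx_crc;
    }
    return RX_OK;
}

/* Called from the safety MCU's periodic task: a silent channel is a fault too. */
rx_status_t monitor_tick(safety_monitor_t *m, uint32_t now_ms) {
    if ((uint32_t)(now_ms - m->last_rx_ms) > m->timeout_ms) { m->safe_state = true; return RX_TIMEOUT; }
    return RX_OK;
}

/* Constructed scenarios: three good frames, a bit flip, a replayed frame, a silent sender. */
bool scenario_nominal(void) {
    safety_monitor_t m; monitor_init(&m, 0, 50);
    uint8_t buf[FRAME_LEN]; safety_frame_t rx;
    for (uint8_t i = 0; i < 3; i++) {
        safety_frame_t tx = { i, CMD_STATUS, (uint16_t)(1000u + i), 0 };
        frame_encode(&tx, buf);
        if (monitor_receive(&m, buf, 10u * (i + 1u), &rx) != RX_OK || rx.payload != 1000u + i) return false;
    }
    return !m.safe_state && monitor_tick(&m, 40) == RX_OK;
}
bool scenario_bit_flip(void) {
    safety_monitor_t m; monitor_init(&m, 0, 50);
    uint8_t buf[FRAME_LEN]; safety_frame_t tx = { 0, CMD_STATUS, 1234, 0 };
    frame_encode(&tx, buf);
    buf[3] ^= 0x01u;                                     /* single corrupted payload bit */
    return monitor_receive(&m, buf, 10, NULL) == RX_BAD_CRC && m.safe_state;
}
bool scenario_replay(void) {
    safety_monitor_t m; monitor_init(&m, 0, 50);
    uint8_t buf[FRAME_LEN]; safety_frame_t tx = { 0, CMD_STATUS, 1234, 0 };
    frame_encode(&tx, buf);
    if (monitor_receive(&m, buf, 10, NULL) != RX_OK) return false;
    return monitor_receive(&m, buf, 20, NULL) == RX_BAD_SEQ && m.safe_state;   /* same frame again */
}
bool scenario_timeout(void) {
    safety_monitor_t m; monitor_init(&m, 0, 50);
    return monitor_tick(&m, 51) == RX_TIMEOUT && m.safe_state;
}

int main(void) {
    printf("nominal=%d bit_flip=%d replay=%d timeout=%d\n",
           scenario_nominal(), scenario_bit_flip(), scenario_replay(), scenario_timeout());
    return 0;
}
```

One caveat worth keeping in mind when reading this against the SIL2 path: a CRC plus alive counter is a functional-safety integrity mechanism against random faults (bit errors, dropped or stuck frames), not an authenticity mechanism. Anyone who can write to the SPI bus can recompute the CRC, so protecting the channel against deliberate tampering is a separate cybersecurity requirement (for example a keyed MAC), which is why the page lists secure boot and cybersecurity as distinct work items from the safety channel.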

Our Approach

Scalable BMU Architecture

The BMU system runs on three levels. At the top, the SoM (NXP i.MX93, ARM Cortex-A55, Linux) coordinates multiple Primary BMU controllers across the train. Each Primary BMU manages up to 20 Secondary units. Without the SoM, the same board operates as either a Primary or a Secondary BMU depending on configuration. One hardware design therefore covers all three roles; the distinction between Primary and Secondary is made during the assembly phase through configuration, and the top level is added by fitting the optional SoM module.

During architectural studies, the Promwad team analyzed two different solutions before making a final decision: an optional SoM (Concept A) or a unified board with a different microcontroller (Concept B). Concept A was chosen due to lower component costs, reduced development time, and greater manufacturing flexibility.

In addition to the architecture work, the team defined and designed: 

  • Schematics, PCB, and mechanical enclosure designed for EN 50155 operating and environmental requirements. 
  • Firmware stacks with MISRA and unit test coverage. 
  • Client's BMS application ported from x86 to ARM: BSP, secure boot, cybersecurity. 
  • Certification strategy across accredited labs. 

Beyond This Project: Reusable Platform

The architecture works for projects beyond this one. Promwad adapts the same base for safety-critical devices in harsh environments. 

What carries over: 

  • Dual-MCU architecture with an independent safety channel for SIL1/SIL2 devices. 
  • Communication stack (CANopen, TRDP, J1939, Ethernet, Bluetooth) with galvanic isolation. 
  • Compliance toolchain: vetted labs, test plan structure, hands-on experience with EN 50155 / EMC / SIL2. 
  • Safety documentation: FMEDA, Safety Concept, traceability matrix as templates. 
The platform shortens time-to-market for new safety-critical products. Architecture decisions, documentation base, and compliance processes are already worked out.

Results

The client received a complete BMU development package: dual-MCU architecture, hardware design (schematics, PCB, enclosure concept), firmware migration roadmap, x86-to-ARM porting plan, and certification strategy with SIL2 pathway defined. 

More of What We Do for Automotive Vision

  • Energy Storage: explore our engineering expertise in battery energy storage systems, from BMS architecture to IEC 61508-aligned designs for industrial and utility applications.
     
  • FPGA Architecture Design: see how we combined power electronics and FPGA engineering to build a high-performance industrial power inverter.
     
  • IEC 61508: read our breakdown of IEC 61508 — the functional safety standard behind SIL classification and safety lifecycle requirements.

FAQ

What is functional safety, and why does it matter for safety-critical systems?

Functional safety is the part of a system's overall safety that depends on the system operating correctly in response to its inputs, including the handling of faults. Its aim is to reduce the risk of dangerous failures to a tolerable level. For battery systems, industrial controllers, and transport applications, this directly translates into safer operation, lower liability, and a clearer path to market entry.

How does Promwad approach the IEC 61508 safety lifecycle?

Promwad follows the V-model: hazard and risk analysis, safety requirements specification, system design, module testing, integration, and validation, with each verification stage on the right-hand side of the V checked against the corresponding specification stage on the left. Diagnostic coverage, redundancy, and traceable documentation are built in from the start to support independent certification review.

Can Promwad deliver both hardware and software for safety-critical systems?

Promwad covers the full stack: schematics and PCB design, firmware with MISRA compliance and unit test coverage, embedded Linux, safety-related communication protocols, and integration with higher-level industrial systems. Safety documentation is built in from the start.

What's the difference between BMS, BMU, and BAMU?

BMS is the full battery management system. BMU (Battery Management Unit) is the controller that manages a battery pack or cluster. BAMU (Battery Array Management Unit) sits a level higher, coordinating multiple BMUs across a larger system such as a train, an industrial facility, or a grid-scale storage installation.

For which applications does Promwad design battery energy storage solutions?

Utility-scale energy storage, commercial and industrial systems, EV charging infrastructure, railway and transport, off-road and heavy equipment. The same architectural patterns apply across these segments, with adaptations for environmental requirements and applicable safety standards.
