When the Detector Was Already in the Catalog

Between December 2025 and January 2026, Volkswagen filed three overlapping recalls on the ID.4 over high-voltage battery fires. Two of them chase a manufacturing defect — a "shifted electrode" in cells built by SK Battery America. The third is the one that should keep functional-safety engineers up at night, because it is not about a defect Volkswagen found. It is about a safeguard Volkswagen already had. Recall 26V030 covers 43,881 ID.4s whose only fault is that they were built without the Self-Discharge Detection software — a function the company's own data says would have warned the driver before at least three known fires. The detector existed. It just wasn't on those cars.

This is a battery-safety post, which means it sits at the intersection of three standards worlds that don't always talk to each other: ISO 26262 (the electrical/electronic functional safety the BMS lives in), ISO 6469-1 and UN GTR No. 20 (the electric-vehicle and battery-pack safety rules that govern thermal propagation and occupant warning), and IATF 16949 with IEC 62660 underneath it (the production process-control discipline that is supposed to keep a misaligned electrode from ever leaving the cell line). The ID.4 recalls are a clean case study in what happens when a hazard is real, the controls all exist on paper, and the allocation of those controls to the vehicle in the customer's driveway is incomplete.

Below: the public record, the standards that bracket the failure, a worked HARA row and fault tree, five derived requirements, and the one sentence the headline is really telling us.

1. The public record

The chronology matters here because it is the evidence, so I'll keep it tight and sourced. Volkswagen first learned of an ID.4 battery fire on January 18, 2024, when a vehicle charging at a Level 3 DC fast charger in Illinois caught fire and on-site investigation traced the origin to inside the high-voltage battery. Three more ID.4 fires followed in 2024 — two in California, one in Utah — all potentially tied to the battery modules (NHTSA recall report 25V836 chronology; WardsAuto, Feb 6, 2026).

For most of 2025 the root-cause hunt went nowhere. In June 2025 SK Battery America ran CT imaging on cell modules pulled from three fire incidents and could not identify a cause. VW and SK then went looking outside the battery — charging apparatus, vehicle wiring — found nothing, and refocused on the pack. After another thermal event in August 2025 (a Colorado ID.4, again on a Level 3 charger), SK performed a physical tear-down in late September 2025 and finally found it: a "shifted electrode" condition. Going back to the June CT images with that knowledge, they could now see the shifted cathode they had missed (NHTSA 26V030 §Chronology, submitted Jan 21, 2026).

From there it cascaded. VW brought the issue to NHTSA's Office of Defects Investigation at its October 2025 quarterly meeting. A first recall (25V836) was filed December 3, 2025 for 311 vehicles, amended to 629 on December 15 when SK found more affected modules. Then SK identified a second, distinct hardware issue that could produce a different shifted-electrode condition, and on January 14, 2026 the VW Product Safety Committee approved a second recall — 26V028, 670 vehicles, 100% estimated to contain the defect, carrying a "Do Not Drive / Park Outside" advisory and immediate battery-pack replacement (WardsAuto, Feb 6, 2026; Autoblog, Feb 2026).

And then the interesting one. By January 2026, Volkswagen was seeing thermal incidents outside the population SK could explain with a defined hardware anomaly. They still did not have a clean root cause for those. What they had was data showing that the Self-Discharge Detection ("SDD") software would have flagged a developing problem in advance of at least three known incidents, dated May 22, June 23, and October 31, 2025. So on January 14 the Product Safety Committee approved recall 26V030, covering 43,881 ID.4s built between September 2, 2022 and April 10, 2025 — defined explicitly as the vehicles that do not have SDD software installed. The remedy: a battery health check, installation of the updated Battery Management Controller software (BMCe SW V.1030, part number 0Z1.915.184.G), and module replacement where the inspection or the newly installed SDD warning flags it (NHTSA 26V030, submitted Jan 21, 2026).

The tell is in VW's own remedy note. ID.4s with the 82 kWh pack got the updated BMCe software in production starting January 17, 2024. The 62 kWh cars stopped production before the software change was ever made. So the recall population isn't random — it is the set of vehicles that shipped before a known-good diagnostic became standard, plus a battery chemistry that never got it at all. The fix for 43,881 cars is to give them a piece of software the rest of the fleet already had.

One more fact worth holding onto: in January 2025, SK installed cameras at the Commerce, Georgia plant to detect anomalies during the cell-stacking process (NHTSA 26V030). That is a process-control countermeasure arriving after the electrodes had already shifted on cars now in the field — which is exactly the IATF 16949 conversation we'll get to.

2. The standards lens

Three standards families govern this failure, and naming them precisely is the whole point.

2.1 ISO 26262 — the battery is an item, and "detect the fault" is a safety goal

The high-voltage battery and its management controller are an E/E system, so ISO 26262 applies to the BMS the way it applies to any safety-related controller. Run the ISO 26262-3 §6 item definition and §7 HARA on the pack and the top hazard writes itself: uncontrolled exothermic reaction in the HV battery leading to thermal propagation and vehicle fire while occupants are present or nearby. Severity is S3 (life-threatening / fatal — a vehicle fire is unambiguous). Exposure for "vehicle parked or charging" is E4 (the car spends most of its life in exactly those states; the field fires happened during and after charging). Controllability is C3 — a battery fire is not something a driver controls their way out of; at best they evacuate. S3 + E4 + C3 lands at ASIL D.

That ASIL determination is what makes the SDD story a functional-safety story rather than a quality story. The safety goal flowing from that hazard is not "build a perfect cell" — that's a goal you can never verify. It's "the system shall detect a developing internal cell fault and warn/isolate before thermal propagation." SDD is precisely that safety mechanism: a BMS diagnostic that watches for the slow voltage droop and self-discharge signature of an incipient internal short, on a timescale of hours-to-days, and raises a warning while there is still time to act. A function that VW's data says would have fired ahead of three real fires is, in ISO 26262-9 terms, a diagnostic with demonstrated coverage of the dominant failure mode. Leaving it off 43,881 cars is leaving the safety mechanism for an ASIL D hazard unallocated on a third of the relevant fleet.

2.2 ISO 6469-1 and UN GTR No. 20 — somebody has to warn the occupant

ISO 26262 tells you to detect the fault. ISO 6469-1 (electrically propelled road vehicles — safety specifications for the rechargeable energy storage system) and UN GTR No. 20 / UN ECE R100.03 tell you what to do once you have. GTR 20's thermal-propagation provision is built around occupant protection: when a single-cell thermal runaway is initiated, the vehicle must provide an advance warning to occupants so they can get out before the event reaches the passenger compartment — the widely implemented design target being on the order of a 5-minute egress window. That requirement only has teeth if there is a detection function upstream feeding it. SDD is the upstream half of a GTR 20 occupant-warning chain. Without it, the warning requirement is a dangling clause: the actuator with no sensor.

This is why "loss of range and/or performance" — the only customer-facing symptom VW lists for 26V030 — is the wrong place to set the alarm threshold. Range loss is a late, comfort-grade consequence of self-discharge. The GTR 20 frame demands the warning be tied to the safety consequence (impending thermal event), not the convenience one.

2.3 IATF 16949 and IEC 62660 — the electrode should never have shifted

The shifted-electrode defect is a production-quality escape, and that has its own standard stack: IATF 16949 for the automotive quality-management system, IEC 62660-3 for lithium-ion cell reliability and abuse requirements, and the AIAG-VDA PFMEA discipline for the cell-assembly process itself. A misaligned/shifted electrode is a textbook PFMEA failure mode for the stacking or winding operation — it causes localized current concentration, lithium plating, and eventually an internal soft short. The control that catches it is in-line inspection of electrode alignment. SK installing detection cameras at the stacking step in January 2025 is the correct PFMEA detection control — it just shows up in the timeline as a reaction to field fires rather than as a control that was rated, ranked by Action Priority, and in place before launch. In PFMEA language: the failure mode existed, the severity was maximal (S=10, fire), and the detection ranking before January 2025 was poor. That's a High Action Priority row that was closed late.

3. A worked snippet

Here is the HARA row the BMS hazard produces, written the way it should appear in the safety file.

| ID | Operating scenario | Malfunction / hazard | S | E | C | ASIL | Safety Goal | |----|--------------------|----------------------|---|---|---|------|-------------| | HZ-BAT-01 | Vehicle parked or AC/DC charging, occupants in or near vehicle | Internal cell short from shifted electrode initiates self-discharge then thermal runaway; no diagnostic detects the developing fault | S3 (fatal — fire) | E4 (parked/charging is dominant life state) | C3 (uncontrollable; occupants can only evacuate) | ASIL D | The system shall detect a developing internal-cell fault (abnormal self-discharge / cell-voltage divergence) and warn the occupant and isolate/limit the pack before thermal propagation reaches the cabin. |

The fault tree for the top event makes the role of the missing detector obvious:

TOP: Occupant exposed to HV-battery fire in ID.4
└─ AND
   ├─ Internal cell fault develops into thermal runaway
   │  └─ OR
   │     ├─ Shifted-electrode defect type 1 (recall 25V836 / 26V028 population)
   │     ├─ Shifted-electrode defect type 2 (second hardware issue, Jan 2026)
   │     └─ Other self-discharge mechanism, root cause undetermined
   └─ Warning/isolation does not occur in time
      └─ OR
         ├─ No Self-Discharge Detection function installed   [26V030 population]
         ├─ Detection threshold tied to range loss, not safety event
         ├─ No occupant egress warning per UN GTR 20 chain
         └─ No pack-level isolation / propagation barrier engaged

Look at the structure. The left branch is a quality problem — and quality problems are, in the limit, unbounded; you can drive the rate down but never to zero across millions of cells. The right branch is a functional-safety problem, and it is the branch you are supposed to be able to close by design. ISO 26262's entire philosophy is that you do not get to assume the left branch never happens; you assume faults occur and you require the right branch to catch them. Recall 26V030 is an admission that, for 43,881 cars, the right branch was wide open.

The timing argument is the subtle part. A hard internal short can go to thermal runaway in seconds — far inside any plausible Fault-Tolerant Time Interval for a human response. SDD does not fight that fight. It works on the precursor: the slow self-discharge and voltage divergence that precede the runaway by hours or days. That is what makes the detector viable — it converts a millisecond-class hazard into a day-class warning. The May/June/October 2025 incidents VW cites are the proof that the precursor window is real and observable.

4. Derived requirements (excerpt)

Five requirements with stable IDs, traceable to the row and branches above. Numbers are illustrative engineering targets, to be replaced by the program's validated values.

| Req ID | Requirement | Trace | |--------|-------------|-------| | BAT-SR-001 | The BMS shall continuously monitor per-cell-group open-circuit voltage divergence and self-discharge rate, and shall assert a "battery integrity" fault when self-discharge exceeds the nominal cell-aging envelope by a calibrated margin (illustrative: divergence over 30 mV beyond a 30-day reference, or self-discharge rate over 2x the aged-cell baseline). | HZ-BAT-01; FT right branch | | BAT-SR-002 | On a "battery integrity" fault, the vehicle shall issue an occupant-facing safety warning (not a range/comfort message) and a telematics alert within one drive/charge cycle, supporting the UN GTR 20 occupant advance-warning intent. | ISO 6469-1 / UN GTR 20 | | BAT-SR-003 | The Self-Discharge Detection diagnostic shall be a standard, non-optional element of the BMS software baseline across all pack variants and model years; no production configuration shall ship without it, and it shall be added to in-service vehicles via the field-update process. | 26V030 population gap | | BAT-SR-004 | On confirmed internal-fault detection, the system shall limit charge acceptance and target state-of-charge (illustrative interim limit: 80% SOC, DC fast charge inhibited) until inspection, mirroring the interim field advisory but triggered automatically rather than by owner letter. | 26V028 advisory; HZ-BAT-01 | | BAT-SR-005 | The cell-assembly process shall include in-line electrode-alignment inspection with a validated detection capability for the shifted-electrode failure mode, with the associated PFMEA row maintained at the achieved Action Priority and re-rated when the control changes. | IATF 16949 / IEC 62660; PFMEA |

None of these is novel. BAT-SR-001 is what SDD already does. BAT-SR-003 is just a configuration-management requirement — make the safety mechanism mandatory, not a variant option. BAT-SR-005 is the inspection SK installed in January 2025, written down where it belongs: in the PFMEA, before launch, not after the fourth fire.

5. What the headline really tells us

"Volkswagen recalls 44,000 EVs for battery fire risk" reads like a battery story, and the popular coverage treats it as one — another lithium-ion scare, another supplier defect. The two smaller recalls (25V836 and 26V028) genuinely are that: a manufacturing escape at SK Battery America, caught late, fixed with module replacements and a new inspection camera. Those are quality failures, and quality failures are the cost of building cells at scale.

But 26V030 is a different animal, and it's the one that generalizes. Volkswagen could not pin a clean root cause to the fires outside the defined-defect population. Faced with that uncertainty, they did the correct functional-safety thing: they fell back on a detection mechanism rather than chasing a prevention they couldn't guarantee. The uncomfortable part is that the detection mechanism already existed — it had been standard on the 82 kWh cars since January 2024 — and 43,881 vehicles were driving around without it because they predated the change or carried a chemistry that never received it. The recall is not the company inventing a fix. It is the company finishing the deployment of a fix it already trusted.

That is the missing artifact, and it isn't a HARA row or a fault tree — those, VW clearly has. It's a configuration-management rule that says a safety mechanism for an ASIL D hazard is not allowed to be a variant-dependent, model-year-dependent option. Once SDD was credited with detecting the dominant failure mode, every pack without it became a vehicle operating with a known safety mechanism switched off. The fix was sitting in the catalog. The work that wasn't done was making sure it shipped on everything that needed it.

If you build battery packs and your incipient-fault diagnostic is an option code, a trim-level difference, or a "later model year" feature, that gap is the actionable thing — long before any field fire forces a regulator to do the allocation for you.

Sources

— Jherrod Thomas, The Lion of Functional Safety™