5. Safety

This document describes the hazard risk analysis and assessment done for the foxBMS platform. The content of this document must be read and understood before any tests are done with the foxBMS hardware. All physical quantities and units used in the document are SI based.

5.1. Hazard Risk Analysis and Assessment

The risk analysis and assessment was last performed in May 2017. Following persons were involved:

Name Responsibility
Vincent Lorentz Global project Management
Stéphane Koffel Technical Project Management
Martin Wenger Hardware Development (BMS-Extension)
Radu Schwarz Hardware Development (BMS-Master)
Sebastian Wacker Hardware Development (BMS-Slave)
Stefan Waldhör Software Development
Müsfik Akdere Software Development
Johannes Wachtler Validation and Tests
Markus Freund Moderation

5.2. General Description of the foxBMS Platform

foxBMS is a research and development platform aimed to be used to develop battery management systems (BMS) for rechargeable energy storage systems based on lithium-ion batteries (LIB) or comparable electrochemical rechargeable accumulator cells (e.g., other chemistries like lithium-sulfur, sodium-ion or even all-solid-state batteries), lithium-ion capacitors (LIC), electric double-layer capacitors (EDLC or supercapacitors). The lithium-ion battery packs or battery modules are a major source of hazards and are not part of the foxBMS platform (see fig. 5.1). The main purposes of the battery management system are charge monitoring and keeping the battery cells in their safe operating area to ensure optimal safety and the longest battery lifetime.

../../_images/hw_system_overview.png

Fig. 5.1 foxBMS in the battery system

For those tasks, the foxBMS platform is equipped with measurement and control circuits (i.e., BMS-Slave Boards) to monitor the battery cells and to get information about their states. With this, the cell voltages, temperatures and overall battery pack current are measured, and kept in the safe operating area. The battery charge equalization (i.e., balancing) is controlled and fed back to the foxBMS Master Unit. The setup of the system is shown in fig. 5.2.

../../_images/battery_system_block_diagram.png

Fig. 5.2 Block diagram showing the typical topology of a battery system

The foxBMS platform uses a passive balancing circuit based on the LTC6811-1 multicell battery monitoring integrated circuit. The unique selling point of the foxBMS platform is its virtually unlimited possibilities to be adapted the needs of the user.

5.3. Limits of the foxBMS Platform

The foxBMS platform consists only of the foxBMS Master Unit with the foxBMS Slave Units and the provided computer software. It does not include battery cells, battery cell models, power contactors, current sensors, fuses, chargers, power supplies, ground fault detector.

The foxBMS Master Unit and the foxBMS Slave Units have a primary and a secondary side which are separated and galvanically isolated from each other.

The area of the use of foxBMS must be free of hazardous materials like flammable gases, combustible dust or ignitable dust and fibers. The temperature should be around 20°C and may not exceed the battery cells restrictions given by the battery cell manufacturer (e.g., around 45°C to 60°C, depending on the battery cell chemistry). The operating and storage environment needs to be dry and free of static electricity with air humidity between 35% and 55%.

The lifetime of the electronics of foxBMS is supposed to be limited to three years since the target application is research and development. During this time, hardware and software updates and bug fixes are to be expected. Besides that, the research or work on the prototypes should be finished after three years.

The interfaces of the foxBMS Master Unit are:

Connection Description
Supply Voltage DC 12VDC-24VDC supply input
Ground Fault Detector Connection for the insulation monitor to detect an error (Bender ISOMETER IR155-3203)
CAN0 Galvanically isolated connection on foxBMS Master Unit for additional sensors (IVT-MOD-300)
Primary USB Galvanically isolated USB connection to microcontroller on the primary side for flashing and communication
Contactors 0-8 Power contactors between battery and the supplied load
Interlock Galvanically isolated connection between the microcontrollers and connector control
Daisy Chain (Primary/Secondary) Connection for the next BMS-Slave Board in the battery system
Secondary USB Galvanically isolated USB connection to microcontroller on the secondary side for flashing and communication
CAN1 Galvanically isolated connection on BMS-Extension Board
RS485 Galvanically isolated RS485 interface as alternative for CAN or USB
Isolated GPIO Galvanically isolated general purpose IO for user specific needs
Isolated NOC Galvanically isolated Normally Open Contact interface for any purpose left to the user
Analog Inputs Analog inputs for any purpose left to the user
Memory Card Data storage for the primary microcontroller

The interfaces of the foxBMS Slave Unit are:

Connection Description
12 Cells 13 voltage sense connections for 12 cells
8+16 Temperatures Temperature sensor connection (one for each cell)
4 Daisy Chains Primary and secondary daisy chain connections to the next and to the previous BMS-Slave Board

The maximum amount of BMS-Slave units depends on the number of battery cells connected to the slaves and the voltage of each cell. The total voltage of the battery pack must never exceed 1500Vdc (continuous and peak). Battery types to be used with the system are lithium-ion batteries or comparable electrochemical rechargeable accumulator cells, lithium-ion capacitors or supercapacitors.

5.4. Targetted Users of foxBMS

The persons who use the foxBMS R&D platform must be electrically skilled according to the IEC. They must also be educated in rechargeable batteries and have knowledge in electrochemistry. With the sum of battery cells exceeding 120VDC, these persons also need to be skilled in live working. It is not enough to be an electrically instructed person. Targeted users of the foxBMS R&D platform are R&D and test engineers working in a well-defined, safe and controlled environment, like a test bay or a test bench. Since these persons assemble the whole system by themselves, they are the only persons who can do the service and the maintenance. The R&D and test engineers are both users and servicers.

The foxBMS R&D platform is not intended to be used by ordinary persons as they are not well and not enough educated in batteries, or in electrical subjects. This also includes students, handymen, and do-it-yourselfer or DYI enthusiasts who do not fulfil the above requirements.

5.5. Intended Use of foxBMS

The foxBMS R&D platform is only for lithium-ion batteries or comparable energy storage systems. It is an evaluation kit intended only to professionals and to be used at research and development facilities for such purposes. It is designed for research, development and tests purposes to manage prototypes of lithium-ion-battery systems when developing new products.

5.6. Reasonably Foreseeable Misuse of foxBMS

The foxBMS R&D platform is not intended to be used as a voltage monitoring system of any other electrical systems than battery systems build with battery cells providing a maximum single cell voltage of 5V.

5.7. Phases Throughout the System Lifecycle of foxBMS

  1. Development
  2. Manufacturing
  3. Packaging
  4. Transportation
  5. Assembling
  6. Initial operation
  7. Usage (operation)
  8. Maintenance
  9. Repair
  10. Further operation
  11. Shutting down
  12. Storage
  13. Disassembling
  14. Disposal

5.8. Hazard Zones of foxBMS

Only few hazard zones are obvious. One is the foxBMS and the other its environment with the battery system including bus bars, battery cells and other parts. Since the battery system is defined by the user, only a general consideration can be done.

5.9. Risk Assessment

Depending on the countries of the target application, there are different standards to regard. In the European Union, the applicable directives lead to different safety requirements. These have a variety of risk graphs for the risk assessment. Although they are only slightly different they are not adaptable to each other. Since the target country and use of foxBMS is unknown, the users of the system need to do a risk assessment on their own according to their concerns.

Some European directives that can be relevant for the foxBMS users:

  • General product safety
  • Low voltage
  • Machinery
  • etc…

Some example of safety standards that might fit the application of the foxBMS users:

  • IEC 61508 (Functional Safety)
  • ISO 25119 (Agriculture)
  • ISO 26262 (Road Vehicles)
  • EN 13849 (Machinery)
  • EN 61511 (Process Industry)
  • EN 50156 (Furnaces)
  • etc…

A list of standards that might fit to the target application can be found here:

5.10. Standards

In order to use the foxBMS safely, at least the following standards or similar ones should be regarded:

  • DIN VDE 0100-410 (IEC 60364-4-41)
  • DIN VDE 0100-600 (IEC 60361-6)
  • EN 60529
  • EN 50272
  • etc…

Recommended readings:

5.11. Safety Instructions Before Using foxBMS

Danger

alternate text

Risk of electric shock. You need to be an electrically skilled person in order to work with batteries and assemble battery systems. Regard IEC 60364-4-41, IEC 60364-6, IEC 60529 (DIN VDE 0100-410, DIN VDE 0100-600, VDE 0470-1).

Danger

alternate text alternate text

Risk of electric shock while assembling, repairing, maintaining, servicing or disassembling the battery system. You need skills in live working in order to work with the battery system and assemble it. Wear personal insulating protective equipment.

Danger

alternate text alternate text alternate text alternate text alternate text

Risk of fire, explosion and chemical hazards through the battery cells. You need to be a battery skilled person in order to work with the battery system and assemble it. Use safe cells with CID, PTC and OPD. Use the battery system in a confined area. Keep sand, water and fire extinguisher close to the system to fight fire. Regard local fire safety regulations.

Danger

alternate text alternate text alternate text alternate text alternate text

With an electrical short, battery cells will heat up and explode. The short might create an electric arc and cause fire. Do not short-circuit battery cells or batteries. Always cover at least one terminal of the cell or battery and keep the poles away from each other. Watch out while working on the cells or batteries. Do not wear necklaces or jewelry to prevent shorts. Wear personal arc protective equipment (e.g., protection clothes, face protection, protection glasses, protection gloves). Keep other persons in a safe distance.

Danger

alternate text alternate text

Battery cells and batteries expand and shrink through thermal differences and through charging and discharging during usage. If the battery cells are too tight and squeezed together, they can get damaged. The movement of the cells will loosen screws that might fall down and create an electrical shortage. A fire might start or other hazards can occur. Leave enough room between the cells and use locknuts.

Danger

alternate text alternate text

Electric short and hazards through reversed polarity or wrong connection can occur. Be cautious and prevent battery cells and batteries from wrong connection.

Danger

alternate text alternate text alternate text alternate text

Electrolyte may cause irritation or intoxication and lead to death or threaten your health. Hydrofluoric acid (HF) or phosphane (PH3) might develop. Wear eye protection and gloves while working with electrolyte. Regard material safety datasheet (MSDS) from the battery cell manufacturer.

Danger

alternate text alternate text

Old and new battery cells, different technologies or capacities of cells may vary very much in both voltage and current. This can lead to an overcurrent or overvoltage same as undervoltage and result in cell or battery damage with dramatic consequences. Do not use old cells or batteries with the system and do not mix cells or batteries of different chemistries or technologies. Change all cells of a battery at the same time. Do not mix cells within the battery. Use only one type of cell throughout the whole system.

Warning

alternate text alternate text alternate text alternate text

Developing gas from the battery cells or battery systems may cause fire. Use the battery cells and the battery system only in a good ventilated environment to ensure flammable and toxic gases will be removed in case of degassing of a battery cell.

Warning

alternate text

Overvoltage or reverse polarity at the foxBMS Slave Units can cause an electrical short, fire and following hazards. Use fuses on each cell to prevent overcurrent through the electrical short. The foxBMS Slave Units can take a maximum amount of 12 cells with a voltage sum between 11V and 55V. Beware of the amount of cells and the cell voltage.

Warning

alternate text alternate text alternate text

Chemicals from the battery might threaten your health. Do not touch chemicals and wear chemical protective gloves and safety goggles. Regard material safety datasheet (MSDS) from the battery cell manufacturer.

Warning

alternate text alternate text

The soldering heat can damage safety parts of the cells or battery. Do not solder anything directly to the cells or battery. Follow the mounting instructions of the manufacturer.

Warning

alternate text

Damaged batteries or cells can cause fire. Use flame retardant materials in your system and keep burnable materials away. Apply a temperature sensor to detect over temperature and keep a fire extinguisher close to the battery system. Do not use damaged cells or batteries.

Warning

alternate text

Parallel cells with an electrical short can cause a large over current and over temperature that bring other hazards with them. Assemble breaking elements between parallel cells to avoid the short current.

Warning

alternate text

Overvoltage or overcurrent through charging or discharging can lead to fire, leakage or explosion. Always use a proper charger for the cells and the batteries and avoid heavy loads and rapid charges and discharges. Remove fully charged battery packs from the charger.

Warning

alternate text alternate text

Risk of electric shock through an error in the insulation. Use a ground fault detector or an insulation monitor and regard IEC 60364-4-41 and IEC 60364-6 (DIN VDE 0100-410, DIN VDE 0100-600).

Warning

alternate text alternate text

Risk of electric shock while working on live parts. Use only insulated tools while assembling, disassembling, maintaining, servicing or dismantling the battery system. Never open battery cells.

Warning

alternate text

Explosive or flammable environment around the battery cells or the battery system can start burning or explode. Do not use the battery system in an explosive environment.

Warning

alternate text alternate text alternate text

Toxic fumes through evaporating electrolyte or other substances through an electrical short may lead to intoxication, chocking or breathing problems. Assemble and disassemble the system carefully and keep gas mask or breathing aid in close environment.

Caution

alternate text alternate text

Heavy battery parts can fall on your feet and sharp edges might cut or hurt you. Use solid housing and add handles. Wear personal protective equipment, gloves, shoes and other clothes for working.

Caution

alternate text

An electric arc or exploding cell may cause loud noise. Wear ear plugs muffs with other personal protective equipment. Stay out and keep other persons out of the testing area.

Caution

alternate text

Soldering material may cause irritation or intoxication and lead to death or threaten your health. Wear gloves while working with soldering materials and wash hands properly afterwards.

Caution

alternate text

Corrosive materials, humidity and gas can lead to corrosion of any part of the system. Failure of electrical or electronic parts especially safety responsible parts may lead to other hazards. Keep the battery system in a dry and clean environment and away from corrosive materials.

Note

alternate text alternate text alternate text alternate text

Damaged battery cells or batteries may leak electrolyte, especially when pouch battery cells are used and the pouch bag has been damaged. Put a basin underneath for dripping the electrolyte.

Note

alternate text

Undervoltage leads to a damaged cell or battery system. Prevent deep discharge. Never charge and use again battery cells or batteries after deep discharge has occurred.

Note

alternate text

Cell or battery damage through too low or too high temperature during storage, transportation or usage. Always keep cells or batteries in their valid temperature range. Keep the cells and batteries out of the sun and use heating or cooling to keep the safe temperature range.

Note

alternate text alternate text alternate text

Battery cells, battery systems, electrical and electronic parts must be stored and disposed properly.

5.12. Measures Through Control with foxBMS

  • Detection of cells with over temperature and safe switch off or disconnect.
  • Detection of cells with over voltage and safe shut off or disconnect.
  • Detection of cells with deep discharge and safe shut off or disconnect charger.
  • Detection of ground short (insulation error) with safe switch off or disconnect.

The recommended structure for failure tolerant systems (1oo2) in EN 13849 is shown in fig. 5.3:

../../_images/hw_safety_redundant_system.png

Fig. 5.3 Recommended structure for failure tolerant systems (1oo2) in EN 13849

With this structure, there are requirements to the reliability of the used hardware. Refer to the standard used. The implemented safety systems might have a common cause failure. Refer to the required standard to check how to minimize this failure.