Welcome to week 4 of the course. If you're planning to complete the honors section, then there's one more week left. Otherwise, this is the final week, so you're almost there. Last week, our focus was on studying requirement 1 of a battery management system, which had to do with sensing and high-voltage control. This week, the plan is to examine the remaining four requirements of a battery management system. You may remember that these were protection and interface and performance management and diagnostics. In this lesson, we consider specifically requirement number two, which has to do with protection. A battery management system must provide monitoring and control to protect in two different ways. The first one that we look at is the requirement to protect the battery pack cells from out-of-tolerance ambient conditions. The second is to protect the user from the consequences of battery pack failures. And as you've already learned, high-energy storage batteries can be very dangerous. If energy is released in some uncontrolled way, this can have catastrophic consequences. One example is if there's a short circuit inside one or more of the battery cells that will cause large levels of electrical current to flow, which will cause a lot of heat to be generated, which will cause thermal runaway and fire in the battery pack. A second example is if there's physical damage to the battery pack, such as if a vehicle is involved in an accident. And this can lead to very unpredictable energy release due to crushing or penetration of the cells and so forth. If a battery cell develops an internal or an external short circuit, hundreds or even thousands of amperes can develop in microseconds. So if we want to have any hope of protecting against a short circuit, the protection circuitry must act extremely quickly. 
This is very difficult, and in many instances, the best we can really hope to do is to isolate the damage caused by a short circuit in one cell so that it does not propagate to other cells in the battery pack. Different applications and different cell chemistries require different degrees of protection. A failure in a lithium-ion cell can be very dangerous, and it can lead to a fire and even lead to an explosion. In many applications, including in the automotive environment, protection is indispensable. When we're designing protection for a battery pack, we must address the following undesirable events or conditions. We must address excessive current during charging or discharging. We must address the possibility of, and a response to, a short circuit. We must consider overvoltage and undervoltage. We must think about high ambient temperatures and overheating of the battery pack, and we need to look at what happens if isolation is lost, in other words, if there's a ground fault. And we also need to think about what to do if there's abuse to the battery pack. When we're designing protections, we should also consider what happens if our protection mechanism itself fails. Whenever possible, we should implement redundant protection paths so that if the primary protection mechanism fails, then the secondary protection mechanism will still be able to protect the user and the battery pack. The drawing on the right-hand side of this slide attempts to illustrate this. It shows in a graphical way the region of operation in which we would like to operate our battery pack and the region that we would really like to stay away from. In this case, the horizontal axis is temperature, and the vertical axis is magnitude of electrical current. The region that is shaded in red indicates locations where it is unsafe to operate the battery pack in terms of temperature and current magnitude. 
Any point that is not colored red is technically an acceptable point at which we can operate the battery pack. However, we would like to leave a safety margin in our design so that we not only stay out of the red zone, but we also don't even really get close to the red zone. So we define this green region that you see, which is what we call the safe operating zone, that is separated from the failure zone by a safety margin region, which is shaded in white. We choose our safety devices to constrain operation to be inside of the green region. For example, our design might include a thermal fuse. Whenever the temperature increases beyond the fuse set point temperature, the fuse will trigger, and operation will cease. The operation boundary of the thermal fuse is drawn as a vertical line on this diagram. To the left of this line, the fuse is not activated, and operation continues as normal. To the right of this line, the fuse has activated and has shut down the battery pack. We might also consider using a resettable fuse. A resettable fuse is characterized by the diagonal line that's a function of both current and temperature. So whenever current goes above a certain level at the present temperature, or whenever temperature goes above a certain level at a certain magnitude of current, the resettable fuse will trip. And again, operation will cease until the temperature goes down enough that the fuse resets. We can also consider some kind of an electronic protection that is continuously monitoring the magnitude of the electrical current and will, again, discontinue operation when the circuit determines that electrical current has gone above some magnitude. What's important in this diagram is that you notice that in order to go from the safe operating zone, shaded in green, to the unsafe failure zone, shaded in red, a minimum of two of these protection mechanisms must be breached to do so. 
This means that to enter the failure zone, at least two of the protection systems will have failed completely. Or to put it another way, we're almost certain that we will never enter a failure zone because we have at least two protection mechanisms that will always keep us from doing so. Again, if one of our safety mechanisms fails, we will enter the white region, which is a safety margin. And it's still safe to operate in that region. It's only if two of our safety mechanisms fail that we will enter the failure zone. We can draw a similar diagram when we consider protecting against overvoltage and overtemperature together. The diagram on the right illustrates this with temperature, once again on the horizontal axis, but this time with voltage on the vertical axis. The thermal fuse can protect against overtemperature. Different kinds of electronic protection can protect against overvoltage and undervoltage. For example, when we consider overvoltage, our battery management system might have dedicated electronics that monitor the voltage of individual battery cells and shut down. Or the software in our battery management system might additionally monitor these voltages and shut down when they become too high. Additionally, when we think about overvoltage, the most likely cause leading to overvoltage is when we're charging the battery pack, when we're plugged into a charger. So the charging system might have its own overvoltage circuitry or software detection mechanism that can notice if there's a problem and respond to it. On the undervoltage side, our battery management system can, once again, have either electronic or software-based undervoltage detection. And the load connected to the battery pack can also implement undervoltage protection mechanisms. We do need to be a little bit careful when adding these protection mechanisms, however, especially if they are electronic mechanisms. 
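An added Python model of the layered protections on the temperature/current diagram described above; it is not code from the course, and every threshold in it is a constructed illustrative value. It represents the thermal fuse as a vertical line, the resettable fuse as a diagonal line, and the electronic overcurrent monitor as a horizontal line, and checks over a grid of operating points that no point in the failure zone can be reached unless at least two protections have failed.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed thresholds for illustration only; not values from the lecture.
THERMAL_FUSE_TRIP_C = 85.0      # thermal fuse: vertical line on the temperature/current diagram
ELECTRONIC_OC_LIMIT_A = 200.0   # electronic overcurrent monitor: horizontal line
PTC_I0_A = 270.0                # resettable (PTC) fuse: diagonal line, trip current falls with temperature
PTC_SLOPE_A_PER_C = 3.0         #   trip current = PTC_I0_A - slope * T, reaching zero at 90 C
FAIL_TEMP_C = 100.0             # failure zone (red): beyond either of these the pack is unsafe
FAIL_CURRENT_A = 300.0


@dataclass(frozen=True)
class OperatingPoint:
    temp_c: float
    current_a: float  # magnitude of current, >= 0


# Each protection returns True when it has tripped, i.e. it has stopped operation.
PROTECTIONS = {
    "thermal_fuse": lambda p: p.temp_c >= THERMAL_FUSE_TRIP_C,
    "ptc_fuse": lambda p: p.current_a >= max(0.0, PTC_I0_A - PTC_SLOPE_A_PER_C * p.temp_c),
    "electronic_oc": lambda p: p.current_a >= ELECTRONIC_OC_LIMIT_A,
}


def in_failure_zone(p: OperatingPoint) -> bool:
    return p.temp_c >= FAIL_TEMP_C or p.current_a >= FAIL_CURRENT_A


def operation_allowed(p: OperatingPoint, failed=()) -> bool:
    """True if no working protection has tripped; `failed` names protections assumed broken."""
    return not any(trip(p) for name, trip in PROTECTIONS.items() if name not in failed)


def min_failures_to_reach(p: OperatingPoint) -> int:
    """Smallest number of protections that must fail for the pack to keep operating at p."""
    names = list(PROTECTIONS)
    for k in range(len(names) + 1):   # k == len(names) (all failed) always allows operation
        if any(operation_allowed(p, failed) for failed in combinations(names, k)):
            return k


def defense_in_depth_holds(t_max_c=120.0, i_max_a=400.0, step=5.0) -> bool:
    """Check on a 0..t_max x 0..i_max grid that every failure-zone point needs >= 2 failures."""
    temps = [i * step for i in range(int(t_max_c / step) + 1)]
    currents = [i * step for i in range(int(i_max_a / step) + 1)]
    return all(min_failures_to_reach(OperatingPoint(t, c)) >= 2
               for t in temps for c in currents if in_failure_zone(OperatingPoint(t, c)))
```

A point that trips exactly one protection lies in the white safety-margin region: a single failure lets the pack keep running there, but it is still outside the red zone.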
This is because each of the devices that we add into the main current-carrying path will add some kind of resistance to that path. And that will reduce the power that's delivered to the load and also increase the amount of heat that's generated in the battery pack. It will also increase the cost of the battery pack because of the additional components that we're adding. So we don't want to add an enormous number of these protection devices. But we do want to be careful in our design to add a sufficient number to meet safety standards. Some examples to consider when designing safety mechanisms include a thermal fuse that operates when the present temperature is above some limiting temperature, and a conventional fuse, which is designed to prevent overcurrent but also operates based on an internal temperature. A note, however, on the conventional fuse is that it operates when it heats up internally, and an internal element basically vaporizes. And this may not act quickly enough to protect against some very rapidly accelerating event, such as the result of a short circuit. So we might need to consider more active fault detection, by which I mean an electronic device coupled with software, instead of some passive device. In addition to protecting the battery pack from environmental conditions that comprise safety hazards, we also need to be able to build into our design the ability to detect operational faults and to be able to tolerate, and whenever possible, rectify these faults. For example, current state-of-the-art battery management systems use processors that have dual processing cores. These cores execute the same instructions at slightly different time offsets and then compare the results of the instructions against each other. When the results don't match, this can trigger execution of additional code that tries to recover from that fault or at least to inform the user that something went wrong. 
In a master-slave battery management system, the slave systems can also often detect cell faults without any additional input processing by the master. For example, many of the battery management integrated circuits that we looked at previously can automatically detect overvoltage or undervoltage at a cell level based on thresholds that have been programmed into that slave by the master BMS. They can also often monitor for overtemperature and undertemperature since they are also measuring those quantities. And in some cases again, the slave integrated circuits themselves can be redundantly implemented, so that you have two slave chips measuring the same physical quantities and comparing results against each other. And if those results do not agree, then at least one of the results is wrong. And that can be reported to the master BMS, which will take appropriate action to respond to that. If a slave determines that there has been a very serious fault, it may, in some cases, be given authority to shut down the battery pack without involving the master microprocessor. This is an extreme condition and not one to be undertaken very frequently. But it can help to save a battery pack and to ensure safety when communications with the master microprocessor have been lost, or when the master microprocessor has failed entirely. Monitoring voltage faults and temperature faults is fairly simple, but there are some other types of faults that are much more complicated and must be detected using software. One example is the method that you learned for detecting isolation faults last week. All of this discussion also brings up the realization that the communications link between the master and the slaves must have very high electrical noise immunity or very high EMI, electromagnetic interference, immunity. 
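An added Python sketch of the slave-side fault detection just described; it is not code from the course or from any particular battery-monitoring IC. The threshold values, the fault code names, and the set of faults a slave may act on by itself are assumptions chosen for illustration. Two redundant chips' voltage readings are compared against each other, cell-level limits programmed by the master are applied conservatively, and the slave shuts the pack down on its own only when the master is unreachable and a serious fault is present.

```python
from dataclasses import dataclass

# Fault codes a slave can raise (names are assumptions for this example).
OV, UV, OT, UT, MISMATCH = "overvoltage", "undervoltage", "overtemp", "undertemp", "mismatch"
# Faults the slave is assumed to be authorised to act on alone when the master is unreachable.
SERIOUS_FAULTS = {OV, OT}


@dataclass(frozen=True)
class SlaveThresholds:
    """Limits programmed into the slave by the master; constructed values, not from the course."""
    v_max: float = 4.25    # V per cell
    v_min: float = 2.50
    t_max_c: float = 60.0
    t_min_c: float = -20.0
    v_tol: float = 0.02    # max disagreement tolerated between the two redundant slave chips


def check_cells(primary_v, secondary_v, temps_c, th=SlaveThresholds()):
    """Per-cell fault codes from two redundant voltage readings and one temperature per cell."""
    faults = {}
    for i, (v1, v2, t) in enumerate(zip(primary_v, secondary_v, temps_c)):
        found = []
        if abs(v1 - v2) > th.v_tol:
            found.append(MISMATCH)       # the chips disagree: at least one reading is wrong
        # Limits are applied conservatively: either chip's reading out of range is a fault.
        if max(v1, v2) > th.v_max:
            found.append(OV)
        if min(v1, v2) < th.v_min:
            found.append(UV)
        if t > th.t_max_c:
            found.append(OT)
        if t < th.t_min_c:
            found.append(UT)
        if found:
            faults[i] = found
    return faults


def slave_action(faults, master_reachable):
    """Normally every fault is reported to the master; the slave shuts the pack down on its own
    only when the master cannot be reached and a serious fault is present."""
    if not faults:
        return "ok"
    if master_reachable:
        return "report_to_master"
    serious = any(f in SERIOUS_FAULTS for codes in faults.values() for f in codes)
    return "local_shutdown" if serious else "report_when_link_restored"
```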
We really desire that the communication be robust and reliable and fault free in order to have an overall robust battery management system that's able to detect the safety of the battery pack and to perform all of its normal required operations. Whenever we're designing a battery management system for specific applications, it's also important to be aware that there are different international safety standards that must be complied with. For example, when designing a battery management system for a passenger vehicle that has a maximum vehicle weight up to 3,500 kilograms, we must comply with the ISO 26262 safety standards. If we're designing a battery management system for an electric motorcycle, we must comply with ISO 19695. And this is similar to, but somewhat different from, the ISO 26262. Or if we're designing a battery management system for trucks larger than 3,500 kilograms, which includes even commonly-seen vehicles like the Ford F250 or the Chevy Silverado and others, then we must comply with the IEC 61508. Now, it's not the goal of this specialization to talk about safety standards. They're quite complicated, and they would require courses of their own, really, to understand them and how to implement them. At this point, I simply want you to be aware that these standards exist, and it's important, when designing a BMS, that our software and hardware designs comply with these standards. The fact that there are different standards for different applications tends to make it difficult to have one universal BMS that can apply to any application at all. The safety standards I've listed all have the same general goals, but they are somewhat different in how they describe these goals and in how they apply them. For example, they define things called safety integration levels, or SILs, and evaluate them, though, in different ways. So it's challenging to design to all of these standards simultaneously. 
And as I've mentioned, these standards are complicated and require courses or specializations of their own to understand them completely. When implementing BMS software, the amount of time and code required to satisfy the standards should also not be underestimated. Some of the colleagues that I have in the field tell me that 40%, four-zero, 40% or more of the BMS code is written specifically to address safety standards. So to summarize this lesson, you've learned that it's critical to protect the battery pack operator and the battery pack itself. It's good design practice to require multiple protections to fail before the battery pack itself is able to fail. Along the same lines, it's important to have redundant sensing and processing to make a robust design to enable fault detection. And finally, there exist international standards that inform as to the best-practice designs that lead to robust and fault-tolerant implementations. But these are beyond the scope of this specialization. So that concludes this lesson on safety and protection. And from here, we move on to look at the remaining BMS requirements.