Military and aerospace systems increasingly depend on rechargeable batteries for a wide variety of electronics and propulsion. Lithium-ion (Li-ion) batteries are the most-used electrical storage medium due to a combination of high energy density, low self-discharge, and affordability. In particular, these batteries are used for a variety of maritime power system applications, and users, including the U.S. Navy, want to extend the environments and missions in which Li-ion can be used safely.
VTG in Chantilly, Va., is implementing a safety-critical battery-management system to increase the safety of Li-ion power systems during all phases of deployment. That Critical Battery Management System (CBMS) runs the INTEGRITY-178 tuMP safety-critical real-time operating system (RTOS) from Green Hills Software in Santa Barbara, Calif., and will be fielded on special-operations submersibles that execute clandestine missions globally. With CBMS, the Navy will be able to bring Li-ion-powered vehicles aboard surface warships and submarines, adding to the list of assets available to fleet commanders.
The dangers of Li-ion technology
The main danger of Li-ion technology involves the flammability of electrolytes inside the battery cells. Damage from aging or abuse can cause an internal short circuit that can ignite the electrolyte. Li-ion battery cells can get damaged through thermal abuse, electrical abuse (overcharge or over-discharge), or physical abuse (e.g., crush, drop, or bullet penetration), each of which can lead to an internal short circuit.
A short circuit of the battery cell generates significant heat, which intensifies the electrochemical reactions and generates additional heat. This thermal-runaway cycle continues as an exothermic chain reaction and releases large amounts of flammable gases, which can increase the internal pressure of the battery and cause an explosion and fire.
Although Li-ion battery fires are rare in the small batteries that power consumer electronics such as laptop computers and power tools, they are more common in higher-powered battery propulsion systems such as electric bicycles (eBikes). As an example, Li-ion batteries in eBikes caused more than 200 building fires in 2022 in New York City alone, with 147 injuries and six deaths.
The danger from Li-ion batteries increases with the capacity of the battery and with its charging environment, storage area, and type of use. An eBike battery can store as much as 1.1 kilowatt-hours of energy, and a typical electric-vehicle pack holds 60 to 100 kilowatt-hours.
Batteries in military and aerospace applications can double that or more. Confined spaces, such as aboard aircraft, submarines, and surface ships can increase the impact of a Li-ion battery fire in terms of equipment damage, injury to personnel, and loss of life. For example, in 2010, a UPS cargo flight crashed after its large payload of lithium batteries spontaneously ignited and the smoke filled the cockpit. And in 2013, a commercial aircraft under maintenance had flames and smoke coming from the Li-ion auxiliary power unit, which is used to power the electronic flight systems.
Several actions are possible to improve Li-ion system safety. First, improve the quality of design and manufacturing of the battery to reduce defects and improve battery life span. Second, encase batteries in containers that will protect the platform and personnel in the event of a thermal runaway. Third, improve the battery management system (BMS) to be safety-certifiable so that it will reliably prevent dangerous conditions from occurring. A great deal of money and effort has been spent on the first two actions. Yet it is the third option, improving the BMS, that is the most cost-effective way to meet aggressive mission requirements.
Because battery cells can be damaged easily by overcharging, all modern Li-ion battery solutions of significant capacity include a base-level battery management system (BMS), which monitors the battery's health, predicts an imminent failure, and shuts down all or part of the battery before failure.
A basic BMS generally monitors current and voltage during charge and discharge and controls charging to stay within the current and voltage limits. The consequences of improper charging can range from reduced life span to severe damage.
During discharge, the BMS monitors the battery and provides operators with alerts and warnings to allow for intervention before approaching unsafe operating limits. That includes, for example, not exceeding the current limits of the wiring and not going below the minimum voltage rating for each cell. During both charging and discharging, the BMS also monitors cell temperature as an indication of imminent thermal runaway. If a cell exceeds its temperature threshold, the BMS shuts down any active charging.
A BMS that simply measures temperature, voltage, and current, however, is not always sufficient to prevent a hazardous event or its propagation to other cells, because the time available to react is short. For example, when a 26650-format Li-ion cell is overcharged, only about 4 minutes elapse between the voltage crossing its threshold and the start of a fire, and only about 2.5 minutes once the cell exceeds the initial temperature threshold established by the manufacturer.
To address safety concerns with the use of Li-ion batteries on ships and submarines, the U.S. Navy has safety requirements that are designed to meet three goals: preventing a battery mishap by tightly monitoring and controlling the charging process; minimizing the possibility of personnel hazards; and using operational data to drive maintenance operations.
Monitoring and controlling the charging process tightly requires reliable sensor data, reliable communication paths for transferring data and information, visual indication of battery status, visual and audio alarms, and reliable controls. Methods to minimize the probability of personnel hazards involve circuit breakers, contactors, and avoiding exposed high-power connectors. Using operational data to drive maintenance operations requires a means to log battery health and status data during sorties and then use that data to drive maintenance analysis and procedures.
To improve the basic design of a BMS and meet the Navy’s requirements, VTG took a systems approach centered on MIL-STD-882E, “Department of Defense Standard Practice System Safety,” with an emphasis on creating a reliable system that provides early detection of battery conditions that indicate a potential hazard. The result is VTG’s Critical BMS or CBMS.
Li-ion battery packs generally include battery management electronics (BME) to monitor battery operating conditions, such as cell voltage and cell temperature. To get an earlier warning of a potential hazard, VTG instruments the battery with additional sensors beyond the voltage and temperature measurement provided by the BME. VTG's CBMS measures heat-sink temperature, total battery voltage, battery current, pressure, and water intrusion to determine if it is safe to operate. Pressure is a particularly good early indicator because a short circuit in a Li-ion cell causes off-gassing of the electrolyte, which increases the internal pressure of the cell.
To create an extremely reliable system to measure, report, and act on those readings, VTG leveraged a safety-certifiable operating system and hardware from commercial aviation, because of the extremely high level of rigor required to meet aviation safety assurance objectives. For example, aviation functions assigned the highest design assurance level (DAL A), those whose failure would be catastrophic, must show a probability of failure below 1 x 10^-9 per flight-hour.
VTG selected the INTEGRITY-178 tuMP RTOS to run on the CBMS because it meets DAL A as defined in RTCA/DO-178C, "Software Considerations in Airborne Systems and Equipment Certification." Likewise, the CBMS runs on computer hardware that meets RTCA/DO-254, "Design Assurance Guidance for Airborne Electronic Hardware." The application software developed for the CBMS achieves a Level of Rigor driven by MIL-STD-882E, including path analysis validation.
The VTG CBMS includes redundant, fault-tolerant monitoring and control as required by MIL-STD-882E. The redundancy extends down to the sensor level and up through the components of the CBMS so that there is no single point of failure. Additionally, each component is selected and screened for a very high mean time between failures (MTBF).
The CBMS includes redundant Critical Battery Monitoring Unit and Interface Ethernet Converter pairs, each connected to the battery over Ethernet. A Critical Battery Management Computer oversees the charging process, which is when the greatest danger of a short circuit occurs. During charging, the CBMS monitors the battery and terminates the charging process if any sensor value is out of tolerance. Because the CBMS provides multiple mechanisms to terminate charging, both automatic and manual, the separate charging system does not have to meet safety-critical requirements.
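The charge-termination logic described above (out-of-tolerance readings from the basic voltage/current/temperature sensors, the added pressure and water-intrusion sensors, and redundant sensor channels) reduces to a supervisor that must decide, every sample, whether charging may continue. The example below is an added illustration and is not VTG's CBMS code; the limits, the frame layout, and the scenario functions are hypothetical. The design point it shows is the fail-safe direction: an unreadable sensor or two redundant channels that disagree terminates charging exactly as an overvoltage does, because neither condition proves the battery is safe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical limits for illustration only; real limits come from the cell
 * manufacturer and the platform safety analysis, not from this example. */
#define NCELLS            4
#define CELL_V_MAX        4.20f   /* V, charge termination voltage per cell */
#define CELL_T_MAX_C      45.0f   /* deg C, maximum cell temperature while charging */
#define PACK_I_MAX_A      20.0f   /* A, maximum charge current */
#define PACK_P_MAX_KPA    110.0f  /* kPa, enclosure pressure (rises on cell off-gassing) */
#define CHAN_DISAGREE_V   0.05f   /* V, tolerated mismatch between redundant channels */
#define CHAN_DISAGREE_C   3.0f    /* deg C, tolerated mismatch between redundant channels */

enum charge_action { CHARGE_CONTINUE = 0, CHARGE_TERMINATE = 1 };

enum fault_code {
    FAULT_NONE = 0,
    FAULT_SENSOR_INVALID,     /* NaN/inf reading: sensor or data-link failure */
    FAULT_SENSOR_DISAGREE,    /* redundant channels differ beyond tolerance */
    FAULT_WATER_INTRUSION,
    FAULT_PRESSURE,
    FAULT_PACK_OVERCURRENT,
    FAULT_CELL_OVERVOLT,
    FAULT_CELL_OVERTEMP
};

/* One acquisition frame. Cell voltage and temperature arrive on two independent
 * channels (index 0 and 1) so a single failed sensor cannot hide a hazard. */
struct frame {
    float cell_v[2][NCELLS];
    float cell_t[2][NCELLS];
    float pack_i_a;
    float pressure_kpa;
    bool  water_detected;
};

/* NaN fails x == x; +/-inf fails x - x == 0. Avoids <math.h> and -lm. */
static bool  reading_valid(float x) { return x == x && (x - x) == 0.0f; }
static float absdiff(float a, float b) { return a > b ? a - b : b - a; }
static float worse_of(float a, float b) { return a > b ? a : b; }

/* Evaluate one frame. Every path that cannot prove the battery is safe
 * terminates charging; the first fault found is reported for diagnostics. */
enum charge_action supervise_charge(const struct frame *f, enum fault_code *fault)
{
    *fault = FAULT_NONE;
    if (!reading_valid(f->pack_i_a) || !reading_valid(f->pressure_kpa)) {
        *fault = FAULT_SENSOR_INVALID; return CHARGE_TERMINATE;
    }
    if (f->water_detected)                { *fault = FAULT_WATER_INTRUSION; return CHARGE_TERMINATE; }
    if (f->pressure_kpa > PACK_P_MAX_KPA) { *fault = FAULT_PRESSURE;        return CHARGE_TERMINATE; }
    if (absdiff(f->pack_i_a, 0.0f) > PACK_I_MAX_A) { *fault = FAULT_PACK_OVERCURRENT; return CHARGE_TERMINATE; }

    for (size_t i = 0; i < NCELLS; i++) {
        float v0 = f->cell_v[0][i], v1 = f->cell_v[1][i];
        float t0 = f->cell_t[0][i], t1 = f->cell_t[1][i];
        if (!reading_valid(v0) || !reading_valid(v1) ||
            !reading_valid(t0) || !reading_valid(t1)) {
            *fault = FAULT_SENSOR_INVALID; return CHARGE_TERMINATE;
        }
        if (absdiff(v0, v1) > CHAN_DISAGREE_V || absdiff(t0, t1) > CHAN_DISAGREE_C) {
            *fault = FAULT_SENSOR_DISAGREE; return CHARGE_TERMINATE;
        }
        /* Both channels agree: test the more pessimistic value against the limit. */
        if (worse_of(v0, v1) > CELL_V_MAX)   { *fault = FAULT_CELL_OVERVOLT; return CHARGE_TERMINATE; }
        if (worse_of(t0, t1) > CELL_T_MAX_C) { *fault = FAULT_CELL_OVERTEMP; return CHARGE_TERMINATE; }
    }
    return CHARGE_CONTINUE;
}

/* A nominal frame that the constructed scenarios below perturb (not measured data). */
static struct frame nominal_frame(void)
{
    struct frame f;
    for (size_t c = 0; c < 2; c++)
        for (size_t i = 0; i < NCELLS; i++) { f.cell_v[c][i] = 3.90f; f.cell_t[c][i] = 30.0f; }
    f.pack_i_a = 10.0f; f.pressure_kpa = 101.3f; f.water_detected = false;
    return f;
}

enum fault_code scenario_nominal(void)
{ struct frame f = nominal_frame(); enum fault_code c; supervise_charge(&f, &c); return c; }

enum fault_code scenario_cell_overvolt(void)      /* both channels see cell 2 over the limit */
{ struct frame f = nominal_frame(); f.cell_v[0][2] = 4.23f; f.cell_v[1][2] = 4.22f;
  enum fault_code c; supervise_charge(&f, &c); return c; }

enum fault_code scenario_one_channel_dead(void)   /* channel 1 of cell 0 returns NaN */
{ struct frame f = nominal_frame(); float zero = 0.0f; f.cell_t[1][0] = zero / zero;
  enum fault_code c; supervise_charge(&f, &c); return c; }

enum fault_code scenario_channels_disagree(void)  /* only one channel sees an overvoltage */
{ struct frame f = nominal_frame(); f.cell_v[0][1] = 4.30f;
  enum fault_code c; supervise_charge(&f, &c); return c; }

enum fault_code scenario_pressure_rise(void)      /* off-gassing before any voltage/temp limit */
{ struct frame f = nominal_frame(); f.pressure_kpa = 125.0f;
  enum fault_code c; supervise_charge(&f, &c); return c; }

int main(void)
{
    printf("nominal=%d overvolt=%d dead=%d disagree=%d pressure=%d\n",
           scenario_nominal(), scenario_cell_overvolt(), scenario_one_channel_dead(),
           scenario_channels_disagree(), scenario_pressure_rise());
    return 0;
}
```

The scenario functions stand in for frames a real supervisor would receive from the monitoring units over the network. Given the few minutes between a threshold crossing and a fire cited above, the sampling period and the time to open the charge contactor are both part of the safety budget, so a supervisor like this belongs in a partition with guaranteed processor time rather than in best-effort application code.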
The CBMS can be down-sized to just the Critical Battery Monitoring Unit and Interface Ethernet Converter pair to achieve a smaller size during operational use or for lower-cost monitoring during transportation. Although the greatest risk of thermal runaway occurs during charging and usage, there is still significant risk even during storage and transportation. That is because any defects or wear in the Li-ion cell components can cause a long, slow reaction that eventually builds to hazardous levels even when the battery is not in use.
Extending the life of Li-ion batteries
Beyond ensuring Li-ion batteries are safe, the CBMS also reports on and helps preserve the battery's capacity over time. Two vital indicators calculated by the CBMS are the State of Charge (SOC) and the State of Health (SOH). The SOC is the percentage of remaining battery capacity, which is based on the history of voltage and current during charging and discharging. The overall capacity of the battery also depends on factors such as age and operating temperature. The SOH compares the battery's present capacity with its rated capacity; it is used to predict the time or distance achievable from a given SOC and indicates when a battery should be replaced. For the VTG CBMS, the SOH reporting also includes full diagnostics of all the hardware and software. Those diagnostics identify the source of any fault, for example, if the CBMS needed to shut down the charging cycle early.
A sophisticated CBMS can perform cell balancing to increase cell longevity and preserve battery module capacity. Over time, slight variations in cell manufacturing, usage, or environment can cause different cells in a module to end up with different voltages and SOC. Discharge must stop when any cell goes below the minimum voltage, even if other cells hold a significant charge. Likewise, charging must cease when any cell reaches its maximum voltage. The VTG CBMS performs cell balancing by passively bleeding off energy from the most charged cells until they reach the level of the least charged cells to equalize the SOC. Once equalized, all the cells can be charged to the maximum voltage.
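The two ideas in this section, SOC tracked by integrating current over time (coulomb counting) and passive balancing that bleeds the highest cells down to the lowest, are easiest to see together, because balancing pays off only at the next charge. The following is an added example, not VTG's or any vendor's code; the cell capacity, bleed current, control period, and the four-cell pack are constructed values. It charges the same drifted pack twice, once with balancing first and once without, and compares the usable capacity afterward.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NCELLS          4
#define CELL_CAP_MAH    5000.0f  /* rated capacity per cell, hypothetical */
#define BALANCE_TOL_MAH 10.0f    /* stop bleeding a cell once this close to the lowest */
#define BLEED_MA        100.0f   /* current through the passive bleed resistor */
#define STEP_S          60.0f    /* balancing control period, seconds */

struct pack { float charge_mah[NCELLS]; };  /* estimated charge in each series cell */

/* Coulomb counting: charge moved in dt seconds at current_ma (positive = charging). */
float coulomb_delta_mah(float current_ma, float dt_s) { return current_ma * dt_s / 3600.0f; }

static float pack_min(const struct pack *p)
{ float m = p->charge_mah[0]; for (size_t i = 1; i < NCELLS; i++) if (p->charge_mah[i] < m) m = p->charge_mah[i]; return m; }
static float pack_max(const struct pack *p)
{ float m = p->charge_mah[0]; for (size_t i = 1; i < NCELLS; i++) if (p->charge_mah[i] > m) m = p->charge_mah[i]; return m; }

/* Discharge must stop when the weakest cell hits its minimum, so usable capacity is
 * bounded by the lowest cell. Charging must stop when the fullest cell hits its
 * maximum, so remaining headroom is bounded by the highest cell. */
float usable_mah(const struct pack *p)   { return pack_min(p); }
float headroom_mah(const struct pack *p) { return CELL_CAP_MAH - pack_max(p); }

/* Series charging puts the same current through every cell, so every cell gains the
 * same charge until the fullest one reaches capacity and charging must cease. */
void charge_to_full(struct pack *p)
{ float d = headroom_mah(p); for (size_t i = 0; i < NCELLS; i++) p->charge_mah[i] += d; }

/* One passive balancing step: bleed every cell more than BALANCE_TOL_MAH above the
 * lowest cell through its resistor for one control period. Returns cells bled. */
int balance_step(struct pack *p)
{
    float lo = pack_min(p);
    float drop = coulomb_delta_mah(BLEED_MA, STEP_S);
    int bled = 0;
    for (size_t i = 0; i < NCELLS; i++)
        if (p->charge_mah[i] > lo + BALANCE_TOL_MAH) { p->charge_mah[i] -= drop; bled++; }
    return bled;
}

/* Balance until no cell needs bleeding or max_steps elapse; returns steps used. */
int balance_until_equal(struct pack *p, int max_steps)
{
    int steps = 0;
    while (steps < max_steps && balance_step(p) > 0) steps++;
    return steps;
}

/* Constructed example pack: four cells that have drifted apart (not measured data). */
static void demo_pack(struct pack *p)
{
    static const float c[NCELLS] = {4000.0f, 4500.0f, 4200.0f, 4000.0f};
    for (size_t i = 0; i < NCELLS; i++) p->charge_mah[i] = c[i];
}

/* Usable capacity after a full charge, with or without balancing first. */
float demo_usable_after_charge(bool balance_first)
{
    struct pack p; demo_pack(&p);
    if (balance_first) balance_until_equal(&p, 1000);
    charge_to_full(&p);
    return usable_mah(&p);
}

int demo_balance_steps(void)
{ struct pack p; demo_pack(&p); return balance_until_equal(&p, 1000); }

float demo_spread_after_balancing(void)
{ struct pack p; demo_pack(&p); balance_until_equal(&p, 1000); return pack_max(&p) - pack_min(&p); }

int main(void)
{
    printf("usable after charge: unbalanced %.0f mAh, balanced first %.0f mAh (%d steps, spread %.1f mAh)\n",
           demo_usable_after_charge(false), demo_usable_after_charge(true),
           demo_balance_steps(), demo_spread_after_balancing());
    return 0;
}
```

Without balancing, the 500 mAh spread between the fullest and emptiest cells caps the usable capacity at 4500 mAh even after a "full" charge; balancing first brings all cells to within the tolerance of the lowest, so the next charge fills the whole pack. The cost is visible in the step count: at 100 mA through a bleed resistor, equalizing a 500 mAh spread takes about five hours and dissipates that energy as heat, which is why passive balancing runs during charging or idle periods rather than during a sortie.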
Safety and security in operating systems
The INTEGRITY-178 tuMP safety-critical RTOS from Green Hills Software has a long history of meeting DO-178B/C safety assurance requirements to DAL A starting in 2002. Green Hills Software has provided certification evidence for over 80 different customer programs for applications such as flight control electronics, fly-by-wire, and Full Authority Digital Engine Controls (FADECs). Many of those systems have similarities in architecture with the VTG CBMS, such as a FADEC that has two mechanically separated channels operating independently but cooperating with each other. The second channel provides full capability should a failure occur in the primary channel.
The INTEGRITY-178 tuMP runs applications in different memory address spaces called partitions and guarantees that no application running in one partition can affect an application running in a different partition. The partitions are separated in three dimensions: memory space, processor time, and operating system resources. The result is full fault isolation and data isolation of partitions.
In addition to meeting the safety assurance objectives of DO-178C to DAL A, INTEGRITY-178 tuMP also meets the security assurance objectives of ISO/IEC 15408, "Common Criteria for Information Technology Security Evaluation," to Evaluation Assurance Level 6+ (EAL 6+). EALs range from 1 to 7; EAL 6 and above require a vulnerability analysis demonstrating resistance to attackers with "high" attack potential, such as well-funded and determined nation-states. After all, if a system is not secure, an attacker can disable the safety protections. Because thermal runaway can occur within minutes if a battery is overcharged at high current, the cyber security of the CBMS is a critical component of its safety assurance.
Power-hungry military and aerospace systems require Li-ion batteries to meet their energy density goals. Li-ion batteries can be a fire safety hazard due to the use of flammable electrolytes and the possibility of short circuits caused by physical, thermal, or electrical abuse or by wear over an extended lifetime. A sophisticated battery management system can greatly reduce the risk of fire, but only if the battery management system is operating correctly. The best solution is to use a safety-critical battery management system that employs a fault-tolerant systems design and leverages a safety-critical operating system designed to meet DO-178C airworthiness objectives to the highest design assurance level (DAL A). VTG has done just that with its MIL-STD-882E CBMS running the INTEGRITY-178 tuMP safety-critical RTOS.
For more information, contact VTG online at www.vtgdefense.com and Green Hills Software at www.ghs.com/integrity-178.
Richard Jaenicke is marketing manager at Green Hills Software in Santa Barbara, Calif.
Rick Nicklas is vice president of engineering and digital solutions at VTG in Chantilly, Va.