Boeing’s Dreamliner program runs into trouble with lithium ion batteries
Lithium batteries performance in providing lightweight, low volume power storage has made them a ubiquitous part of modern consumer life. And high power density also makes them attractive in applications, such as aerospace, where weight and space are at a premium. Unfortunately lithium batteries are also very unforgiving if operated outside their safe operating envelope and can fail in a spectacularly energetic fashion called a thermal runaway (1), as occurred in the recent JAL and ANA 787 incidents.
This increased risk in Lithium batteries relative to other battery technologies is widely recognised, so much so that in the FAA’s ruling on the aviation application of Lithium batteries it noted that they were, “significantly more susceptible” to fires than other types and added that such fires are hard to extinguish as, “Metallic lithium can ignite, resulting in a self-sustaining fire or explosion.”.
So when Boeing approached the FAA in 2003 to request guidance on the use of Lithium batteries the FAA set nine (2) special conditions for their use in Boeing’s Dreamliner including:
- Maintaining safe temperatures and pressures during normal charging and discharging conditions including failures conditions of the battery monitoring and charging systems where such failures have a likelihood greater than extremely remote (3),
- Preventing explosion in the event of a failure,
- Prevent the occurrence of self sustaining, uncontrolled increases in pressure or temperature,
- Prevent the build up of toxic/explosive gases in hazardous quantities due to all failures of the battery or charger/monitor systems with a likelihood greater that extremely remote,
- Prevent any fluid or gas escape from causing damage to aircraft or adjacent systems, equipment or EWIS of a major or greater severity,
- Prevent heat from a battery short circuit causing any hazardous effect on structure or essential systems,
- Provide monitoring and warning indication to flight crew of the battery charge to indicate when such charge is below that considered safe for dispatch of the aircraft,
- Control the battery charging function to prevent over charging or over heating of the battery including:
- a battery temperature sensing and over temperature warning,
- automatic disconnection of the battery from charging source in the event of an over temperature,
- battery failure sensing and warning system, and
- automatic disconnection of the battery from it’s charging source in the event of battery failure.
The FAA eventually approved Boeing’s contain and vent approach to dealing with a lithium battery fire, deeming it sufficient to control the build-up of explosive or toxic gases except in situations that were considered extremely remote (4).
As the picture below indicates Boeing, and Thales as the battery system supplier, elected for a containment strategy at the ‘battery’ level. Unfortunately what that means is that a thermal runaway in one cell is not quarantined from the other cells in the battery and as a result the likelihood of a battery level fire or worse is driven by the likelihood of an individual cell failing within the battery. Of course as the number of cells goes up so to does the cumulative likelihood of failure.
Now I wonder if Boeing or Thales safety analysis considered this common cause effect? Certainly there seems to have been little consideration of where the vent discs, located on the ends of the battery cells, would vent to, apart from into the interior of the battery box and all over the other cells…I’d also be interesting to see whether the safety engineering for the battery included a formal demonstration that a thermal runaway in one cell would not cascade to the next (5).
A practical approach to reducing this common cause vulnerability would be to introduce partitions into the design to separate cells into individual bays. This could also (if a hollow wall barrier design was adopted) improve cooling air flow through the battery thereby reducing the likelihood of a cell thermal runaway actually occurring in the first instance. Similarly if a vent disc is provided then it should vent somewhere safe, and ideally safe for both aircraft and other battery cells. Had such a lower level containment strategy been adopted in my opinion it’s probable that the the battery failure would have terminated at an individual cell level and we would have heard no more of it.
So if we intend to use lithium batteries in a passenger aircraft it means that the battery and it’s charge/discharge cycle needs to be very carefully managed. Enter the need for a Battery Management System (BMS). In the 787 the BMS is comprised of the Thales Battery Charger Unit as well as the GS Yuasa battery box and it’s internal electronics. As long as the BMS does it’s job of maintaining the battery within it’s safe operating envelope everything is fine, presuming the battery is itself not defective in some way.
Now if the BMS fails and overcharges the battery the result can be a catastrophic cell runaway. Nor is the likelihood of a subsequent thermal runaway dependent upon the magnitude of the overcharge. As it turns out, even slight overcharges, while not enough to directly initiate a runaway, can cause cumulative damage that if repeated over time eventually result in triggering a thermal runaway in the damaged cell.
A failure of the BMS that results in over discharging a cell will usually not directly result in a thermal runaway but again, if repetitive cycles of over discharge do occur, the cumulative damage can trigger a cell runaway.
If such low level chronic damage from poor batter management practices was the primary cause of this event then one would expect also to see a history of reduced battery life, stories of individual cell damage and increased frequency of non-safety related battery change-outs, presuming the batteries themselves are not defective. There is some, albeit apocryphal, evidence that this may be the case.
The problem of battery management is also made more complex because we are actually concerned with individual cell behaviour and cells, being electro-chemical devices, tend to diverge in performance over time. So if, for example, the BMS only monitors the battery temperature rather than individual cell temperatures due to it’s design or a sensing failure, it may not detect that an individual cells temperature is unsafe until the cell has progressed well into a thermal runaway.
Generally individual cell voltage and overall battery current should also be monitored by the BMS to maintain the battery within its safe operating envelop. If these parameters are not monitored due to design oversight or failure of the sensing system then an unsafe state can easily arise where an individual cell is being overcharged because it has diverged from the nominal cell performance.
To summarise for safety the BMS must ensure that the battery and its cells is maintained within the overall safe operating envelope at all times not just control hazards associated with excessive charging and to do so it needs to know what’s happening at the cell level. The design onus is therefore on the cell manufacturer (GS Yuasa in this case) and the BMS designer (Thales) to establish a safe operating envelope of current, voltage and temperature for all modes of operation, as is laid out in such standards as IEEE 1625 and 1725 (6).
As the picture of the B787 Auxiliary electronics bay below graphically illustrates while the battery fire did not propagate further into the bay, there was definitely some heat and smoke damage to adjacent structures, so the FAA ruling and Boeing’s subsequent contain and vent policy may be judged a qualified success. But maybe if Boeing had adopted a containment policy at one level down in the architecture the problem of lithium battery runaway’s although of concern would not have grounded the Dreamliner fleet.
So on the face of it while this seems to be a ‘new technology’ component issue, and that seems to be where the NTSB is heading in it’s investigation, there are intertwining questions of the adequacy of the regulator’s initial advise, how the safety architecture was implemented, how common cause effects were considered, the organisational interface between battery and BMS designers and finally whether the importance of maintaining the batteries within their safe operating environment at all times was recognised.
1. Thermal runaway results in rapid temperature and pressure increases inside individual battery cells with subsequent violent venting and auto-ignition of the battery cell’s electrolyte. In the worst case a thermal runaway in one battery cell heats up adjacent cells causing a chain reaction of thermal runaways leading to a battery fire and in some instances explosion.
Thermal runaway is actually a general problem in battery design rather than being unique to lithium batteries. However in lithium batteries the cell chemistry and power densities involved make the consequences of a runaway significantly worse.
2. There’s actually more than 9 FAA conditions as some of them are compound requirements.
3. The term ‘extremely remote’ as used by the FAA has a defined qualitative and quantitative meaning meaning, “Not anticipated to occur to each item during its total life. May occur a few times in the life of an entire system or fleet. (less that 10e-7 but greater than 10e-9 per operating hour)”. This places the likelihood two orders of magnitude below the traditional “Extremely Improbable (less that 10e-9 per operating hour)”.
4. Note that all the above FAA conditions equally apply to other civilian aircraft including the A380 which also uses lithium batteries.
5. Without actual empirical evidence this may have been argued on the basis of ‘engineering judgement’ or in the worst case simply not addressed at all.
6. Of course if these safety management functions are implemented in software it could turn out that the cause of the thermal runaway and battery fire may actually be a software fault. Although at the moment that’s not where the NTSB investigation is heading.
Mikolajczak, C., Michael, K., White, K. Thomas Long, R., Lithium Ion Batteries Hazard and Use Assessment, Final Report, Exponent Failure Analysis Assoc. for The Fire Protection Research Association, July 2011.