Category Archives: Risk Assessment

Boeing’s Flaming Lithium Batteries: Was This A Risk Worth Taking?

boeing_batteryIn DACI’s 1st Quarter 2012 newsletter I predicted that a catastrophic safety event would eventually occur due to lithium batteries (please see “Li-Ion Battery Pack Hazards and our Psychic Prediction“). The recent fires in the initial flights of the new Boeing Dreamliner have come close to fulfilling that prophecy.

From “Detecting Lithium-Ion Cell Internal Faults In Real Time” (Celina Mikolajczak, John Harmon, Kevin White, Quinn Horn, and Ming Wu, in the Mar 1, 2010 issue of Power Electronics Technology) it is known that internal cell faults in lithium batteries can lead to thermal runaway, subsequently resulting in fires and/or explosions. Therefore the question arises: do the Boeing lithium batteries have an advanced internal construction that prevents cell faults, or mitigates thermal runaway in the event of a fault? If not, the Boeing team or vendor responsible for the battery system design is in big, big, trouble.

Although deficiencies in basic battery chemistry and/or construction appear to offer the best root cause hypothesis for the fires, there are also other possible factors. For example, it has been reported that perhaps the charging system malfunctioned, causing the batteries to overheat. However, a properly designed charger for an aircraft application would have fail-safe protection, preventing an overcharge. Plus, it was also reported that charging sensors did not detect an overvoltage. Although these factors sound reassuring, they are not sufficient to eliminate the charger from consideration. For example, one can hypothesize a charging waveform that contains spurious high frequency oscillations that create high rms charging currents. This would not necessarily result in overvoltage, but could result in overheating.

It is also possible that battery “cell defects” are nothing more than cell imbalances that vary according to production tolerances. In other words, the lithium battery, by its very nature, tends towards thermal runaway unless the internal cells are very tightly matched. This sensitivity would become more pronounced with a higher number of cells and higher mass, which would explain why no explosions have occurred in  small button-style batteries, but do occur in the larger batteries.

There are other scenarios, including the thorny possibility that some combination of conditions conspired to create the failure. And, of course, the root cause may be highly intermittent, making detection extremely difficult. Such hypotheses are undoubtedly being examined by the Boing engineers. I wish them well, and hope that they are allowed to perform their work calmly, methodically, and thoroughly.

Note: Because it may take quite a long time to conclusively establish a root cause, I would suggest that Boeing immediately begin planning to retrofit the lithium system with one containing battery types that have not shown the proclivity to explode; e.g. nickel metal-hydride, or sealed lead acid gel. Heavier, yes, but in this case safety and the economic timeline indicate that it would be wise to be prepared with a retrofit design.

(For some brief guidelines on design failure crisis management, please see Scenario #6: “Coping with Design Panic,” in The Design Analysis Handbook, Appendix A, “How to Survive an Engineering Project.”

-Ed Walker

Four Costly Myths About Worst Case Analysis

Myth #1: Worst Case Analysis (WCA) is a rigidly defined mathematical method of determining the limits of performance of a design.

There are actually a few different types of WCA, primarily:

Extreme Value Analysis (EVA)

Statistical Analysis (Monte Carlo)

WCA+

WCA+ is safer than Monte Carlo and more practical than EVA. Monte Carlo can miss small but important extreme values, and EVA can result in costly overdesign. WCA+ identifies extreme values that statistical methods can miss, and then estimates the probability that the extreme value will exceed specification limits, thereby providing the designer with a practical risk-assessment metric. WCA+ also generates normalized sensitivities and optimization, which can be used for design centering. (Ref. http://daci-wca.com/products_005.htm)

Myth #2: Worst Case Analysis is optional if you do a lot of testing

To maintain happy customers and minimize liability exposure, the effects of environmental and component variances on performance must be thoroughly understood. Testing alone cannot achieve this understanding, because testing — for economic reasons — is usually performed on a very small number of samples. Also, since testing typically has a short time schedule, the effects of long-term aging will not be detected.

Myth #3: Worst Case Analysis is optional if we vary worst case parameters during testing

Initial tolerances typically play a substantial role in determining worst case performance. Such tolerances, however, are not affected by heating/cooling the samples, varying the supply voltages, varying the loads, etc.

For example, a design might have a dozen functional specs and a dozen stress specs (these numbers are usually much, much higher). To expose worst case performance, some tolerances may need to be at their low values for some of the specs, but at their high or intermediate values for other specs. First, it’s not even likely that a tolerance will be at the worst case value for a single spec. Second, it’s impossible for the tolerance to simultaneously be at the different values required to expose worst case performance for all the specs. Therefore it’s not valid to expect a test sample to serve as a worst case performance predictor, regardless of the amount of temperature cycles, voltage variations, etc. that are applied to the sample.

Myth #4: Worst Case Analysis is best done by statistics experts

No, it is far better to have WCA performed — or at least supervised — by experts in the design being analyzed, using a practical tool like WCA+ that employs minimal statistical mumbo-jumbo. Analyses (particularly cook-book statistical ones), when applied by those without expertise in the design being analyzed, often yield hilariously incorrect results.

-Ed Walker

1st Qtr 2012

(c) 2012 Design/Analysis Consultants, Inc.
Newsletter content may be copied in whole or part if attribution
to DACI and any referenced source is prominently displayed with the copied material

This Issue: NEWS BITE: Creepy Swarming Electronic Insects Are Real! / GOVERNMENT FOOLISHNESS and Incandescent Bulbs / WORST CASE ANALYSIS and the Fukushima Nuclear Plant Meltdown / RISK ASSESSMENT and Lithium Battery Explosions / ANALYSIS QUIZ: Answer To Last Quarter’s Question / DESIGN MASTER 8.2 UPGRADE if you’ve had troubling generating WCA reports on a Win7 PC

NEWS BITE: Creepy Swarming Electronic Insects Are Real!


.
GOVERNMENT FOOLISHNESS: Incandescent Bulbs Banned? No Problem, Just Buy A Heat Ball
.
.

From “Upset about Big Brother’s Ban on Incandescent Bulbs? Buy a Heatball!
by Selwyn Duke in the 30 Dec 2011 issue of American Thinker

For earlier Newsletter comments on the absurdity of banning incandescent bulbs, please see “Unintended Consequences: Nanny Engineering” in the 2nd Qtr 2011 issue.

WORST CASE ANALYSIS: What We Learned From Fukushima – Again

“Japan is not a technically backward country  … Its nuclear power plants were designed and built with an acute consciousness of extreme earthquake dangers.

“So how is it, despite that sophistication, awareness, and preparedness, that the Fukushima crisis has nonetheless exceeded worst-case thinking? Here, the story is reminiscent of Three Mile Island and Chernobyl, and the message seems to be the same: Worst-case scenario builders consistently underestimate the statistical probability of separate bad things happening simultaneously, as the result of the same underlying causes. [Emphasis added]
Japan Nuclear Accident Worse Than Worst, Again” by Bill Sweet, 12 Mar 2011, Energywise
Image: http://www.digitalglobe.com

RISK ASSESSMENT: Li-Ion Battery Pack Hazards and our Psychic Prediction

“Internal cell faults continue to lead to thermal runaway failures in Li-Ion battery packs used in the field. Though these events are rare, the proliferation of Li-ion-powered consumer electronics has increased the risk for an event occurring on an aircraft, or at a similarly inauspicious location or time … At present there is no [battery] pack-protection circuitry in commercial use that is designed to continuously monitor the cells for the symptoms of a latent incipient internal cell fault before such a fault causes thermal runaway.”
Detecting Lithium-Ion Cell Internal Faults In Real Time” by Celina Mikolajczak, John Harmon, Kevin White, Quinn Horn, and Ming Wu, in the Mar 1, 2010 issue of Power Electronics Technology

Even though there have been several fires and a few folks have been injured or killed due to exploding lithium batteries, we predict that the risk will be tolerated until a catastrophic explosion occurs. This will be  followed by the usual screaming headlines belatedly warning of the dangers, hind-sight experts suddenly popping up on TV, hand-wringing congressional investigations, and finally, heavy-handed and grossly over-reactive governmental regulatory responses.

ANALYSIS QUIZ (Answer from Last Issue): Adjustable 3-Terminal Regulator Output Tolerance

.
An LM317T regulator with 36V input is set for 24V nominal output, using 1/8W 1% 100ppm thick film resistors (10K and 549 ohms). The regulator must deliver 1A and operate from 0 to 50 C for 10,000 hours.


Q: What will be the approximate worst case output tolerance?

-2/+2%        -4/+5%         -7/+6%         -6/+11%         -9/+15%

A: -9/+15%

Surprised? You might be if you only consider initial tolerances, and don’t factor in the effects of temperature and aging. Here are the normalized sensitivities, which gives one a better sense of the significant error contributors:

DESIGN MASTER™ 8.2 UPDATE: WCA Report Generator Bug Corrected

To facilitate the efficient creation of professional worst case analysis reports, Design Master includes an automated Word document report generator, based on Microsoft Office automation technology. We’ve recently had a few Win7 users notify us that the report function is not operable on their systems. Although Design Master has been tested on other Win7 systems with no problems, variations in Win7 system speed appear to prevent the report generator from functioning properly in some cases. Design Master Rev 8.2 allows more tolerance for speed variances, which has corrected the reported issues.