NiMh battery charging IEC 61010 safety considerations

[DorianM223]

Hi,
I'm working on a handheld phase detector device which is powered by rechargeable NiMh batteries. I've been in this company for a year and don't have much experience with this. The device will be powered by 12V AC/DC adapter when charging. Most of the schematics are complete but im having trouble with the battery charging safety. In first iteration my predecessor used an LTC4060 charging chip but he had a lot of problems with it, which he never solved, so now my boss wants me to implement battery charging with main MCU and discrete components. The schematic went through few iterations and is complete but now we have to deal with passing the IEC 61010 safety.

Schematic in attachment. It's a stepdown converter design with 2 MOSFETS as a switch (Q19 and Q20, my boss said to put 2 MOSFETS instead of one because what if one shorts), MOSFET driver with a CR high pass filter that protects from MCU glitching, 1 main and 1 backup voltage measurement, a current shunt sensor and a slow 2A SMD fuse. IEC 61010-1 2017 states: "Batteries shall not cause explosion or produce a fire HAZARD as a result of excessive charge or discharge, or if a battery is installed with incorrect polarity." and "If necessary, a short circuit and an open circuit is made on any single component (except the battery itself) whose failure could lead to such a HAZARD." After reviewing the schematic we noticed that if the transistor Q14 would fail closed (or was shorted for testing) the batteries would be shorted to 12V and power could not be turned off. The remaining safety measure would be the fuse, which i don't want to count on solely. Maybe I could add another MOSFET at the 12V side to disconnect the power when in fault but that feels like avoiding the issue by adding more components. My question is how can ensure that even if the Q14 fails the device is still safe and won't explode or burn?

[temperance]

"Batteries shall not cause explosion or produce a fire HAZARD as a result of excessive charge or discharge..." and "If necessary, a short circuit and an open circuit is made on any single component (except the battery itself) whose failure could lead to such a HAZARD."

I'm not familiar IEC 61010 but what comes after "discharge..."

By controlling the charger with a micro controller, the software becomes part of the safety concept. How are you planning to provide proof of compliance for the software? The AC coupled gate drive doesn't help much if software is unable to properly detect if a battery is completely charged while somehow the timer responsible for a time out doesn't work. Also, this circuit is not protecting the battery pack in any way.

The question you to answer is if a single battery within the battery pack can becomes a hazard when overcharged/over discharged and fit proper protection onto the battery itself. (also after many years of use with some cells not charging while others are being overcharged or some cells seeing reverse charge the battery pack must remain safe)

-For overcharge: depending on the maximum charge current risk of thermal runaway.
-For over discharge: some cells will enter reverse charging and might, depending on the reverse charge current go into the thermal run away.

It is best to contact the battery manufacturer in order to find out what must be done in order to comply.

The norm also states:

If necessary, a short circuit and an open circuit is made on any single component

This means that some protection measures like thermal fuses and anti parallel diodes to prevent reverse charging must be fitted twice. (For fuses a single fuse might do. The norm will state this somewhere)

[DorianM223]

I'm not familiar IEC 61010 but what comes after "discharge..."

I edited the first post to finish the sentence, but I don't think it matters here since nothing will work if batteries are installed incorrectly.

How are you planning to provide proof of compliance for the software?

For that question I don't have an answer because that is not my department.

Also, this circuit is not protecting the battery pack in any way.

What do you mean by that? If software works fine and monitors the battery voltage, current and temperature correctly then there should be no problems.

...fit proper protection onto the battery itself."

Do you mean I need to measure the voltage of each cell? Then i have to find 3 terminal 2 AA battery holder. I haven't seen those yet, but haven't looked either.

For reverse charging, isn't the pack voltage indicative of that? We never plan to discharge batteries lower than 1V per cell so if one is reversed the voltage will be too low.

[temperance]

For that question I don't have an answer because that is not my department.

See comment below on single faults.

What do you mean by that? If software works fine and monitors the battery voltage, current and temperature correctly then there should be no problems.

The norm states that single faults will be introduced. A single protection circuit containing a micro controller will not do and fail the test. The easiest way to deal with the thermal run away problem is to simply fit two thermal fuses onto the battery pack. Job done, no software involved.

Do you mean I need to measure the voltage of each cell? Then i have to find 3 terminal 2 AA battery holder. I haven't seen those yet, but haven't looked either.

For reverse charging, isn't the pack voltage indicative of that? We never plan to discharge batteries lower than 1V per cell so if one is reversed the voltage will be too low.

That can work for four cells. Two very simple under voltage circuits in series will do and survive the single fault requirement again without software at all.

[jkostb]

The solution is simple. Just install a voltage clamp at the battery pack. If both P-channel mosfet are continuously on the inductor will go into saturation and 12V will be imposed over the battery. This is a fire hazard as you already determined. But if you have a voltage clamp then a large current will flow through the clamp. But then your fuse will trip and power is interrupted. Voltage clamp can be as simple as a zener diode

[temperance]

The solution is simple. Just install a voltage clamp at the battery pack. If both P-channel mosfet are continuously on the inductor will go into saturation and 12V will be imposed over the battery. This is a fire hazard as you already determined. But if you have a voltage clamp then a large current will flow through the clamp. But then your fuse will trip and power is interrupted. Voltage clamp can be as simple as a zener diode

This solution doesn't protect the battery pack from overcharge and possible thermal run away if the charger logic malfunctions. The clamp is not required because the batteries will act as a clamp and clear the fuse.

[David Hess]

AC couple the drive to the power MOSFETs so that if drive gets stuck on, the MOSFETs shut off.

[temperance]

AC couple the drive to the power MOSFETs so that if drive gets stuck on, the MOSFETs shut off.

The problem is not in the PWM but in the idea to use a micro as a safety mechanism when the norm requires the circuit to be safe under single fault conditions. And that can as well be the software and the micro controller. Ac coupling the gate drive doesn't provide any safety.

[David Hess]

AC couple the drive to the power MOSFETs so that if drive gets stuck on, the MOSFETs shut off.

The problem is not in the PWM but in the idea to use a micro as a safety mechanism when the norm requires the circuit to be safe under single fault conditions. And that can as well be the software and the micro controller. Ac coupling the gate drive doesn't provide any safety.

AC coupling will be necessary even if not sufficient.  I would not rely on the microcontroller for the regulation loop either, but common failures will lead to the MOSFET getting stuck on and AC coupling will mitigate them.

The original question was how to deal with Q14 shorting.

[temperance]

AC couple the drive to the power MOSFETs so that if drive gets stuck on, the MOSFETs shut off.

The problem is not in the PWM but in the idea to use a micro as a safety mechanism when the norm requires the circuit to be safe under single fault conditions. And that can as well be the software and the micro controller. Ac coupling the gate drive doesn't provide any safety.

AC coupling will be necessary even if not sufficient.  I would not rely on the microcontroller for the regulation loop either, but common failures will lead to the MOSFET getting stuck on and AC coupling will mitigate them.

The original question was how to deal with Q14 shorting.

The OP quoted a part of the norm to show the requirements and assumes that AC coupling the PWM signal will solve the problem. I'm pointing out that solving the "problem" with Q14 with some AC coupling (which needs a DC restore function and a resistor to quickly charge the capacitor in case of failure) doesn't help to fulfill the requirements.