The following is a battery-level Fault Tree Analysis (FTA) of a typical battery system architecture for an electric Vertical Takeoff and Landing (eVTOL) aircraft or an aircraft with an electric or hybrid-electric powertrain. This type of FTA is required by DO-311A, Minimum Operational Performance Standards for Rechargeable Lithium Batteries and Battery Systems.
DO-311A Requirements Summary
DO-311A Appendix C prerequisites:
- Critical functions including control and protective functions that include airborne electronic hardware shall be designed and approved to RTCA DO-254 design assurance level A.
- Critical functions including control and protective functions that include software shall be designed and approved to RTCA DO-178 design assurance level A.
- Perform a Battery System Safety Assessment (SSA) including: Functional Hazard Assessment (FHA), Fault Tree Analysis (FTA), Failure Modes and Effects Analysis (FMEA), and a common mode analysis per SAE ARP 4761 that addresses hazards as identified in 2.1.7.b.
- The FTA shall demonstrate the battery and battery system critical functions including control and protective functions have a probability of catastrophic failure of 10E-9 or less.
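To show how an FTA result is checked against a probability objective, the following added example (not taken from DO-311A or from this page's fault tree) computes minimal cut sets for a small constructed tree and sums their probabilities. The event names, the probabilities and the `1e-9` objective value are assumptions made for illustration, and basic events are assumed independent.

```python
from math import prod

# Constructed fault tree: a node is a basic-event name or (gate, [children]).
# Event names and probabilities are hypothetical, not taken from DO-311A.
SUPPLY = "bms_supply_loss"  # shared by both protective functions
TREE = ("OR", [
    ("AND", ["charger_overvoltage",
             ("OR", ["overcharge_protection_fault", SUPPLY])]),
    ("AND", ["external_overheat",
             ("OR", ["thermal_cutoff_fault", SUPPLY])]),
])
P = {
    "charger_overvoltage": 1e-5,
    "overcharge_protection_fault": 1e-5,
    "external_overheat": 1e-5,
    "thermal_cutoff_fault": 1e-5,
    SUPPLY: 1e-6,
}
OBJECTIVE = 1e-9  # assumption: how the page's catastrophic-failure figure is read

def minimize(sets):
    """Drop any cut set that strictly contains another one."""
    return {s for s in sets if not any(t < s for t in sets)}

def cut_sets(node):
    """Minimal cut sets: smallest event combinations that cause the top event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    elif gate == "AND":
        combined = {frozenset()}
        for sets in child_sets:
            combined = {a | b for a in combined for b in sets}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)

def top_probability(tree, p):
    """Upper bound on P(top event): sum of cut-set products."""
    return sum(prod(p[e] for e in cs) for cs in cut_sets(tree))

def single_points(tree):
    """Events that cause the top event on their own (order-1 cut sets)."""
    return sorted(e for cs in cut_sets(tree) if len(cs) == 1 for e in cs)

if __name__ == "__main__":
    total = top_probability(TREE, P)
    print(f"{len(cut_sets(TREE))} minimal cut sets, P(top) <= {total:.2e}")
    print("meets objective:", total <= OBJECTIVE)
    print("single points of failure:", single_points(TREE))
```

Because cut sets are sets, an event that feeds several branches is counted once per combination, which is how a shared dependency shows up as a single point of failure instead of being multiplied away.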
2.4.5.5 Battery Thermal Runaway Containment Test:
- 2.4.5.5.1 i.e. overcharging
- 2.4.5.5.2 i.e. overheating
- According to Boeing “….ignores standard aerospace practices of relating failure severity to probability objective.”
- Boeing suggests a more ‘robust’, and Airbus a more ‘plausible’ (e.g. SAE J2464 4.4.5), Single Cell Thermal Runaway Containment Test
- Appendix C alternate test method for Battery Thermal Runaway Containment Test
Guidelines for the selection of cell pairs are as follows:
- A pair is defined as 2 cells adjacent to each other. The pairing of cells should take into account spacing and heat transfer characteristics to maximize the potential for propagation to other cells.
- For batteries with 10 cells or less, the number of cell pairs should be equal to or greater than the number of cells divided by two, rounded up. For odd numbers of cells, one cell will be tested twice.
- For batteries with more than 10 cells, select 5 pairs to include the following locations in the battery, as applicable: center, wide face, narrow face, corner, and edge. In a battery with a large number of cells (>>10) or with complex geometries, more than 5 cell pair locations may need to be tested to get comprehensive coverage.
DO-311A table C–1: minimum number of batteries to be tested:
Number of cells per battery | Minimum number of batteries to be tested |
1 | n/a |
2 | 1 |
3 | 2 |
4 | 2 |
5 | 3 |
6 | 3 |
7 | 4 |
8 | 4 |
9 | 5 |
10 | 5 |
11 | 5 |
Test method:
- Either overheat or overcharge.
- Report the following information:
  - The data and evidence showing compliance with the prerequisites of section C.1.
  - Rupture of the EUT housing.
  - Emission of gas, smoke, soot, or fluid from the EUT.
  - A tabular or graphical representation of the trigger cell voltages and temperatures, EUT external temperature, and the temperature of gases that exit the EUT, as a function of time.
  - Objective evidence, confirmed by post-test inspection, that at least the two trigger cells achieved thermal runaway.
Note: overheat is normally used. However, wiring itself can interfere with the test.
System Architecture
System architecture of a typical battery system:

Fault Tree Analysis: Uncontrolled Thermal Runaway
FTA for battery system:

Fault Tree Analysis: Uncontrolled Thermal Runaway (1 of 14 branches)
Branches of FTA for battery system:
