Circuit analysis of a cheap BMS, and why you shouldn't use one

MAXIMUM_AMPS (joined Nov 13, 2019)
Hello folks, I am an embedded systems engineer. I design and program all kinds of electronics, as a hobby and a profession. Electronics from realtime control units that run constantly for years at a time, to "simple" electronics like BMS boards.

Battery Management Systems are safe and convenient when they actually work, but on the flip-side, can be outright dangerous when they aren't protecting and balancing every cell.

To get my point across more concisely, I will show the schematic for a common, cheap and dangerous li-ion BMS. This design is used in the infamous, fire-prone :flame: hoverboard batteries: (schematic attached)

This is a very unsafe design for 3 reasons:

1. Each of the protection chips (DW01A) is separate, there is no cooperation. Meaning: one chip could fail, due to ESD, water droplet, etc. Then that cell group is completely unprotected, opening up the possibility that the cell group could become overcharged and explode unexpectedly! With a 2-wire monolithic design, if one part fails, due to ESD, etc, the output FETs are turned off PERMANENTLY. This is much safer, as charge can no longer flow in or out. Crisis averted, while also alerting the user of the failure.

2. For exactly this reason, the manufacturer states clearly that the DW01 is a 1S ONLY protection chip. Using them as a 4S, 10S, 14S, etc is NOT RECOMMENDED because of this safety hazard! That's what the "01" in DW01 stands for! Here is the datasheet confirming my claim: http://www.kexin.com.cn/pdf/DW01.PDF

3. The protection and balancing chips are separate, leading to a condition where the balance chip fails, and the cell group is no longer able to bleed overcharge anymore. This is less dangerous, but still a design flaw stemming from using a 1S protection chip incorrectly. Proper multi-cell chips will perform balancing as well as protection.



Here's an example of an e-bike BMS using the exact same design but extended to 10S. I've seen clones of this circuit expanded to 13S, 14S even 20S, and are as cheap and abundant as they are unsafe.

DO NOT risk them. Buy a proper, high quality 2-wire BMS with a monolithic multi-cell IC. They cost more, but are 1000x safer and cheaper than a fire!

When working with electronics, ESPECIALLY a safety critical item like a BMS, be sure to practice proper ESD precautions! This can make the difference between a house fire and no house fire!
 
Please link to some brand-identifiable yet reasonably priced examples you think are safer & more reliable.
 
john61ct said:
Please link to some brand-identifiable yet reasonably priced examples you think are safer & more reliable.

I'd be happy to, although there's not a huge variety or major brands in this industry, unfortunately.
Cost highest to lowest:

Higher end examples: https://energusps.com/shop/category/battery-management-4

Similar to what EM3EV uses in their batteries:
https://www.lithiumbatterypcb.com/product/7s-8s-10s-li-ion-or-lifepo4-battery-smart-bluetooth-bms/


I am planning on building a BMS built around TI's upcoming IC the BQ75614. https://www.ti.com/product/BQ75614-Q1.
It's AEC-Q100 qualified for automotive use, has additional ESD immunity not seen in most other BMS ICs, 240 mA balance current without external balancing FETs. All around superior to most of what's on the market right now.
 
I would want as much adjustability in the various setpoints as possible, ideally supporting in the same unit both LFP and LTO as well as the 3.7-4.2 others.

Ability to disable balancing completely,

to use external contactor(s),

low and high temperature protection of course

fully sealed to IP specs, hardened against extreme shock & vibration, marine conditions

CAN control of chargers in failsafe mode, as with Elcon and others,

ideally ability to report logging over GPRS,

maybe a GPS tracking add-on

while you're at it.

But most important, ability to shut everything down upon BMS failure
 
Can you please review some BMS that is affordable but you find good? How about the ANT BMS?
 
The core of this design is going to be enhanced ESD protections, so there's no chance of the system taking damage from hobbyists with poor ESD practices. I believe this is the #1 reason by far for mysterious DIY failures. I am aiming for AT LEAST IEC-61000-4-2 Level 3 protection. Only after the system is properly "armored" against ESD strikes, I will implement conformal coating for shock/waterproofing and extra functionality.

Host MCU STM32F107 (possibly swap this one for a Cortex R-series MCU), which would of course provide:

  • UART to BQ75614
  • USB or UART to a host PC (to configure voltage balancing point, update firmware)
  • Audio alerts through piezo buzzer
  • CAN interface to CAN charger, CAN-enabled status display, and possibly a custom CAN-enabled controller
  • UART interface to a bluetooth module (to configure voltage balancing point)
  • SPI to IMU, SD card for verbose data logging, possibly even a DAC + amp for customizable audio alerts!
  • UART to optional GPS/GSM module. I will definitely implement it last, this is by far the most complex functionality.

john61ct said:
I would want as much adjustability in the various setpoints as possible, ideally supporting in the same unit both LFP and LTO as well as the 3.7-4.2 others.

Ability to disable balancing completely,

to use external contactor(s),

low and high temperature protection of course

fully sealed to IP specs, hardened against extreme shock & vibration, marine conditions

CAN control of chargers in failsafe mode, as with Elcon and others,

ideally ability to report logging over GPRS,

maybe a GPS tracking add-on

while you're at it.

But most important, ability to shut everything down upon BMS failure

Sounds like a very comprehensive list of features! Fortunately the BQ75614 supports half of them in hardware:

  • No FETs, but support for external relay/contactor. (as well as open/close diagnostics for the relay)

  • Hardware comparators for over temp, under temp (both disable balancing + output), overvoltage and undervoltage (configurable to battery chemistry)

  • 5V disabled during emergency shutdown mode. (MCU and peripheral functions powered off)
 
Tommm said:
Can you please review some BMS that is affordable but you find good? How about the ANT BMS?

:thumb:

The ANT BMS looks very nice, functionality wise. I can't get a good look at the internals, but it's a 2-wire, which is a good sign. The ultra-cheap fire hazard BMS boards are almost exclusively 3-wire. (not to say that ALL 3-wire units are bad)

Unfortunately, the affordable BMS units have little-to-no built-in ESD protection. I've yet to see one that meets IEC-60004-2 level 1 standards or even any mention of ESD safety. The best ESD prevention is to use an ESD wrist-strap attached to a solid ground point when handling the BMS. A quality ground point like the outer case of an ATX PSU, a microwave (or any 3-prong appliance).

For extra peace of mind, a (grounded) ESD-mat is also recommended for electronic work. ESD mats like this linked below will allow the board (and you) to slowly, and safely discharge any static charge that can damage sensitive ICs. When your BMS arrives, being careful not to touch the bare board, dump it onto the mat, within seconds the accumulated static charge will be dissipated. Double check that your wrist strap is grounded and in good contact with your skin, and you're ready to safely work.

Example: https://esdproduct.com/

As for waterproofing, insulating varnish on the bare board + dielectric grease on the connectors is certainly a help. By no means IP68 waterproof, but far, far more resistant to splashing and condensation.
 
Yeah, it is hard to find good pictures really close to ANT BMS. There is some picture, but it is quite bad too. You cannot see what components they used etc.

[photo attachment]
 
Nixunen said:
Yeah, it is hard to find good pictures really close to ANT BMS. There is some picture, but it is quite bad too. You cannot see what components they used etc.

[photo attachment]

Nice find! From the pic, I believe it's a clone of this (much clearer photos): https://imgur.com/a/DZ9X4tx

I found this pic on reddit, a user blew his BMS. :(

https://www.reddit.com/r/ebikes/comments/e4oxr8/i_just_bricked_a_130_bms_venting/

As usual, practice ESD safety at all times when working with bare PCBs, ESPECIALLY safety critical components like BMS units.
 
Sounds like you may have explained what happened when my house burned. All we know is a battery left on the charger too long burned the garage down. But I have long suspected the bms failed me somehow.
 
dogman dan said:
Sounds like you may have explained what happened when my house burned. All we know is a battery left on the charger too long burned the garage down. But I have long suspected the bms failed me somehow.

Very sorry to hear that. I hope your insurance did you right.

That's very common for a BMS to fail and become unable to trigger OVP. Overvoltage when charging is by far the most dangerous thing possible with a Li-Ion cell!

Unfortunately human bodies are good capacitors, very effective at damaging modern electronics (especially MCUs, FETs, small SMT components). Due to advances in semiconductor fabrication, unprotected devices are expected to become even more sensitive in the future!

Read more on ESD safety:

https://www.minicircuits.com/app/AN40-005.pdf

http://www.electronicsandyou.com/blog/esd-safe-electrostatic-discharge-safety.html

https://en.wikipedia.org/wiki/Electrostatic_discharge
 
Until some manufacturers decided to seek UL/CSA/CE approvals, most hoverboard batteries had no overvoltage protection or balance circuitry. At least, that's what I saw when I bought packs in 2017.

Mine used what you call the three wire BMS, but used the P- side for both charging and discharge. The C- was left unconnected. So they were bound to catch fire if the chargers ever over volted.

One guy who used to support U.P.P. packs says their products don't use balance circuits. Could be right. I have a few U.P.P. packs that are always a few tenths low.
 
MAXIMUM_AMPS said:
The core of this design is going to be enhanced ESD protections, so there's no chance of the system taking damage from hobbyists with poor ESD practices. I believe this is the #1 reason by far for mysterious DIY failures. I am aiming for AT LEAST IEC-61000-4-2 Level 3 protection. Only after the system is properly "armored" against ESD strikes, I will implement conformal coating for shock/waterproofing and extra functionality.

Host MCU STM32F107 (possibly swap this one for a Cortex R-series MCU), which would of course provide:

  • UART to BQ75614
  • USB or UART to a host PC (to configure voltage balancing point, update firmware)
  • Audio alerts through piezo buzzer
  • CAN interface to CAN charger, CAN-enabled status display, and possibly a custom CAN-enabled controller
  • UART interface to a bluetooth module (to configure voltage balancing point)
  • SPI to IMU, SD card for verbose data logging, possibly even a DAC + amp for customizable audio alerts!
  • UART to optional GPS/GSM module. I will definitely implement it last, this is by far the most complex functionality.

john61ct said:
I would want as much adjustability in the various setpoints as possible, ideally supporting in the same unit both LFP and LTO as well as the 3.7-4.2 others.

Ability to disable balancing completely,

to use external contactor(s),

low and high temperature protection of course

fully sealed to IP specs, hardened against extreme shock & vibration, marine conditions

CAN control of chargers in failsafe mode, as with Elcon and others,

ideally ability to report logging over GPRS,

maybe a GPS tracking add-on

while you're at it.

But most important, ability to shut everything down upon BMS failure

Sounds like a very comprehensive list of features! Fortunately the BQ75614 supports half of them in hardware:

  • No FETs, but support for external relay/contactor. (as well as open/close diagnostics for the relay)

  • Hardware comparators for over temp, under temp (both disable balancing + output), overvoltage and undervoltage (configurable to battery chemistry)

  • 5V disabled during emergency shutdown mode. (MCU and peripheral functions powered off)
your LISTs are invisible
 
MAXIMUM_AMPS said:
That's very common for a BMS to fail and become unable to trigger OVP. Overvoltage when charging is by far the most dangerous thing possible with a Li-Ion cell!
BMS should **not** control charging termination, just OVP to act as a failsafe backup for when (not if) the charger fails.

Or, **if** the charger / BMS is designed with deadman's switch* failsafe, then a completely independent OVP device needs to take that role.

_____
* Charger needs to continue receiving "safe to charge" CAN messages every few seconds.

Soon as they stop, charger shuts down.

See Elcon CANbus module specs, compatible with BMS control from Emus, Orion, Elithion, EPS
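The dead-man's-switch arrangement described in this post, written out as a small simulation. This is an added example, not code from anyone in the thread or from Elcon: the message name, the 5 s timeout and the event timeline are constructed for illustration (the post only says "every few seconds"). The point it shows is that the charger's safe state is OFF: it runs only while permission is fresh, a gap in the message stream is itself treated as a fault, and a late message after a gap does not resume charging.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEARTBEAT_TIMEOUT_S = 5.0  # assumed: the post only says "every few seconds"


@dataclass
class ChargerWatchdog:
    """Charger-side timer: output stays on only while permission is fresh."""
    timeout_s: float = HEARTBEAT_TIMEOUT_S
    last_ok_time: Optional[float] = None  # None: never heard from the BMS
    latched_off: bool = False             # sticky until a power cycle

    def on_message(self, now: float, msg: str) -> None:
        if self.latched_off:
            return
        # A message arriving after the stream already went stale is too late:
        # the gap itself is the fault, so latch off rather than resume.
        if self.last_ok_time is not None and now - self.last_ok_time > self.timeout_s:
            self.latched_off = True
            return
        if msg == "SAFE_TO_CHARGE":
            self.last_ok_time = now
        else:
            # Anything that is not an explicit permission (a "STOP", a
            # malformed frame) is treated as loss of permission.
            self.latched_off = True

    def output_enabled(self, now: float) -> bool:
        if self.latched_off or self.last_ok_time is None:
            return False
        return now - self.last_ok_time <= self.timeout_s


def run_timeline(events: List[Tuple[float, str]], sample_times: List[float],
                 timeout_s: float = HEARTBEAT_TIMEOUT_S) -> Dict[float, bool]:
    """Replay (time, message) events and sample the charger output state."""
    wd = ChargerWatchdog(timeout_s)
    pending = sorted(events)
    i = 0
    state: Dict[float, bool] = {}
    for t in sample_times:
        while i < len(pending) and pending[i][0] <= t:
            wd.on_message(*pending[i])
            i += 1
        state[t] = wd.output_enabled(t)
    return state


# Constructed scenario: BMS heartbeats every 3 s, goes silent after t=9 s
# (say the MCU browned out), then one stray heartbeat shows up at t=20 s.
BMS_EVENTS = [(0.0, "SAFE_TO_CHARGE"), (3.0, "SAFE_TO_CHARGE"),
              (6.0, "SAFE_TO_CHARGE"), (9.0, "SAFE_TO_CHARGE"),
              (20.0, "SAFE_TO_CHARGE")]
SAMPLE_TIMES = [-1.0, 1.0, 7.0, 12.0, 15.0, 21.0]

if __name__ == "__main__":
    for t, on in run_timeline(BMS_EVENTS, SAMPLE_TIMES).items():
        print(f"t={t:5.1f}s  charger output {'ON' if on else 'OFF'}")
```

Before the first heartbeat the output is off, it is on while heartbeats keep arriving, and once the stream stops the charger goes off within one timeout and stays off even when a message turns up later.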

 
john61ct said:
MAXIMUM_AMPS said:
That's very common for a BMS to fail and become unable to trigger OVP. Overvoltage when charging is by far the most dangerous thing possible with a Li-Ion cell!
BMS should **not** control charging termination, just OVP to act as a failsafe backup for when (not if) the charger fails.

Or, **if** the charger / BMS is designed with deadman's switch* failsafe, then a completely independent OVP device needs to take that role.

_____
* Charger needs to continue receiving "safe to charge" CAN messages every few seconds.

Soon as they stop, charger shuts down.

See Elcon CANbus module specs, compatible with BMS control from Emus, Orion, Elithion, EPS

Is your BBCode disabled? the lists are showing for me, but I will edit the post.

By OVP, I mean the BMS OVP for each cell group... The most critical protection feature of a BMS, besides balancing of course. For example, in a 2-wire BMS, if any one cell group is above 4.2 V, or 3.7 V for LiFePO4, the protection IC cuts off the charger input, usually by turning off the CHG FETs group shown on the left here:

https://i.imgur.com/ZqFMnGf.png

Due to the body diodes of the FETs, they can only block in one direction, so you have 2 groups, one for charge and one for discharge hooked up in the configuration above.

Yes the charger will cut off automatically at 42v, 54.6v, etc. However, without the OVP detection for each cell group, it's possible that one cell group is higher than the others at the start of charging, the overall voltage looks good from the charger's side, but the one group is experiencing overvoltage and an explosion is soon to follow.

I do agree that the charger needs CAN communication so the BMS can verify that it's a trustworthy charger, and can communicate that it's safe to charge.
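The per-group OVP argument from this post, worked through in code. This is an added example, not code from anyone in the thread: the 10S pack voltages are constructed, the OVP thresholds are the ones quoted in the post (4.2 V Li-ion, 3.7 V LiFePO4), and the UVP thresholds and the 42 V charger cutoff are assumptions for the example. It shows a pack whose total is under the charger's cutoff while one group is already above 4.2 V, and how the back-to-back CHG/DSG FET pair with its body diodes turns that into "charge blocked, discharge still allowed".

```python
from typing import Dict, List, Tuple

OVP_THRESHOLD_V = {"li-ion": 4.2, "lifepo4": 3.7}  # as quoted in the post
UVP_THRESHOLD_V = {"li-ion": 2.5, "lifepo4": 2.0}  # assumed for the example


def charger_sees_ok(groups: List[float], charger_cutoff_v: float) -> bool:
    """What the charger knows: only the pack terminal voltage."""
    return sum(groups) < charger_cutoff_v


def fet_state(groups: List[float], chemistry: str) -> Tuple[bool, bool]:
    """What a 2-wire protection IC decides from each group voltage.

    Returns (chg_fet_on, dsg_fet_on). OVP on any group opens the CHG FET,
    UVP on any group opens the DSG FET.
    """
    ovp = any(v >= OVP_THRESHOLD_V[chemistry] for v in groups)
    uvp = any(v <= UVP_THRESHOLD_V[chemistry] for v in groups)
    return (not ovp, not uvp)


def current_path_allowed(chg_on: bool, dsg_on: bool, direction: str) -> bool:
    """Back-to-back FETs: each FET blocks one direction only, because its
    body diode conducts the other. Charge current flows through the DSG
    FET's body diode and needs the CHG FET on; discharge current flows
    through the CHG FET's body diode and needs the DSG FET on."""
    if direction == "charge":
        return chg_on
    if direction == "discharge":
        return dsg_on
    raise ValueError(direction)


def evaluate(groups: List[float], chemistry: str = "li-ion",
             charger_cutoff_v: float = 42.0) -> Dict[str, object]:
    chg_on, dsg_on = fet_state(groups, chemistry)
    return {
        "pack_v": round(sum(groups), 2),
        "charger_thinks_ok": charger_sees_ok(groups, charger_cutoff_v),
        "bms_allows_charge": current_path_allowed(chg_on, dsg_on, "charge"),
        "bms_allows_discharge": current_path_allowed(chg_on, dsg_on, "discharge"),
        "highest_group": max(range(len(groups)), key=lambda i: groups[i]),
    }


# Constructed 10S Li-ion pack: nine groups at 4.15 V, group 4 drifted to 4.45 V.
# Total is 41.8 V, so a 42 V charger keeps pushing current into it.
UNBALANCED_10S = [4.15] * 4 + [4.45] + [4.15] * 5
BALANCED_10S = [4.15] * 10

if __name__ == "__main__":
    for name, pack in (("balanced", BALANCED_10S), ("unbalanced", UNBALANCED_10S)):
        print(name, evaluate(pack))
```

The unbalanced pack reads 41.8 V at the terminals, so the charger-level check passes, while the per-group check opens the CHG FET because group 4 is above 4.2 V; discharge remains possible through the CHG FET's body diode, which is exactly the behaviour the two FET groups in the linked schematic are there to give.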
 
BMS is just a collection of functionality, no need to put everything into one point of failure.

Balancing for example does not need to be included in the protective hardware, and IMO should not.

In many use cases, a pack may only need rebalancing a few times in the first few years.

Even just checking for imbalance does not need to be "live" during the usage (discharge) half of the cycle, periodically is often fine, and once a week or so may be plenty.

Comparing to "how most BMS work" is IMO irrelevant; they are nearly universally stupidly horrible.

As I stated, OVP at the cell/group level does not need to (IMO should not) be controlling the charging process.

Cell OVP can be there as a backup layer of protection.

Or a balancing charger can be used.

There are many design options, and a good BMS design should allow the user to choose the approach they think best.

Do not hard-code **your** opinion as to how the system should work into the design of your BMS.

As long as the cells remain well balanced, since there is no need to go to maximum SoC / voltage, the pack level voltage is just fine, just calibrate the stop point well below the weaker cells getting anywhere near max voltage.

Well worth the tiny sacrifice in range, maybe 2%, for simplicity, reliability thus increased safety.

The BMS is very often the direct **cause** of pack fires, specifically because the owner relies on it (too much) to halt charging.

If the BMS is in control of charging - fine, allow for that - but only with that failsafe design, **and** a backup layer of OVP protection then needs to be provided.

Much safer to get a **proper** charger - they are very reliably designed and built - let it do its job! and have the BMS act as protective failsafe only.




 
john61ct said:
BMS is just a collection of functionality, no need to put everything into one point of failure.

Balancing for example does not need to be included in the protective hardware, and IMO should not.

In many use cases, a pack may only need rebalancing a few times in the first few years.

Even just checking for imbalance does not need to be "live" during the usage (discharge) half of the cycle, periodically is often fine, and once a week or so may be plenty.

Comparing to "how most BMS work" is IMO irrelevant; they are nearly universally stupidly horrible.

As I stated, OVP at the cell/group level does not need to (IMO should not) be controlling the charging process.

Cell OVP can be there as a backup layer of protection.

Or a balancing charger can be used.

There are many design options, and a good BMS design should allow the user to choose the approach they think best.

Do not hard-code **your** opinion as to how the system should work into the design of your BMS.

As long as the cells remain well balanced, since there is no need to go to maximum SoC / voltage, the pack level voltage is just fine, just calibrate the stop point well below the weaker cells getting anywhere near max voltage.

Well worth the tiny sacrifice in range, maybe 2%, for simplicity, reliability thus increased safety.

The BMS is very often the direct **cause** of pack fires, specifically because the owner relies on it (too much) to halt charging.

If the BMS is in control of charging - fine, allow for that - but only with that failsafe design, **and** a backup layer of OVP protection then needs to be provided.

Much safer to get a **proper** charger - they are very reliably designed and built - let it do its job! and have the BMS act as protective failsafe only.

BMS being universally stupid and horrible? Not at all. There's definitely good designs and bad ones...

Of course, the BMS is by no means the only possible cause of a battery fire, there's tons of RC LiPos going up in flames, and those all rely on balance chargers. Balance chargers are nice for RC vehicles where it would only hinder performance for little gain, but:

Electric cars do not use balance chargers, they always use a BMS. Not one large EV uses balance chargers. They use a proven design from Linear, TI etc, and their engineers adapt it for their specific implementation. For example an electric car BMS using LTC3300s is going to be rock-solid reliable.

It has a ton of functionality and redundancy, even includes "active" balancing, meaning it recovers charge from the higher charged cells and puts it into the lower charged cells. Check this out for details on how it works: https://www.analog.com/en/products/ltc3300-2.html

The BMS OVP for each cell group is massively important, chargers do fail, in a multitude of ways. Overcharging is a sure fire way to get a fire. The additional protection in the BMS adds an extra layer of idiot-proofing, for example... in case someone gets the bright idea to turn the dials in their charger to get a higher voltage.

As for the charger, I never suggested not using a proper charger, you NEED a CC/CV charger with the proper current/voltage limits to charge Li-Ions. Anything else is flat out asking for a fire.
 
I did not say all. 99.99% being dangerous is not all.

And some of the BMS most frequently causing the biggest fires do sell for thousands, paying a lot of money does not necessarily get you the security you hope for.

There are hundreds of connections and components all which need to be correct, the IC/ MCU is just one element, and the right Design necessary but not sufficient.

Whether RC, ebikes, EVs or power banks, the principles of the cells and their chemistry are the same.

My point is exactly as you say, BMS as backup layer of protection. That means not controlling the chargers' normal cycling, relying on that for primary and a completely separate device for the failsafe.

In any case, stand by what I wrote, no point us just repeating our differences, other than this bit, I think most critical if you want your proposed design to differentiate itself:
There are many design options, and a good BMS design should allow the user to choose the approach they think best.

Do not hard-code **your** opinion as to how the system should work into the design of your BMS.
 
john61ct said:
I did not say all. 99.99% being dangerous is not all.

And some of the BMS most frequently causing the biggest fires do sell for thousands, paying a lot of money does not necessarily get you the security you hope for.

My point is exactly as you say, BMS as backup layer of protection. That means not controlling the chargers' normal cycling, relying on that for primary and a completely separate device for the failsafe.

Ah, I understand now.

Agreed, ultimately you can buy a $16 board, $100 board, a $500 board, not even connect it to anything yet, but cause irreparable damage to it due to ESD.

Fortunately with the proper design, the circuit will not appear to be protecting when it's only partially protecting, the biggest issue of cheap units with 1S chips.
 
MAXIMUM_AMPS said:
For extra peace of mind, a (grounded) ESD-mat is also recommended for electronic work. ESD mats like this linked below will allow the board (and you) to slowly, and safely discharge any static charge that can damage sensitive ICs. When your BMS arrives, being careful not to touch the bare board, dump it onto the mat, within seconds the accumulated static charge will be dissipated. Double check that your wrist strap is grounded and in good contact with your skin, and you're ready to safely work.

Unfortunately this is not followed by probably any of the people that handle the bare electronics before you get them (any type of electronics, from components to built up boards, etc.), when buying from most of the non-big-name (Mouser, Digikey, Farnell, etc.) suppliers. Quite possible that even the factories some of these cheap electronics assemblies are built in have no ESD-safe handling procedures, either.

This was a big problem for a while when I worked at Honeywell CFSG in the late 1980s thru early 1990s; we had lots of random weird failures of all sorts of components, and after sending investigators to the various suppliers and manufacturers, found that many places did not use any kind of ESD-safe handling or storage methods. Some suppliers had to be replaced because they would not implement them, most did implement them and our pretesting and burn-in failure rates eventually went way way down.
 
Could you give an example of a proper way for a 2S or 3S bms to be built, and then have the ability to put multiples together and still have the same safety factor.

 
markz said:
Could you give an example of a proper way for a 2S or 3S bms to be built, and then have the ability to put multiples together and still have the same safety factor.

[image attachment]

Of course, there's 2 ways to go about it.

The best way to build a modular system like that is to use a chip that was designed to be "stackable". The chips communicate directly with their neighbors above and below, so if one chip is dead/faulty, the entire output is shut off.

Daisy-chainable BMS chips are not very common though. The only options I can find are from TI, and there's only 4 of them, the minimum in each stack is 3.

http://www.ti.com/power-management/battery-management/protectors/products.html#p2192=Stackable%20(built-in%20interface)

Alternatively, use individually protected cells. This is more expensive and less efficient than the above method, but it is definitely safe. Essentially each cell has its own pair of FETs and 1S IC (how the DW01 is supposed to be used).

These 1S DW01 and similar ICs are made to go into phones and flashlights that will only ever have 1S connections. They're specifically made to interface to a single cell's N-channel FETs directly, not to PNPs in a daisy chain configuration.

The PNPs are "active low" devices, so when the output of the DW01 is high (no OVP or UVP triggered) the PNPs are allowing current to flow, turning the FETs at the bottom on. If there is an OVP or UVP, the DW01 pulls the base of the PNP low, blocking the current and turning off the FETs. The hazard is that if one DW01 is damaged, the corresponding PNPs will not block the current, which will allow the cells to overcharge/undercharge.

By comparison the N-channel FETs are "active high", so if the DW01 is damaged, it works like a dead-man's switch. The FETs shut off, regardless of whether OVP or UVP conditions are present.
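The failure-mode comparison in this post (and reason 1 of the opening post) as a fault-injection model. This is an added example, not code from anyone in the thread and not a circuit simulation: the chip names are the thread's, but the 4S voltages and the "dead chip drives nothing" abstraction are constructed. One stage's protector is killed while its group is overcharged, and the two topologies are asked the same question: does current still flow? The cheap chain only blocks when a working chip actively signals a fault, so a dead chip leaves its stage conducting; an active-high drive needs every channel to actively say "OK", so silence from a dead chip opens the output.

```python
from typing import Dict, List, Optional

OVP_V = 4.2  # Li-ion limit as quoted in the thread
UVP_V = 2.5  # assumed for the example


def protector_output(group_v: float, healthy: bool) -> Optional[bool]:
    """Logic level a working 1S protector presents for its group:
    True = within limits (allow), False = OVP/UVP (block).
    A chip killed by ESD drives nothing at all, modelled as None."""
    if not healthy:
        return None
    return not (group_v >= OVP_V or group_v <= UVP_V)


def pnp_chain_allows(group_volts: List[float], healthy: List[bool]) -> bool:
    """Cheap 3-wire board: one DW01 per group, each driving its own PNP stage.
    A stage blocks only when its own chip actively signals a fault; a dead
    chip never signals, so its stage keeps conducting whatever its group does."""
    for v, h in zip(group_volts, healthy):
        if protector_output(v, h) is False:
            return False
    return True


def active_high_drive_allows(group_volts: List[float], healthy: List[bool]) -> bool:
    """2-wire / N-channel style: the output FETs conduct only while the
    protector actively asserts 'every group OK'. Silence from any channel,
    whether a fault or a dead chip, drops the gate drive (dead-man's switch)."""
    for v, h in zip(group_volts, healthy):
        if protector_output(v, h) is not True:
            return False
    return True


def compare(group_volts: List[float], dead_chip: Optional[int] = None) -> Dict[str, bool]:
    """Inject one dead protector (by index) and ask both topologies."""
    healthy = [i != dead_chip for i in range(len(group_volts))]
    return {
        "pnp_chain_passes_current": pnp_chain_allows(group_volts, healthy),
        "active_high_passes_current": active_high_drive_allows(group_volts, healthy),
    }


# Constructed 4S pack: group 2 has drifted to 4.40 V (overcharged).
OVERCHARGED_4S = [4.10, 4.10, 4.40, 4.10]
HEALTHY_4S = [4.10, 4.10, 4.10, 4.10]

if __name__ == "__main__":
    print("all chips OK, pack OK      ", compare(HEALTHY_4S))
    print("all chips OK, group 2 high ", compare(OVERCHARGED_4S))
    print("chip 2 dead, group 2 high  ", compare(OVERCHARGED_4S, dead_chip=2))
```

With every chip working the two designs agree; the difference only appears in the third case, where the PNP chain keeps passing current into an overcharged group because the one chip that could have stopped it is the one that died.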
 
MAXIMUM_AMPS said:
Alternatively, use individually protected cells. This is more expensive and less efficient than the above method, but it is definitely safe. Essentially each cell has its own pair of FETs and 1S IC (how the DW01 is supposed to be used)
A point in favour of using a single string of cells sized each with the Ah required for the whole pack.

Not sure why 2S or 3S units would be particularly advantageous?

I reckon first decide on a baseline voltage, IMO 52V nominal is a good standard,

break that down to get two sizes under 10S each to combine to get there, maintainable with balancing chargers,

then look at the increments to conveniently get from there to 72V, just under 90V etc for flexibility.

Non-propulsion solar / mobile powerpaks should be 12V (if available for your selected chemistry) or its increments 24V / 48V etc


 
I agree, not much point in going modular on an ebike BMS. A single 10-14S BMS is ideal for most ebikes.

john61ct said:
Not sure why 2S or 3S units would be particularly advantageous?

The advantages of using a >1S system I see:

1. Less voltage drop than a protection circuit with separate shunt resistors + 2 FETs in series on each cell.

For example, you'll never see a protected 18650 that can come close to an unprotected 25R or VT6, because of the resistance of the shunt and protection FETs. The daisy chain configuration only has a single shunt, a single set of FETs at the bottom of the stack. In theory you could create a 1S protection circuit that can match the performance of this but it'd be very expensive and impractical for high currents. Not to mention the losses of the shunt could be mitigated by using a single hall-effect current sensor with the daisy-chain configuration.

2. Error communication, and adjustment of the balance/protection voltages through a host MCU. Granted this feature is not implemented in TI's small 3-6S chips, but Linear/Analog implement it in their larger grid-storage/electric car BMS designs.
 