I chair a group of specialists (electrical engineers, safety analysts, others) mandated by the German electrical-engineering standardisation organisation DKE to undertake a risk analysis of the process of recharging electric road vehicles.
We have been working now for close on one and a half years, on conductive charging, and have a document under internal review purporting to offer a high-level risk analysis of recharging using so-called “Mode 3”, in which a charging station permanently attached to the ground or to a structure is used. This mode offers charging-service providers and equipment providers the widest scope to ensure safety of the charging process, because anything considered necessary to assure an appropriate degree of safety (“safety functions” in the lingo of IEC 61508) can be built in to the box.
Other modes are Mode 2, in which a “box” with appropriate circuitry and safety mechanisms is built into the cable used for charging a vehicle, while the cable itself plugs straight in to building circuitry; and Mode 1, in which a charging cable is attached at one end to the vehicle and at the other to building circuitry, without any intermediating electrics or electronics.
The Renault Twizy car has a cable in front allowing Mode 1 charging (also Mode 3) through a normal “SchuKo” plug (“SchuKo” is short for “Schutz-Kontakt”, which means “contact-protected”, the usual kind of household plug through which current cannot flow until the person handling the plug is physically separated from live parts).
Inductive charging is somewhat further in the future.
The method we are using is a mix of OHA and HazOp. The OHA part is to consider the entire connected chain as a system, consisting of objects (subsystems)
- grid supply
- fixed charging column with connection to grid
- charging column/charging cable interface (plugset)
- charging cable
- charging cable/ vehicle interface
- vehicle
and to define the properties of and relations between these objects which we consider relevant to safety properties. We use the HazOp guideword process to extend the set of properties to consider and to guide us to possible hazard situations. We associated each hazard specifically with one of the subsystems involved in it.
We then used event trees to estimate the severity (worst-possible outcome) of each hazard. We were concerned with the outcomes “electric shock” (to a person) and “fire”. We consider electric shock to a person to be at worst immediately deadly, and fire less so, because a person in general has a certain possibility of extricating him- or herself from a fire situation. We evaluated each hazard as to whether it was unforeseeable, theoretically possible, or plausible.
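As an added illustration (not part of the original post nor the DKE group's material), here is a small Python model of the two steps just described: HazOp guideword expansion over a subsystem's properties, and event-tree walking to find each hazard's worst-possible outcome, ranked with the post's severity ordering. The subsystem names and likelihood classes follow the post; the guideword subset, the sample hazards and the named safety functions are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Subsystems of the connected chain, as listed in the post.
SUBSYSTEMS = ["grid supply", "fixed charging column", "plugset",
              "charging cable", "charging cable/vehicle interface", "vehicle"]
# Assumed subset of HazOp guidewords (the post does not list the ones used).
GUIDEWORDS = ["NO", "MORE", "LESS", "REVERSE", "OTHER THAN"]
SEVERITY = {"no harm": 0, "fire": 1, "electric shock": 2}   # post: shock is worst
LIKELIHOOD = ["unforeseeable", "theoretically possible", "plausible"]  # post's classes

def hazop_deviations(subsystem: str, properties: List[str]) -> List[Tuple[str, str, str]]:
    """Cross every safety-relevant property with every guideword to
    generate candidate deviations (the HazOp extension step)."""
    return [(subsystem, gw, prop) for prop in properties for gw in GUIDEWORDS]

def worst_outcome(tree: Dict) -> str:
    """Walk an event tree and return its worst-possible outcome.
    A leaf is {"outcome": ...}; an inner node names a safety function
    and branches on whether it "works" or "fails"."""
    if "outcome" in tree:
        return tree["outcome"]
    branches = (worst_outcome(tree["works"]), worst_outcome(tree["fails"]))
    return max(branches, key=lambda o: SEVERITY[o])

def assess(hazards: List[Dict]) -> List[Dict]:
    """Attach the worst outcome to each hazard and rank them: most severe
    and most plausible first, which is where mitigation effort belongs."""
    rows = [{"subsystem": h["subsystem"], "hazard": h["hazard"],
             "likelihood": h["likelihood"], "worst": worst_outcome(h["tree"])}
            for h in hazards]
    rows.sort(key=lambda r: (SEVERITY[r["worst"]],
                             LIKELIHOOD.index(r["likelihood"])), reverse=True)
    return rows

# Constructed sample hazards for illustration only; not the group's findings.
SAMPLE_HAZARDS = [
    {"subsystem": "charging cable/vehicle interface", "likelihood": "plausible",
     "hazard": "MORE current than the connector is rated for",
     "tree": {"safety_function": "overcurrent cut-off in the column",
              "works": {"outcome": "no harm"},
              "fails": {"safety_function": "connector temperature limit",
                        "works": {"outcome": "no harm"},
                        "fails": {"outcome": "fire"}}}},
    {"subsystem": "charging cable", "likelihood": "theoretically possible",
     "hazard": "OTHER THAN intact insulation (cable damaged)",
     "tree": {"safety_function": "residual-current protection",
              "works": {"outcome": "no harm"},
              "fails": {"outcome": "electric shock"}}},
]
```

Calling `assess(SAMPLE_HAZARDS)` lists the damaged-cable hazard first, since its worst outcome (electric shock) outranks fire even though it is judged less likely.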
There are a number of memes concerning this task which I would like to introduce into discussion amongst safety specialists. I would like to ask for any of your thoughts on the following memes. I would like to share some thoughts transparently with colleagues, and wish to give appropriate credit for contributions, so I would be grateful if you would indicate whether your name, with or without your affiliation, may be associated with your view or whether you wish your comment to be anonymous. My email address is ladkin”AT”rvs”DOT”uni-bielefeld”DOT”de.
Meme 1. Electric vehicles are no different from other devices, for example lawnmowers, in the business of being attached to the grid. The same issues arise with electric vehicles as with lawnmowers: no more nor less.
PBL: I strongly don’t agree with this assertion. Electric road vehicles store large amounts of power in batteries; lawn mowers don’t. This power could theoretically, through malfunction, be discharged into the circuit to which it is connected: lawnmowers cannot do this. This power could also intentionally be available to power building circuits; lawn mowers cannot offer this.
Meme 2. Any risks resulting in electric shock or fire resulting from charging an electric vehicle on a household or building circuit are already known, and have been for decades.
PBL: I have not seen a proof of this assertion. Surely, to prove this assertion it is necessary to perform a risk analysis? Before ours, to my knowledge, one has not been performed.
Meme 3. Any risks resulting in electric shock or fire resulting from charging an electric vehicle on a household or building circuit are fully covered by an adequate set of electrical standards.
PBL: I have not seen a proof of this assertion. Surely, to prove this assertion it is necessary to perform a risk analysis and to see explicitly that all purported risks are already covered in the existing standards?
Meme 4. The term “risk analysis” gives lay people who might buy them the impression that there are risks associated with electric vehicles and so the term should be avoided at all costs.
PBL: There are obviously risks associated with any road vehicles, including electric ones. The term “risk analysis” is a technical term denoting a specific kind of analysis which IEC Safety Guide 51 requires to be performed in any standard which concerns safety of equipment. I do not agree with avoiding precise, universal technical terms because they might in some way “scare” lay people. I suggest, instead, explaining what the technical term means and that such analysis is part of defined best practice.
Meme 5. Any risks associated with the electric vehicle are covered by the requirements of ISO 26262 (governing the functional safety of road vehicle E/E/PE systems). Any risks associated with the charging system are covered by the requirements of IEC 61508 (governing functional safety of E/E/PE systems). Therefore any risks of charging such vehicles are fully covered.
PBL: There are two mistakes here.
First is to argue from the Premisses that (a) the risks involved in using System A are known, and (b) the risks involved in using System B are known, to the Conclusion (c) that the risks in using A-composed-with-B are known. Counterexamples abound.
Second is to think that IEC 61508 (indeed ISO 26262) works like, say, an electrical-safety standard: that if you do this-and-this everything will be alright. IEC 61508 specifies how care is to be taken, and what analyses are to be done, in designing and operating safety-related E/E/PE kit. It does not, and cannot, guarantee any specific outcome (such as freedom from accidents); whereas standards in electrical safety are intended to guarantee freedom from electric shock.
Meme 6: There are no risks associated with maintaining and operating electric road vehicles that are not also associated with maintaining and operating gasoline-powered road vehicles.
PBL: This is obviously not true.
For example, the possibility of a dangerous electric shock from an electric road vehicle is obviously different from the possibility of a dangerous electric shock from a gasoline-powered road vehicle.
A second example: gasoline-powered cars are refueled on separate spaces set aside for this very purpose from the road, called gas stations or petrol stations, and behavior on or around them is controlled. Dangerous accidents with speeding vehicles are unlikely. Whereas “refueling” electric road vehicles is proposed while the vehicle is parked on the public road – indeed we have two such recharging points in Bielefeld. Vehicles parked on the public road are more susceptible to involvement in higher-speed collisions with their ensuing damage.
A third example: damaged electric road vehicles have been known to burst into flames many days or weeks later. Luckily, known instances have been test cars at storage sites.
A fourth example: batteries in some electric road vehicles are susceptible to thermal runaway. Much smaller batteries in most gasoline-powered vehicles are not.
Meme 7: The risks associated with maintaining and operating electric road vehicles are equivalent to those associated with maintaining and operating gasoline-powered road vehicles.
PBL: The word “equivalent” here has an unclear meaning. Suppose it is to be given a precise meaning (say, chances of death or serious injury). Then surely a risk analysis, of which a risk analysis of recharging electric road vehicles is part, must be performed in order to be able to draw such a conclusion.
Meme 8: A risk analysis without listing the possible causes of the hazards is not helpful.
PBL: There may be many and varied causes of a hazard. For example, damaged electronics which lead to a later disadvantageous effect on behavior. How could electronics be damaged in such a way? There are quite a lot of examples in the literature. Maybe Kevin Driscoll’s slide show Murphy Was An Optimist, Version 19 of which is at http://www.rvs.uni-bielefeld.de/publications/DriscollMurphyv19.pdf, is a good place to start. What one really wants to do as the result of a risk analysis is to reduce the risk. One way of doing that may well be to mitigate the hazard by hindering the most deleterious consequences, given that it has occurred. Given the variety of damage that might be caused to electronics, maybe in ways we haven’t thought of yet (indeed, cataloguing it is an uncompleted major project of one of the leading researchers in the field), listing all the specific causes and the damage that ensues seems to me less helpful for the task of risk-assessing recharging operations than abstracting and considering what might result from any situation in which there is “damaged electronics whose behavior is different from that required and expected”.
Meme 9: These issues are concerned with electrical safety. Functional safety has no role to play.
PBL: As these technical terms are defined, electrical safety is part of functional safety for E/E/PE equipment.
Acknowledgement: Thank you to Bernd Sieker for commentary and critique.