Table 16 Summarized unsafe control actions list
From: Large-scale energy storage system: safety and risk assessment
Control action | Source | Destination | Unsafe control actions | UCA type |
|---|---|---|---|---|
Alert: Smoke/fire | Smoke detection | BMS | Not provided: Operators unaware and unable to take action. Vented gas can build up to flammable mixture | Not provided |
Smoke detection | BMS | Incorrect (esp. Undermeasure) of concentration value can mislead operator decision | Provided | |
Smoke detection | BMS | Late response due to late alert | Provided too early or late | |
Temperature | Modules/ cells | BMS | Loss of real‐time monitoring data hazardous situation may escalate unmitigated: overheating and thermal runaway propagation | Not provided |
Modules/cells | BMS | Inaccurate temperature measurements lead to misinterpretation of hazard status and wrong decision | Provided | |
Modules/cells | BMS | Wrongly timestamped data leads operators and ERT to misinterpret hazard status | Provided | |
Activate cooling | BMS | HVAC (cooling) | Command not given: thermal runaway propagation to adjacent cells | Provided |
BMS | HVAC (cooling) | Stopped too soon may allow heat propagation to continue | Stopped too soon or late | |
BMS | HVAC (cooling) | Introducing fresh cold air may cause explosion if there is an explosive concentration of gas mixture and hot | Provided | |
Surface to auto‐ignite one of the gas mixture constituents | ||||
Activate fire suppression | BMS | Active fire suppression | Heat and fire spread unmitigated to adjacent modules/racks | Not provided |
BMS | Active fire suppression | In case of partial area fire suppression system activating fire suppression at incorrect area is | Provided | |
Equivalent to not activating, fire and heat spread | ||||
Unmitigated | ||||
BMS | Active fire suppression | Activating late is equivalent to not activating, fire and heat spread unmitigated | Provided too early or late | |
BMS | Active fire | Stopped too soon, residual heat may cause re‐ignition | Stopped too | |
Suppression | soon or late | |||
BMS | Active fire | Incorrect clean agent may create pressurized | Provided | |
Suppression | combustible mixture | |||
Activate | BMS | Exhaust/ | Gas build‐up reaches combustible/explosive | Not provided |
Emergency Ventilation | Deflagration ventilation | concentration | ||
BMS | Exhaust/deflagration | Insufficient ventilation rate may be ineffective in reducing concentration of accumulated gas mixture to | Provided | |
Ventilation | Safe levels | |||
BMS | Exhaust/deflagration Ventilation | Stopped too soon gas concentration and pressure build up in BESS room may continue if cell is still undergoing thermal runaway | Stopped too soon or late | |
Fire Suppression | Emergency response Team | Modules/cells | Fire spread unmitigated | Not provided |
(Manual) | ||||
Open access door/Panel for fire | Emergency response team | Modules/ cells | Introduces fresh air (oxygen) to combustible gas mixture. In presence of burning flame in BESS roommay cause instant explosion | Provided |
Suppression | ||||
Emergency response team | Modules/cells | Fire spread unmitigated | Not provided | |
Emergency response team | Modules/ cells | Providing late: fire spread unmitigated | Provided too early or late | |
Continued | Emergency | Modules/ | Risk of residual heat causing thermal runaway and re‐ | Stopped too |
Cooling and monitoring | Response team | Cells | Ignition | Soon or late |
Emergency response | Modules/cells | Providing late: increased likelihood of thermal runaway and re‐ignition | Provided too early or late | |
Team | ||||
Emergency response team | Modules/ cells | Stopped too soon: increased likelihood of thermal runaway and re‐ignition | Stopped too soon or late | |
Emergency | Modules/ | Insufficient cooling and alertness increases likelihood | Provided | |
Response team | Cells | of thermal runaway and re‐ignition | ||
Emergency shutdown | BMS | Modules/cells | Affected battery modules continue charge/discharge operation increasing likelihood of thermal runaway escalation | Not provided |
BMS | Modules/cells | Providing late equivalent to not providing increasing likelihood of thermal runaway escalation | Provided too early or late | |
Site acceptance | Dept of Standards | LSSPV operator/ | Inaccurate testing requirements for various types of BESS technologies | Provided |
Test requirements | Owner | |||
Safety function | Dept of Standards | Equipment manufacturer | Safety functions built into BESS with wrong parameters | Provided |
Requirements | ||||
Emergency response training | Emergency response team | Site operator/technicians | Inadequate information hinders operators from correct early mitigation action in hazard scenario delay causes hazard escalation | Provided |
Emergency response | Site operator/ | Operators take wrong action in hazard release event leading to hazard escalation | Not provided | |
Team | Technicians | |||