As my projects move towards everyday real-world usage, I have become more and more concerned about safety issues. With projects that have the potential of going boom, causing flooding, or shocking the ish out of someone, the importance of having fail-safe designs in these safety-critical situations has become an overriding concern. I hope that I am using the industry terminology correctly:

Safety Critical: systems where fault conditions can endanger life and property.

Fail Safe: systems that ensure that in fault conditions, the system is placed into a state where life and property are no longer in danger.

The current project on the board is a battery charger for a 48V 47 Ah Chevy Volt lithium battery module. For longevity my plan is to charge cells up to 4.1V, which is 49.2V battery nominal. Also, both because of simplicity and parts availability, I plan to use a capacitive charging circuit. One example of what the developer describes as a "relatively safe" circuit is described here:

https://www.youtube.com/watch?v=phK_nC4E_jA

with a schematic here:

http://i1063.photobucket.com/albums/t507/lookingfordbn/SNV32249_zps217163f0.jpg

Another example that uses a coil as a reactive element is the Bonn charger:

http://www.evalbum.com/tech/bonn_charger.html

These two are the best examples that I can find with at least some minimal safety features added. But in both cases I still do not feel that it's enough for my application. The two requirements I'd like to design into my circuit are now:

1. Charging power is removed in all cases where the terminal voltage of the battery reaches 50 volts.
2. Charging power must only be applied when the charger is confirmed to be connected to the battery.

The third requirement I would eventually add is:

3. Charging power is removed in all cases where the terminal voltage of any single cell of the battery reaches 4.2 volts.
So in a lot of ways, my goal is to create a fail-safe combination of Electric Vehicle Supply Equipment (EVSE), charging circuit, and BMS. Innumerable examples of each of these are widely available. However, what seems to be missing is the design methodology necessary to ensure fail-safe operation.

Take requirement #1 for example. Being the PICLIST, the obvious starting point is to have a microcontroller that measures the terminal voltage of the battery and turns off power to the charging circuit when the nominal 49.2 volt terminal voltage is reached. But what is the fail safe if the micro wanders in the weeds? Or a resistor in the voltage divider fails? Or the software is buggy? In isolation there's no way for a single microcontroller to make any type of guarantee for requirement #1. So would, for example, a separate fuse and crowbar circuit that is triggered at 50V be sufficient? In this case, no matter what happens with the microcontroller, this circuit acts as a fail safe because it'll blow the fuse to the battery if the terminal voltage is exceeded. Would this be enough?

Same with the EVSE, which is designed to only engage power when a proper connection has been established. The J1772 pilot signal is a study in simplicity and elegance. With a single pilot line and little more than a handful of diodes, resistors, and switches, it is possible to virtually guarantee that the EVSE is properly connected to the target before power is applied. And with the live mains circuit I'm planning to use, this connection is essential for safety-critical operation.

So I'm just looking for some thoughts on reasonably reliable design techniques to back up a microcontroller-based system so that even if the primary circuit goes south, the safety requirements are still met.

BAJ

-- 
Byron A. Jeff
Associate Professor: Department of Computer Science and Information Technology
College of Information and Mathematical Sciences
Clayton State University
http://faculty.clayton.edu/bjeff

-- 
http://www.piclist.com/techref/piclist PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
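As an added example (not code from Byron's post or from either of the linked chargers), here is the microcontroller side of requirements 1 to 3 written so that the micro fails toward power-off rather than power-on. It does not replace the independent crowbar and fuse the post asks about; it shows how the software layer should treat a divider or ADC it cannot trust: two independent dividers that must agree, a plausibility window that catches an open or shorted divider resistor, a cross-check of the per-cell sum against the pack reading, a stuck-reading counter, and a latch that stays off until a deliberate reset. The 50 V pack and 4.2 V cell cut-offs are the post's; the 12-cell count (49.2 V / 4.1 V), every other threshold, all function and type names, and the sample readings are assumptions made for the example.

```c
/* Added example, not the original poster's code. Thresholds marked
 * "assumed" are illustrative; 50 V and 4.2 V come from the post. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CELLS             12       /* assumed: 12s module, 12 x 4.1 V = 49.2 V */
#define PACK_CUTOFF_MV    50000UL  /* requirement 1 */
#define CELL_CUTOFF_MV    4200U    /* requirement 3 */
#define PACK_MIN_OK_MV    30000UL  /* assumed: below this the pack is absent or a divider failed */
#define PACK_MAX_OK_MV    60000UL  /* assumed: above this the ADC or divider is broken */
#define DIVIDER_AGREE_MV  500UL    /* assumed: the two dividers must agree this closely */
#define SUM_AGREE_MV      1000UL   /* assumed: cell-tap sum must match the pack reading this closely */
#define STUCK_LIMIT       20       /* assumed: identical pack samples in a row means a frozen ADC */

typedef enum { FAULT_NONE = 0, FAULT_NOT_CONNECTED, FAULT_SENSOR_RANGE, FAULT_SENSOR_DISAGREE,
               FAULT_SENSOR_STUCK, FAULT_SENSOR_SUM, FAULT_PACK_OVERVOLT, FAULT_CELL_OVERVOLT } fault_t;

typedef struct {
    uint32_t pack_mv_a, pack_mv_b;   /* two dividers: separate resistors, separate ADC channels */
    uint16_t cell_mv[CELLS];         /* per-cell taps */
    bool     connected;              /* connector handshake confirmed, pilot-signal style */
} sensors_t;

typedef struct {
    fault_t  latched;                /* first latching fault; cleared only by supervisor_reset */
    fault_t  last;                   /* result of the most recent step */
    uint32_t last_pack_mv;
    unsigned stuck;
} supervisor_t;

static uint32_t absdiff(uint32_t x, uint32_t y) { return x > y ? x - y : y - x; }

void supervisor_reset(supervisor_t *s) { s->latched = s->last = FAULT_NONE; s->last_pack_mv = 0; s->stuck = 0; }

static fault_t evaluate(supervisor_t *s, const sensors_t *in)
{
    uint32_t hi = in->pack_mv_a > in->pack_mv_b ? in->pack_mv_a : in->pack_mv_b;
    uint32_t sum = 0; uint16_t worst = 0; int i;

    if (!in->connected) return FAULT_NOT_CONNECTED;                  /* requirement 2 */
    /* A failed divider resistor shows up as an out-of-window reading or as the two dividers disagreeing. */
    if (in->pack_mv_a < PACK_MIN_OK_MV || in->pack_mv_a > PACK_MAX_OK_MV ||
        in->pack_mv_b < PACK_MIN_OK_MV || in->pack_mv_b > PACK_MAX_OK_MV) return FAULT_SENSOR_RANGE;
    if (absdiff(in->pack_mv_a, in->pack_mv_b) > DIVIDER_AGREE_MV) return FAULT_SENSOR_DISAGREE;
    /* A frozen ADC, or a micro re-using a stale sample, would never trip the 50 V check on its own. */
    if (in->pack_mv_a == s->last_pack_mv) { if (++s->stuck >= STUCK_LIMIT) return FAULT_SENSOR_STUCK; }
    else { s->stuck = 0; s->last_pack_mv = in->pack_mv_a; }
    for (i = 0; i < CELLS; i++) { sum += in->cell_mv[i]; if (in->cell_mv[i] > worst) worst = in->cell_mv[i]; }
    if (absdiff(sum, hi) > SUM_AGREE_MV) return FAULT_SENSOR_SUM;     /* cell taps and pack dividers cross-check */
    if (hi >= PACK_CUTOFF_MV) return FAULT_PACK_OVERVOLT;             /* requirement 1, on the higher reading */
    if (worst >= CELL_CUTOFF_MV) return FAULT_CELL_OVERVOLT;          /* requirement 3 */
    return FAULT_NONE;
}

/* One control-loop iteration. Returns true only when charging power may be applied. */
bool supervisor_step(supervisor_t *s, const sensors_t *in)
{
    if (s->latched != FAULT_NONE) { s->last = s->latched; return false; }
    s->last = evaluate(s, in);
    /* Losing the connection is normal and clears itself; everything else latches until a human resets it. */
    if (s->last != FAULT_NONE && s->last != FAULT_NOT_CONNECTED) s->latched = s->last;
    return s->last == FAULT_NONE;
}

/* Constructed sample snapshot: every cell at cell_mv except cell 0 at cell0_mv. */
static sensors_t snapshot(uint32_t a, uint32_t b, uint16_t cell_mv, uint16_t cell0_mv, bool connected)
{
    sensors_t in; int i;
    in.pack_mv_a = a; in.pack_mv_b = b; in.connected = connected;
    for (i = 0; i < CELLS; i++) in.cell_mv[i] = cell_mv;
    in.cell_mv[0] = cell0_mv;
    return in;
}

/* Fresh supervisor, one step: the fault (if any) that snapshot produces. */
fault_t check_once(uint32_t a, uint32_t b, uint16_t cell_mv, uint16_t cell0_mv, bool connected)
{
    supervisor_t s; sensors_t in = snapshot(a, b, cell_mv, cell0_mv, connected);
    supervisor_reset(&s); supervisor_step(&s, &in);
    return s.last;
}

/* The latch: one over-voltage sample keeps power off through later healthy samples until reset. */
bool latch_holds(void)
{
    supervisor_t s; bool hot, later, after_reset;
    sensors_t over = snapshot(50000, 50050, 4167, 4167, true);   /* 12 x 4167 = 50004 mV */
    sensors_t fine = snapshot(49000, 49100, 4083, 4083, true);   /* 12 x 4083 = 48996 mV */
    supervisor_reset(&s);
    hot = supervisor_step(&s, &over); later = supervisor_step(&s, &fine);
    supervisor_reset(&s); after_reset = supervisor_step(&s, &fine);
    return !hot && !later && after_reset;
}

int main(void)
{
    printf("healthy pack: fault %d\n", check_once(49000, 49100, 4083, 4083, true));
    printf("divider B drifted to 30.5 V: fault %d\n", check_once(49000, 30500, 4083, 4083, true));
    printf("latch holds across healthy samples: %s\n", latch_holds() ? "yes" : "no");
    return 0;
}
```

Two design points matter more than the particular thresholds. First, every branch that is not an explicitly verified "all readings sane and below limit" ends with power off, so a divider that drifts, an ADC that freezes, or a cell tap that no longer adds up to the pack voltage is treated exactly like an over-voltage. Second, the software latch only covers faults the micro can see; the case the post worries about, the micro itself wandering off, still needs the independent 50 V crowbar and fuse (plus a hardware watchdog that drops the charge enable when the loop stops running), which is why this supervisor is a second layer and not a substitute for it.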