Introduction & Scope: Why a Secondary, Independent Protection Path
Many battery-powered systems already include a main charger IC, a main BMS AFE, or even a primary pack protector. However, these blocks often live in the same control domain and can fail together. A secondary protector is added as an independent, always-available safety layer that does independent detection, independent decision, and independent actuation, typically to drive high-energy actions such as fuse blowing, pyro triggering, or a heavy high-side FET.
The goal is not to make protection more precise, but to make it more certain: even when the main path is busy, misconfigured, or locked by the host, the secondary path can still disconnect the battery from a dangerous charger or environment.
Controller not under your control
Chargers supplied by third parties or swapped by end users may overshoot or stay on longer than expected. A local, independent path must recheck OV/thermal.
BMS busy / stalled / black-box
When the main AFE is busy (sampling, balancing, or communicating), an OV or overtemperature can be detected too late. Secondary runs in parallel.
High-cost actions must be certain
Fuse or pyro are one-way / high-energy actions. They must not depend on a single MCU or software stack to fire.
In scope
- Independent OV / thermal sensing
- Independent decision path (no MCU dependency)
- High-energy actuation (fuse / pyro / heavy FET)
- Why labs / automotive customers demand it
Out of scope (linked siblings)
- CC/CV, JEITA, fast charging logic
- SOC / SOH gauging and fusion
- Generic eFuse / pack switch selection
Threat / Fault Scenarios Modeling – What this secondary path is really for
A secondary protector is not meant to duplicate what the main BMS is already doing. It is meant to intercept a small but critical set of faults where the main system cannot see, does not see in time, or is not trusted to act. These faults mostly fall into three baskets: voltage-related, thermal-related, and control/logic-related.
1) Voltage-related faults
Charger overshoot, wrong adapter, cell-level overvoltage or wiring that fakes a higher pack voltage.
Main BMS: can often see it, but may be too late if ADC is busy.
2) Thermal faults
FET self-heating, hot enclosure, or a single cell running hotter than others – hard to catch if the main path aggregates temps.
Secondary: can trip on local hotspots only.
3) Control / logic faults
MCU hang, I²C/SPI bus stuck, AFE in busy state. Data may look “valid” but no one is actually watching it.
This is the reason we insist on a hardware OV path.
Intervention timeline (concept)
- t0 – Fault appears: charger pushes above allowed pack/cell voltage, or a hotspot forms.
- t1 – Main path tries to detect: but may be busy, masked, or not synchronized with charger.
- t2 – Secondary thresholds reached: independent OV or thermal voting asserts.
- t3 – Actuation: fuse / pyro / high-side FET is triggered.
- t4 – Reporting: if the main system is still alive, it receives the trip reason and logs it.
The key takeaway is that control faults are the most silent ones. They can keep reporting old but valid-looking data, so relying on the main MCU or shared ADC to trigger a high-energy action is risky. This is why, in the next chapters, the secondary OV path will be designed as a hardware comparator-based path and the thermal part will be a local multi-sensor voting block.
Independent OV Path Architecture — How to build an overvoltage line that does not depend on the main BMS
The core idea of a secondary protector is to keep one overvoltage (OV) channel alive even when the main charger, the main BMS AFE, or the shared ADC is unavailable. This requires a fully separated sensing and actuation chain: its own reference, its own divider, its own comparator, optionally its own latch, and finally a trip output that can drive the fuse/pyro/high-side FET without software assistance.
In practice, this means the OV path must not reuse the sampled voltage values from the main AFE, and it must not wait for the main MCU to run a protection routine. It watches the pack by itself and trips by itself.
What we implement
- Independent reference (bandgap / internal Vref)
- Divider matched to 2–6S pack voltage
- Comparator with defined hysteresis
- Latched trip output to the actuator stage
What we intentionally avoid
- No reusing main AFE ADC codes
- No waiting for the main MCU interrupt
- No dependence on charger 5 V rail
- No temperature-based OV derating here
For 2–6S packs, a pack-level OV is often enough: you scale the pack voltage to the comparator range and trip when the charger pushes above the allowed window. This is the fastest and simplest option for small-batch BMS that must pass a lab test quickly.
However, cell-level anomalies may not lift the whole pack voltage. In that case, you can bring out the main AFE’s cell-OV signal as an auxiliary input to the secondary latch: if the AFE sees a bad cell and the pack-level comparator is also close to trip, the secondary path can decide to blow. This way you do not fully depend on the AFE, but you also do not ignore the per-cell information.
Many automotive-oriented devices expose a dedicated OV comparator output pin exactly for this use-case — it is meant to go directly to a fuse/pyro driver. If such a pin is not available in the part you can buy, use an extra automotive-grade window comparator and document the trip threshold in the BOM so that purchasing cannot silently replace it with “a charger IC with some protection”.
Thermal Voting Strategy — How to confirm overheating before blowing a fuse or pyro
Secondary protection actions are expensive: once a fuse is blown or a pyro is triggered, the pack is offline and likely needs service. This is why a single NTC or a single “hot spot” must not be allowed to trip the whole pack. A better approach is to collect temperature from multiple locations, normalize them to real temperature, and run a simple voting logic before releasing the actuation pulse.
Pack ambient NTC
Represents cabinet / enclosure / vehicle cabin heat. Used to derate charging in hot surroundings.
Power FET NTC
Captures local switching / conduction losses. Often the fastest-rising sensor.
Cell / module shell NTC
Reflects what the cell itself experiences. Good for detecting unbalanced or aging cells.
A practical scheme is: any single sensor ≥ Thard (85°C) → fire; or any two sensors ≥ Tsoft (60°C) → fire. This gives you two types of protection: localized fast overheating, and slower, widely-distributed heating. On top of that, monitoring the temperature rise rate (ΔT/Δt) helps to catch runaways even before reaching the absolute thresholds.
Because NTCs from different vendors have slightly different R–T curves, the voting block should compare normalized temperatures, not raw resistor values. That is, first map each NTC to temperature (via table or segmented linearization), then vote. If this is not possible due to BOM or MCU limits, derate the thresholds (for example, shift Tsoft down by 3–5°C) to absorb curve mismatches.
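The voting block described above, written out as an added example in C (this is not code from the original page). The hard/soft thresholds are the page's 85 °C and 60 °C; the ΔT/Δt limit, the table-based linearization and the three R–T tables are assumptions constructed for illustration, not vendor data. Each sensor is first mapped to degrees through its own table, so sensors from different vendors are compared as temperatures rather than raw ohms, and only then voted:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define N_SENSORS 3
#define TABLE_POINTS 5
#define T_HARD_C 85.0            /* page: any single sensor at/above -> fire */
#define T_SOFT_C 60.0            /* page: any two sensors at/above -> fire  */
#define RATE_LIMIT_C_PER_S 2.0   /* assumed dT/dt trip limit (not from the page) */

typedef struct { double temp_c; double r_ohm; } rt_point_t;
/* R-T table per sensor: ascending temperature, descending resistance. */
typedef struct { rt_point_t pt[TABLE_POINTS]; } ntc_table_t;

typedef enum { TRIP_NONE = 0, TRIP_HARD, TRIP_SOFT, TRIP_RATE } trip_reason_t;

/* Normalize one reading to degrees C by piecewise-linear interpolation;
 * readings outside the table clamp to its end points. */
double ntc_to_celsius(const ntc_table_t *tb, double r_ohm)
{
    if (r_ohm >= tb->pt[0].r_ohm) return tb->pt[0].temp_c;
    for (int i = 1; i < TABLE_POINTS; i++) {
        const rt_point_t *a = &tb->pt[i - 1], *b = &tb->pt[i];
        if (r_ohm >= b->r_ohm) {
            double f = (a->r_ohm - r_ohm) / (a->r_ohm - b->r_ohm);
            return a->temp_c + f * (b->temp_c - a->temp_c);
        }
    }
    return tb->pt[TABLE_POINTS - 1].temp_c;
}

/* Vote over normalized temperatures. prev_temp_c may be NULL on the first sample. */
trip_reason_t thermal_vote(const double temp_c[N_SENSORS],
                           const double prev_temp_c[N_SENSORS], double dt_s)
{
    int soft_count = 0;
    for (size_t i = 0; i < N_SENSORS; i++) {
        if (temp_c[i] >= T_HARD_C) return TRIP_HARD;   /* one local hotspot is enough */
        if (temp_c[i] >= T_SOFT_C) soft_count++;
    }
    if (soft_count >= 2) return TRIP_SOFT;              /* slow, distributed heating */
    if (prev_temp_c != NULL && dt_s > 0.0) {
        for (size_t i = 0; i < N_SENSORS; i++)
            if ((temp_c[i] - prev_temp_c[i]) / dt_s >= RATE_LIMIT_C_PER_S)
                return TRIP_RATE;                       /* runaway before any threshold */
    }
    return TRIP_NONE;
}

/* Raw entry point: every sensor carries its own curve, so mixed vendors are
 * compared in degrees rather than ohms. */
trip_reason_t thermal_vote_raw(const ntc_table_t tables[N_SENSORS],
                               const double r_ohm[N_SENSORS],
                               const double prev_temp_c[N_SENSORS], double dt_s,
                               double temp_out_c[N_SENSORS])
{
    for (size_t i = 0; i < N_SENSORS; i++)
        temp_out_c[i] = ntc_to_celsius(&tables[i], r_ohm[i]);
    return thermal_vote(temp_out_c, prev_temp_c, dt_s);
}

/* Constructed, illustrative tables (not vendor data): two different 10 k
 * curves for pack-ambient and FET, one 100 k curve for the cell shell. */
static const ntc_table_t k_tables[N_SENSORS] = {
    { { {0, 32000}, {25, 10000}, {50, 3600}, {75, 1500}, {100, 680} } },
    { { {0, 28000}, {25, 10000}, {50, 4000}, {75, 1800}, {100, 900} } },
    { { {0, 320000}, {25, 100000}, {50, 36000}, {75, 15000}, {100, 6800} } },
};

/* Pack / FET / shell resistances in, trip decision out (no rate check). */
trip_reason_t vote_mixed_vendors(double r_pack, double r_fet, double r_shell)
{
    double r[N_SENSORS] = { r_pack, r_fet, r_shell }, t[N_SENSORS];
    return thermal_vote_raw(k_tables, r, NULL, 0.0, t);
}

int main(void)
{
    /* Playbook step 2: heat one NTC -> no trip; heat two -> trip. */
    printf("FET alone at 75 C   -> %d\n", vote_mixed_vendors(10000, 1800, 100000));
    printf("FET + shell at 75 C -> %d\n", vote_mixed_vendors(10000, 1800, 15000));
    return 0;
}
```

The first sequence in `main` is the thermal voting test from the validation playbook: one sensor at 75 °C is above Tsoft but alone, so nothing fires; a second sensor crossing Tsoft produces a soft trip. Swapping a sensor for another vendor's part only changes its table, never the thresholds.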
Finally, document in BOM: “Thermal voting must precede fuse/pyro trigger; do not replace with single-NTC overtemp.” This prevents small-batch procurement from back-substituting your safety logic with a cheaper, single-thermistor solution.
Fuse / Pyro / High-Side FET Actuation – How the secondary protection actually disconnects
Chapters 3 and 4 generated trip signals (OV_TRIP, THERMAL_TRIP). This chapter explains how to convert those logic-level trips into real, energy-carrying actions that can disconnect the battery or the charger. In practice, secondary protection uses one of three actuator families: a one-time fuse, a pyrotechnic/squib element, or a recoverable high-side FET path. Each of them has different current, pulse, and confirmation requirements.
One-time fuse
Needs current ≥ fuse rating and time ≥ tfuse. Best for low-cost packs where non-recoverable action is acceptable.
Action confirmation by voltage drop or current sensing.
Pyro / squib
Needs shaped pulse energy, sometimes a short constant-current or constant-voltage interval. Typical in automotive and high-safety designs.
Must verify pulse for each brand or replacement.
High-side FET
Recoverable, good for small-batch or when pyros are not available. Must consider RDS(on), thermal rise, and gate-drive requirements.
Needs a real driver, not a GPIO.
Actuation confirmation
After driving the actuator, the system must verify that disconnection actually happened.
- Measure pack voltage drop after the pulse.
- Sense current through the actuation path (especially for fuses).
- Read back driver status when using automotive pyro/squib drivers.
BOM remark: If the selected protector / BMS IC exposes an ACT/FUSE/OUT pin with ≤50 mA capability, add an automotive-grade high-side switch (VBAT-rated, ≥1 A pulse) as an external actuation stage. Do not replace this stage with a pure MCU GPIO.
Actuation Power, Pulse Shaping & Energy Buffer – Where the pulse comes from
In secondary protection, the real challenge is often not “should we trip” but “can we still supply the energy to trip” because the actuation may happen when the pack voltage is already sagging, the charger is misbehaving, or a hot spot is dropping the rail. This chapter secures the pulse energy in advance and shapes it to the form required by the fuse or pyro device.
1) Pre-charged buffer cap
Dedicated capacitor (or supercap) charged from the pack at a controlled rate. Reserved only for the actuation pulse.
2) Steal from main rail, then lock
Energy comes from 12 V / 5 V system rail but is latched or isolated just before protection, so the pulse is not starved.
3) Dedicated pyro / squib driver IC
Integrated charge pump, energy check, and diagnostics, useful when cross-brand pyro replacement is expected.
What to calculate for each design
At minimum, document these numbers:
- Cbuf – dedicated actuation capacitor
- ESR – must be low enough to keep Ipk
- Vmin – lowest acceptable voltage during pulse
- Ipk – peak current the actuator needs
- tpulse – pulse width needed to melt / fire
Use the stored-energy expression to size the capacitor:
E = 1/2 · C · (V² − Vmin²) → C ≥ 2·Ereq / (V² − Vmin²)
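The sizing formula above, carried through for the five numbers the chapter asks you to document, as an added example in C (not from the original page). Two assumptions are layered on top of the page's formula and are marked in the code: the ESR entry is folded into Vmin (the capacitor itself must stay Ipk·ESR above Vmin so the actuator terminals never fall below it), and a constant-current cross-check (Ipk·tpulse/C ≤ V − Vmin) is run alongside the energy formula, the larger result being the Cbuf to put in the BOM. The numbers in `main` are constructed, not a real actuator datasheet:

```c
#include <math.h>   /* INFINITY and isinf only; no libm call is made */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    double v_charge;  /* buffer cap voltage before the pulse, V */
    double v_min;     /* Vmin: lowest acceptable actuator terminal voltage, V */
    double i_pk;      /* Ipk: peak current the actuator needs, A */
    double t_pulse_s; /* tpulse: time to melt / fire, s */
    double esr_ohm;   /* ESR of the buffer capacitor, ohm */
    double e_req_j;   /* Ereq: pulse energy the actuator needs, J */
} act_spec_t;

/* Assumption: the cap must stay Ipk*ESR above Vmin so the actuator terminals
 * (after the ESR drop) never fall below Vmin during the pulse. */
double v_min_effective(const act_spec_t *s)
{
    return s->v_min + s->i_pk * s->esr_ohm;
}

/* The page's formula, C >= 2*Ereq / (V^2 - Vmin^2), with the ESR-adjusted Vmin. */
double cap_from_energy(const act_spec_t *s)
{
    double vm = v_min_effective(s);
    double denom = s->v_charge * s->v_charge - vm * vm;
    if (denom <= 0.0) return INFINITY;   /* cannot size: V must exceed Vmin + Ipk*ESR */
    return 2.0 * s->e_req_j / denom;
}

/* Assumed cross-check for actuators that draw a constant Ipk: the cap sags by
 * Ipk*tpulse/C, which must not exceed the headroom V - Vmin_eff. */
double cap_from_constant_current(const act_spec_t *s)
{
    double headroom = s->v_charge - v_min_effective(s);
    if (headroom <= 0.0) return INFINITY;
    return s->i_pk * s->t_pulse_s / headroom;
}

/* Cbuf to document: the larger of the two so both conditions hold. */
double min_cap_farad(const act_spec_t *s)
{
    double a = cap_from_energy(s), b = cap_from_constant_current(s);
    return a > b ? a : b;
}

/* Check a chosen standard value against the requirement. */
bool cap_is_sufficient(const act_spec_t *s, double c_chosen_f)
{
    double need = min_cap_farad(s);
    return !isinf(need) && c_chosen_f >= need;
}

int main(void)
{
    /* Constructed numbers: 12 V buffer, 6 V floor, 1.5 A for 2 ms, 100 mohm ESR, 20 mJ. */
    act_spec_t s = { 12.0, 6.0, 1.5, 0.002, 0.1, 0.02 };
    printf("Cbuf >= %.0f uF (energy formula %.0f uF, constant-current check %.0f uF)\n",
           min_cap_farad(&s) * 1e6, cap_from_energy(&s) * 1e6,
           cap_from_constant_current(&s) * 1e6);
    printf("680 uF sufficient: %d, 470 uF sufficient: %d\n",
           cap_is_sufficient(&s, 680e-6), cap_is_sufficient(&s, 470e-6));
    return 0;
}
```

With these constructed numbers the energy formula alone would accept a 470 µF part, while the constant-current check asks for about 513 µF; the more conservative figure is the one to record in the BOM, together with the Vmin and ESR it was derived from.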
Interface to Charger / Main BMS – informing the upper system after a secondary trip
Once the secondary protector has acted (OV trip, thermal voting trip, or combined logic), the system must do three things at the same time: 1) cut the charging/discharging path physically, 2) tell the main BMS that this trip did not come from its own logic, and 3) stop the charger from pushing the bus higher. This section defines those interfaces so that the upper controller does not keep retrying balance/charge operations after the pack has been hard-disconnected.
1) Physical cut
Drive charger EN / Allow-to-Charge / high-side FET so the path is open even if the main BMS is still active.
2) Fault reporting
Open-drain FAULT to the main MCU/AFE or a read-only SMBus/PMBus register bit marked as SEC_TRIP.
3) Stop the charger
Pull down the charger’s enable so it does not continue to push voltage into an already disconnected pack.
In real packs, the main BMS may still be trying to balance cells or to keep the charger in CV mode when the secondary channel has already opened the path. This will show up as a sequence of timeouts. Add a software rule: if SEC_TRIP=1, ignore balance/charge timeouts until manually cleared.
BOM remark: When sourcing from different vendors, the FAULT polarity may be inverted (active-high). Write “active-low fault acceptable; invert on board if active-high device is used.”
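How the main BMS firmware might act on the three interfaces of this section and the SEC_TRIP rule, as an added example in C (this is not code from the original page or from any vendor). The type and function names, the active-high charger EN, the reason codes and the scenario sequences are all assumptions; the FAULT polarity helper covers the active-low/active-high mismatch the BOM remark warns about:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ACT_FUSE = 0, ACT_PYRO, ACT_FET } act_type_t;
typedef enum { BMS_RUN = 0, BMS_SEC_LATCHED, BMS_SERVICE_REQUIRED } bms_state_t;

typedef struct {
    bms_state_t state;
    bool        sec_trip;            /* SEC_TRIP status bit, read-only for the host */
    act_type_t  act_type;            /* which actuator the secondary path fired */
    uint8_t     trip_reason;         /* reason code handed over by the secondary path (assumed) */
    uint32_t    suppressed_timeouts; /* balance/charge timeouts ignored since the trip */
    bool        charger_en;          /* charger EN request; true = allowed (assumed active-high) */
    bool        balance_en;
} bms_ctx_t;

typedef struct {
    bms_state_t final_state;
    uint32_t    suppressed_timeouts;
    bool        bad_clear_accepted;  /* true if a clear that must be refused went through */
} scenario_result_t;

/* Normalize FAULT polarity across vendors: true when the fault is asserted. */
bool fault_asserted(bool pin_level_high, bool device_active_low)
{
    return device_active_low ? !pin_level_high : pin_level_high;
}

void bms_init(bms_ctx_t *c)
{
    c->state = BMS_RUN; c->sec_trip = false; c->act_type = ACT_FET;
    c->trip_reason = 0; c->suppressed_timeouts = 0;
    c->charger_en = true; c->balance_en = true;
}

/* Called when the secondary FAULT line asserts: cut, tag the source, stop the charger. */
void bms_on_secondary_trip(bms_ctx_t *c, act_type_t act, uint8_t reason)
{
    c->sec_trip = true;
    c->act_type = act;
    c->trip_reason = reason;
    c->charger_en = false;   /* pull charger EN so it stops pushing into the open pack */
    c->balance_en = false;
    /* fuse/pyro are one-way: report "service required"; FET latches until the host clears */
    c->state = (act == ACT_FET) ? BMS_SEC_LATCHED : BMS_SERVICE_REQUIRED;
}

/* The charge/balance loop asks whether a timeout is a real error. While
 * SEC_TRIP=1 the answer is no: the path was opened on purpose. */
bool bms_timeout_is_error(bms_ctx_t *c)
{
    if (c->sec_trip) { c->suppressed_timeouts++; return false; }
    return true;
}

/* Host clear request. Only the recoverable FET latch may clear, and only after
 * the secondary FAULT line has released, so the path cannot bounce. */
bool bms_host_clear(bms_ctx_t *c, bool fault_still_asserted)
{
    if (c->state != BMS_SEC_LATCHED || fault_still_asserted) return false;
    c->sec_trip = false; c->state = BMS_RUN;
    c->charger_en = true; c->balance_en = true;
    return true;
}

/* Constructed sequence: FET trip, two timeouts, premature clear, real clear. */
scenario_result_t scenario_fet_trip(void)
{
    bms_ctx_t c; scenario_result_t r; bms_init(&c);
    bms_on_secondary_trip(&c, ACT_FET, 0x01);
    bms_timeout_is_error(&c);                            /* balance timeout: suppressed */
    bms_timeout_is_error(&c);                            /* charge timeout: suppressed  */
    r.bad_clear_accepted = bms_host_clear(&c, true);     /* FAULT still asserted: refused */
    bms_host_clear(&c, false);                           /* FAULT released: clears       */
    r.final_state = c.state; r.suppressed_timeouts = c.suppressed_timeouts;
    return r;
}

/* Constructed sequence: fuse trip, then a clear that must stay refused. */
scenario_result_t scenario_fuse_trip(void)
{
    bms_ctx_t c; scenario_result_t r; bms_init(&c);
    bms_on_secondary_trip(&c, ACT_FUSE, 0x02);
    r.bad_clear_accepted = bms_host_clear(&c, false);    /* irreversible: refused */
    r.final_state = c.state; r.suppressed_timeouts = c.suppressed_timeouts;
    return r;
}

int main(void)
{
    scenario_result_t a = scenario_fet_trip(), b = scenario_fuse_trip();
    printf("FET:  final state %d, suppressed timeouts %u\n", a.final_state, a.suppressed_timeouts);
    printf("Fuse: final state %d (2 = service required)\n", b.final_state);
    return 0;
}
```

The same latch rule serves the fail-safe state defined later for the FET path: the state only returns to run on an explicit host clear, and never while the secondary FAULT line is still asserted, so an over-voltage that has not gone away cannot produce on/off oscillation.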
Small-Batch Procurement & Cross-Brand Alternatives – how to source without breaking the design
For small-batch and prototype packs, the real risk is not in the schematic but in procurement: the automotive-grade device you picked for the secondary channel goes out of stock, and purchasing tries to merge its function back into the main charger IC. This section fixes the function first, then maps it to seven major vendors with real part numbers.
Core 1: Independent OV
Use a monitor that can trip without the main ADC.
Core 2: ≥2 temperature inputs
For thermal voting (pack / FET / shell).
Core 3: Actuator drive
Able to pull current or to drive an external HS switch.
Core 4: Fault out
Open-drain / status register to tell main BMS.
BOM remarks (lock these for purchasing)
- Secondary protector must NOT be merged into main charger IC.
- If device lacks dedicated OV comparator output, add 1pc qualified window comparator.
- If actuator current < required, add automotive high-side switch (VBAT-rated, ≥1 A pulse).
- Industrial-grade allowed for secondary trip circuit; de-rate thermal thresholds by 5–10°C.
- When package changes (SOIC ↔ QFN), use small adapter board or split driver out of main IC.
For NXP / Renesas / onsemi families, re-verify the pulse energy and the fault polarity whenever a new squib/pyro or smart FET is used, because many of them have inverted FAULT or different “OK-to-fire” diagnostics.
Safety / Automotive / Fail-Safe Considerations – the non-negotiables
A secondary protector that can trip but cannot guarantee a safe final state is useless in automotive and lab-cert environments. This chapter hardens the design so that a single-point failure (one NTC open, ADC stuck, MCU bus locked) will not leave the pack charging unsupervised. We do it by duplicating the sensing domain, confirming the actuation domain, and by defining what the system must report after an irreversible action such as fuse or pyro firing.
Dual sensing
At least 2x temp (pack + FET) and 1x hardware OV path that does not depend on the main ADC.
Actuation confirmation
After firing, detect voltage drop / current zero / driver-OK so we know the pack is really isolated.
Fail-safe state
Fuse → irrecoverable → report “service required”; FET → latch until host clears, no bouncing.
PCB segregation
Pulse lines short & wide; sensing lines clean & referenced; do not mix with charger-noisy grounds.
Automotive & layout notes
- Design for -40°C to +125°C so cold-crank conditions can still fire the pyro or drive the high-side FET.
- Pre-charge actuation caps to decouple from supply dips during crank or charger brownouts.
- Keep actuation pulse path short and wide; keep OV and NTC lines away from switching charger ground return.
- Irreversible actions (fuse, pyro) must raise “service required” to the host.
Validation & Test Playbook – proving the secondary path really pulls
This playbook turns the design into repeatable tests for labs, small factories, and external EMS partners. We split validation into four groups—OV trigger, thermal voting, actuation energy, and reporting—then define what must be recorded so that purchasing can still compare parts when you swap vendors or packages.
1) OV trigger test
Ramp VIN, log Vtrip, log Δt to actuation. Repeat at low temp.
2) Thermal voting test
Heat 1 NTC → expect no trip; heat 2 NTCs → expect trip.
3) Actuation energy test
At lowest pack voltage, check Ipk, tpulse, Vdrop.
4) Reporting/integration
After trip, main BMS and charger must both see “secondary trip”.
Record for each test
Use the same fields for every vendor/device so component substitutions stay safe:
- Test ID, condition (VIN, temperature, load)
- Vtrip / Ttrip
- Δt (detection → actuation)
- Iact / tpulse / Vdrop
- Fault / status code reported to main BMS
- BOM remark: “these values must be re-verified when cross-branding actuator or monitor.”
Put the values in the BOM, so purchasing can re-check when they pick TI → ST → onsemi → Microchip for the same secondary function.
Application Examples – three real placements for secondary protection
Below are three scenarios where a secondary, hardware-level protection path is not optional but required by the system context: (1) automotive 12 V / 48 V modules using a black-box main BMS, (2) rack-based ESS modules that must self-isolate and report, and (3) industrial/medical chargers where the external charger cannot be trusted for OV. Each example includes the typical IC choices from the seven brands and the common procurement traps to lock in BOM remarks.
1) Automotive 12V / 48V module (black-box BMS)
Add an independent comparator + thermal voting + pyro/FET so that cold-crank and supplier firmware issues cannot stop the trip.
Use: TI BQ77216 + BQ76200 / ST VNF1048F / NXP MC33797 / onsemi NCV8460A / Microchip MIC5019 / Melexis MLX90614.
Procurement trap: do not buy “diagnostic-only” HS drivers for a path that must actually fire.
2) Rack ESS module (multi-parallel)
A single hot or over-voltage module must self-isolate from the DC bus and tell the rack controller what happened.
Use: TI BQ77216 / TPS2663x, ST VN5E010AH, Renesas RAA271082, Microchip MIC5019, Melexis MLX91208.
Procurement trap: fuse/current ratings must include backfeed from the DC bus, not just the module itself.
3) Industrial / medical charger base
Because the charger can be replaced by an unknown model, the pack must distrust the charger and add a hard OV + FAULT to MCU.
Use: TI BQ77216 + TPS1H100-Q1, ST VNQ5E050AK-E, NXP MC33797, onsemi NCV84160, Microchip MIC5019, Melexis MLX90614.
Procurement trap: write “Secondary protector must NOT be merged into primary charger IC.”
Frequently Asked Questions – Secondary Protector / Fuse Trigger
If the main charger already has OV protection, why add an independent hardware OV?
Because the charger and the main BMS may not share the same trust domain. If the charger is replaced, or the BMS bus is locked, the secondary OV can still trip and drive the actuator.
Can I trigger a pyro directly from a fuel-gauge IC’s alert pin?
Usually no. Fuel-gauge alerts are mA-level. Use a dedicated automotive driver (TI BQ76200, ST VNF1048F, onsemi NCV8460A) to amplify the pulse and confirm the actuation.
How many NTCs are enough for thermal voting in a 4S pack?
Minimum 2 (pack ambient + FET); recommended 3 (add shell/bus using Melexis thermal). Then use 2-out-of-3 or “1 hard + 2 soft” strategy to avoid single-sensor false trips.
What if the actuator pulse is too weak at low battery voltage?
Pre-charge a buffer capacitor dedicated to the pyro/squib, or move to a dedicated pyro driver (NXP MC33797). Record minimum Vpack and pulse energy in the BOM so purchasing can recheck after substitutions.
Can I reuse the main BMS FAULT line for the secondary trip?
Yes, but add a source tag such as SEC_TRIP, so the BMS knows the trip did not come from its own logic. This avoids endless retry/balance attempts.
Is an automotive-grade comparator mandatory for the independent OV path?
For automotive and official lab tests: yes. For industrial and medical small batches you can use industrial-grade but de-rate OV thresholds by 5–10 °C and document this in the BOM.
How to write BOM remarks so purchasing won’t buy a “charger-with-protection” instead?
Add a line: “Secondary protector must remain autonomous and must not be merged into primary charger IC; device must expose FAULT/ACT pin.” This blocks substitutions that remove the independent trip path.
Can I mix TI charger and ST secondary protector in the same pack?
Yes. Just align FAULT polarity (active-low vs active-high) and charger EN polarity. If they differ, invert on board and write the inversion requirement in the BOM.
How to log a secondary trip so field service can see it?
Latch the trip in MCU EEPROM or an SMBus/PMBus read-only register and include the actuation type (fuse/pyro/FET). Service can then tell it was a safety action, not a power glitch.
Can the secondary protector auto-recover instead of blowing a fuse?
Yes, with a high-side FET or smart switch, but latch the state until the host clears it. Do not allow rapid on/off oscillation after an over-voltage or thermal trip.
What is the test order to prove the secondary path to the customer?
Follow the 4-step playbook: 1) OV trigger, 2) thermal voting, 3) actuation at lowest Vpack, 4) reporting to BMS/charger. Record Vtrip, Ttrip, Δt, Iact, Vdrop, fault code.
How to pick between fuse and pyro for small-batch projects?
Fuse: simplest, cheap, good for ESS/industrial, but not recoverable. Pyro or FET: better for automotive and 48 V where the action must be unmistakable; verify pulse energy for each brand.