Case study

Thermal Runaway and Cooling Failure Case Study

Case study of a thermal runaway and cooling failure in an electronics and battery-adjacent system, covering heat generation, cooling degradation, sensor evidence, derating, protection, failure modes, and validation lessons.

Branch: Mechanical Engineering
Content: Case study
Updated: Jun 20, 2026
Revision: v1.0.0 · reviewed

This case study follows a realistic cooling failure in a compact power-electronics assembly installed near a battery energy storage subsystem. The event is not tied to a specific manufacturer or incident. It is useful because the failure chain combines heat generation, degraded airflow, sensor placement, derating logic, thermal interface assumptions, and protection timing.

The case shows why thermal runaway and cooling failure should be treated as system problems. A component can overheat because heat generation rises, cooling capacity falls, controls respond too slowly, sensors observe the wrong node, or operators continue operation after margin is gone. The dangerous condition is not only high temperature; it is uncontrolled positive feedback between heat, resistance, losses, and degraded cooling.

Case Summary

Item	Engineering relevance
System	Enclosed power-electronics controller supporting a battery-adjacent auxiliary system.
Normal function	Convert and control electrical power while rejecting heat through a forced-air heat sink.
Failure trigger	Progressive filter blockage and fan-speed degradation.
Hidden weakness	Temperature sensor measured enclosure air, not the limiting semiconductor junction path.
Escalation	Higher junction temperature increased losses and accelerated thermal rise.
Consequence	Protective shutdown occurred late, after solder-joint and interface damage risk increased.
Main lesson	Thermal protection must observe the controlling heat path, not only the convenient temperature.

The central engineering question is:

Why did a system with a fan, temperature sensor, and shutdown threshold still reach a damaging thermal state?

The answer is that the protection architecture did not match the failure mode.

Initial Design Assumption

The design review assumed that the power module dissipated $3.2\ \text{kW}$ during worst continuous operation. Heat left the module through a base plate, thermal interface material, external heat sink, and forced airflow.

The simplified thermal path was:

semiconductor junction
  -> package and base plate
  -> thermal interface material
  -> heat sink
  -> forced air
  -> enclosure outlet

The design team measured enclosure outlet air temperature during validation. They assumed that outlet air temperature would detect cooling degradation before the junction became unsafe. That assumption was only partly true. Outlet air temperature detected bulk heat removal, but it did not directly measure interface degradation, blocked fin channels, local recirculation, or junction-to-case rise.

Thermal Resistance Screen

The nominal thermal model used:

Segment	Thermal resistance
Junction to case	$0.055^\circ\text{C/W}$
Case to sink interface	$0.018^\circ\text{C/W}$
Heat sink to air	$0.028^\circ\text{C/W}$

Total nominal resistance:

R_{\theta,total}=0.055+0.018+0.028=0.101^\circ\text{C/W}

At $3.2\ \text{kW}$ heat generation:

\Delta T=P R_{\theta,total}=3200(0.101)=323^\circ\text{C}

This number is obviously too large for one module path if all $3.2\ \text{kW}$ were concentrated at one junction. The detailed design actually distributed heat across several parallel devices and heat-spreading paths. The simplified screen exposes the first lesson: aggregate heat load cannot be applied blindly to a single local resistance chain.

The useful local model must allocate loss per device group. For one device group dissipating $420\ \text{W}$ :

\Delta T_{local}=420(0.101)=42.4^\circ\text{C}

At $45^\circ\text{C}$ heat-sink inlet air, nominal junction temperature is:

T_j=45+42.4=87.4^\circ\text{C}

This appears safe relative to a $125^\circ\text{C}$ limit.

Degraded Cooling Condition

After months of operation, dust partially blocks the inlet filter and fan speed falls below nominal because of bearing wear. The effective heat-sink-to-air resistance for the local device group increases from:

0.028^\circ\text{C/W}

to:

0.075^\circ\text{C/W}

Updated local resistance:

R_{\theta,degraded}=0.055+0.018+0.075=0.148^\circ\text{C/W}

At the same $420\ \text{W}$ loss:

T_j=45+420(0.148)=107.2^\circ\text{C}

The device is still below the absolute limit, but margin is much smaller. If power loss rises with temperature, the final temperature can be higher than this fixed-loss estimate.

Positive Feedback

In power electronics, temperature can increase losses. Resistance, leakage current, switching behavior, diode recovery, magnetic loss, and control timing may all shift with temperature. Suppose local device loss increases by $0.45\%$ per degree Celsius above the nominal validation point.

Nominal validation point:

T_{j,nom}=87.4^\circ\text{C}

Degraded fixed-loss estimate:

T_{j,deg}=107.2^\circ\text{C}

Temperature increase:

\Delta T=107.2-87.4=19.8^\circ\text{C}

Estimated loss increase:

f_P=1+0.0045(19.8)=1.089

Updated loss:

P_{new}=420(1.089)=457\ \text{W}

Updated junction estimate:

T_j=45+457(0.148)=112.6^\circ\text{C}

The system remains below $125^\circ\text{C}$ in this simplified calculation, but the margin has fallen sharply. If ambient rises, fan speed drops further, or interface resistance increases, the design can cross the limit quickly.

Sensor Placement Problem

The installed temperature sensor measures enclosure outlet air. During the event, outlet air temperature rises from $55^\circ\text{C}$ to $68^\circ\text{C}$ . The shutdown threshold is $80^\circ\text{C}$ , so the controller keeps operating.

The limiting junction is not at $68^\circ\text{C}$ . It is estimated above $110^\circ\text{C}$ and rising. The outlet-air sensor sees the result of heat removal after mixing. It does not see local junction-to-case rise, local fin blockage, degraded interface material, or a hot spot behind a cable obstruction.

The failure mode is therefore not “no temperature sensor.” The failure mode is “sensor does not observe the controlling thermal node.”

Late Derating

The controller derates output power only when enclosure outlet air exceeds $75^\circ\text{C}$ . During the failure, the junction margin is already low while outlet air is still below the derating threshold.

A better derating structure would use multiple inputs:

heat-sink base temperature;
inlet air temperature;
fan speed or airflow proxy;
power-stage current and switching loss estimate;
calculated junction estimate;
rate of temperature rise;
filter differential pressure where available.

Derating should begin when the model predicts junction margin loss, not only when bulk air becomes hot.

Interface Degradation

Post-event inspection finds uneven thermal interface material near one power module. The likely mechanism is repeated thermal cycling and mounting-pressure variation. If case-to-sink resistance increases from:

0.018^\circ\text{C/W}

to:

0.045^\circ\text{C/W}

while degraded heat-sink-to-air resistance remains $0.075^\circ\text{C/W}$ , total local resistance becomes:

R_{\theta,fault}=0.055+0.045+0.075=0.175^\circ\text{C/W}

At $457\ \text{W}$ :

T_j=45+457(0.175)=125.0^\circ\text{C}

The model now reaches the nominal junction limit. The event is no longer a comfort-margin issue; it is a limit violation.

Failure Chain

The engineering failure chain is:

filter blockage and fan degradation
  -> higher sink-to-air resistance
  -> higher junction temperature
  -> increased electrical loss and thermal cycling
  -> interface degradation and local hot spot
  -> junction temperature approaches limit
  -> enclosure-air sensor under-represents local risk
  -> derating starts too late
  -> protective shutdown occurs after damage risk increases

No single item fully explains the event. The system failed because cooling, sensing, derating, and validation were not aligned with the controlling thermal path.

Protection Review

After the event, the team revises thermal protection:

add heat-sink base temperature sensing near the power module;
add fan-speed feedback and low-flow alarm;
lower derating threshold when inlet air is high;
estimate junction temperature from power loss and measured base temperature;
add rate-of-rise alarm;
define maintenance trigger for filter pressure drop or fan current change;
lock out restart after thermal shutdown until inspection clears the cause;
repeat thermal validation with blocked-filter and reduced-fan cases.

The new protection is based on thermal path evidence, not only enclosure air.

Validation Gap

Original validation tested:

nominal full load;
maximum ambient;
fan operating normally;
clean filter;
outlet-air temperature;
no repeated reassembly of thermal interface.

It did not test:

blocked filter;
fan-speed degradation;
partial recirculation;
local heat-sink base temperature;
degraded thermal interface;
combined high ambient and reduced airflow;
restart after thermal shutdown;
sustained operation near derating threshold.

The validation plan proved the nominal design, not the degraded thermal protection.

Corrective Test Matrix

The corrective validation matrix includes:

Test	Evidence required
Clean-filter full load	Junction estimate and heat-sink temperature below limit.
50 percent blocked filter	Derating begins before junction margin is consumed.
Fan low-speed fault	Alarm and load reduction occur before thermal limit.
High ambient plus full load	Product follows derating curve without oscillation.
Thermal interface reassembly	Temperature repeatability remains inside tolerance.
Restart after trip	Controller blocks restart until cooling state is acceptable.
Sensor disagreement	System enters conservative derating or inspection state.
Long-duration soak	No drift in base temperature, fan speed, or outlet-air trend.

The strongest test is not the one that recreates the exact event. The strongest test validates the protective logic over credible degraded states.

Transfer Lessons

Several lessons transfer to thermal systems beyond electronics:

Measure the controlling thermal node or estimate it from validated nearby measurements.
Bulk outlet temperature can hide local hot spots.
Degraded cooling must be part of validation, not only maintenance documentation.
Thermal interface assumptions need assembly control and repeatability evidence.
Derating should respond to predicted margin loss, not only late temperature thresholds.
Positive feedback between temperature and losses can erase margin faster than fixed-loss models suggest.
Restart logic after thermal shutdown is part of safety and reliability.

The case also shows why thermal management belongs in failure-mode review. Cooling is not an accessory to electrical performance. It determines whether the electrical system remains inside its safe operating area.

Common Mistakes

A common mistake is installing a temperature sensor where it is easy to place rather than where it can detect the limiting failure mode. A convenient sensor can be useful for trending but weak for protection.

Another mistake is validating only clean, nominal cooling. Filters clog, fans age, pumps degrade, fins foul, hoses kink, thermal interface materials age, and enclosures are installed near other heat sources.

A deeper mistake is assuming that thermal shutdown alone protects reliability. A shutdown threshold may prevent catastrophic failure while still allowing repeated operation at temperatures that damage solder joints, interfaces, insulation, electrolytic capacitors, semiconductors, or seals.

Thermal runaway and cooling failure are controlled by evidence: heat generation, heat path, sensor location, derating logic, degraded-operation tests, and maintenance triggers must all agree.

REF

Disciplines