1 ECE 495 – Integrated System Design I: Designing for Safety. Timothy Burg
Career Note: You are Expected to Improve Your Skills as Part of Your Job
Document that you have added to your skills:
– May be used in evaluations by your current employer
– Use to market your skills to a new employer
It may be difficult to prove a skill on your resume; many people are skeptical of self-learning. Possible options:
– Certifications
– Licensing
– University courses
– Conference attendance
– Short courses and workshops

Career Note: You are Expected to Improve Your Skills as Part of Your Job
Certification (by a vendor or an independent testing agency):
– The Novell Certified Engineer Enterprise Services (NCE ES) certification shows that you have acquired and can demonstrate engineer-level skills in product expertise.
– National Rural Electric Cooperative Association Loss Control Professional Certification
Licensing:
– FE Exam -> PE Exam
– Some companies pay more for a PE
– A PE is required to work on certain types of projects such as public works
– Requirements for the PE may increase later (??), e.g. require an MS degree
Enrollment in graduate school:
– Business classes
– Technical classes

Career Note: You are Expected to Improve Your Skills as Part of Your Job
Conferences:
– American Control Conference: ~1000 participants discussing new control theories and applications
[Figure: schedule for day 1 of a 3-day conference; each block represents six 20-minute presentations.]

Career Note: You are Expected to Improve Your Skills as Part of Your Job
Short courses sponsored by universities, companies, societies (e.g. IEEE):
– Sold for profit, e.g. Georgia Tech Professional Education (1 week, $1500)

Career Note: You are Expected to Improve Your Skills as Part of Your Job
Companies vary in philosophy and policies:
– Some pay for some activities like a workshop.
– Some will give you time for personal development.
Bottom line: when you interview, ask questions about professional development. YOU need to develop your skills even if the company doesn't support you.
Example – Ford Cruise Control Recall
– Cruise control regulates the speed of the car.
– Stepping on the brake (or clutch) pedal deactivates cruise control.
– Redundant signals to the controller: brake pressure switch (SCDS), brake position switch, clutch position switch.
[Figure: approximate electrical connection – +12V, 20A fuse, brake pressure switch (SCDS), brake position switch, clutch position switch, cruise control unit; drawing of the brake pedal and brake cylinder with the three switches.]

Example – Ford Cruise Control Recall
Pressure switch opens when the driver applies the brake: hydraulic pressure rises when the brake pedal is pushed, the snap disk switch toggles position, and the electrical contact opens.

Example – Ford Cruise Control Recall
Ford has a specification for the durability of the switch. This is a continuous duty rating that should well encompass a lifetime of heavy use.
– Module: Speed Control Deactivation Switch (SCDS)
– Inputs: 0–150 psi hydraulic fluid
– Outputs: normally-closed switch, 0.25 A, 20 V
– Functionality: last the life of the car
Imagine how this would appear in a functional decomposition: f400(*) -> x -> SCDS -> y -> f401(*).

Example – Ford Cruise Control Recall
Pressure switch leaks earlier than predicted – hydraulic fluid leaks into the dry electrical area and deposits conducting "dendrites".
[Figure: switch cross-section showing the plastic (insulator), the conductor to 12V car ground, the switch at 12V potential above car ground, and the conducting deposits.]

Example – Ford Cruise Control Recall
X-ray of a new switch (left) and the switch after a short (right): deposit and damage from over-current.
[Figure: modified approximate electrical connection – +12V, 20A fuse, brake pressure switch (SCDS), cruise control unit; up to 20A can flow before the fuse is triggered.]

Example – Ford Cruise Control Recall
Test vehicle where the switch caused a fire. A large current could overheat the switch and lead to vehicle fires.

Example – Ford Cruise Control Recall
Result: one of the ten largest recalls of all time
– Ordered by the National Highway Traffic Safety Administration (NHTSA)
– Total vehicles recalled: 10.4 million
– Total complaints: 1,472 (65 fires, 1 death)
– Cost:
– Cost of in-house investigation – unknown
– Cost of notification (certified letters) ≈ $12.3 million
– Cost of 1st dealer visit (2 hr @ $50/hr) = $205 million
– Cost of 2nd dealer visit (2 hr) = $205 million
– Cost of re-engineering and producing the part – unknown
– Cost of the re-engineered part @ $21/part = $86.2 million
– Total cost (real costs) ≈ $508.5 million
14 Generic Design Process
[Figure: Identify Need -> Research -> Specifications -> Concepts -> Design -> Prototype -> Testing -> Manufacture -> Distribute and Sell -> Use by Customer(s) -> Maintain -> Retire]
Safety is part of the design: look ahead to the product lifecycle and find possibilities for failures and the effects of these failures. Optimize the design to make the system as safe as possible.
Lesson: there are technical, professional, business, legal, and ethical elements that dictate a safe design.

15 Outline
– Definitions – vocabulary to talk about "Safety"
– Why worry about safety?
– Specific design approaches for electrical circuits
– Risk analysis – DFMEA tool
– Conclusion

16 SAFETY VOCABULARY
[Photo: lightning strikes near the Space Shuttle]
17 Definition 1: Hazard
Any substance, condition or circumstance that is capable of causing harm to human health, property, or the environment. Four general categories of hazards:
– Physical hazards – heights, electricity, gears, high temperature, radiation, stored energy (e.g. springs)
– Chemical hazards – all chemicals can be hazardous
– Biological hazards – bacteria, fungus, virus, or oxygen deficiency
– Ergonomic hazards – repetitive motions (e.g. data entry), lifting

18 Definition 2: Effects (or Consequences) of a Hazard
The potential harm to:
– Human health (or death) – can cause cancer, birth defects, lung damage, liver problems, loss of limb, shock, burn, etc.
– Property – may result in fire, contamination, corrosion, cessation of production, etc.
– The environment – deterioration of the air, land or sea; emissions from controlled sources.

19 Example: Effects (or Consequences) of Electrical Hazards
– Shocks – a person can become part of the circuit and the current passes through their body.
– Electrocution – if a large enough current passes through the body, death can result.
– Burns – the current can produce heat in the body and cause burns.
– Fires – a short-circuit current may cause enough heat to build up to start a fire in surrounding flammable or combustible materials. An arc can occur which can reach temperatures of thousands of degrees.
20 Definition 3: Risk (or Failure) Probability
The likelihood of a specified undesired event occurring within a specified period or in specified circumstances. It may be expressed as a frequency or as a probability. MIL-HDBK-217 (US military standard) is one source of models for electronic components. Resistor model:
λ_p = λ_b · π_T · π_P · π_S · π_Q · π_E   (failures per 10^6 hours)
– λ_b – base failure rate by resistor type (use table): wire wound (e.g. 0.0024), fixed composition film (e.g. 0.0037)
– π_T – temperature factor (use table)
– π_P – power factor (use table)
– π_S – power stress factor (use table)
– π_Q – quality factor (use table)
– π_E – environment factor (use table)
This is often difficult!

21 Definition 4: Risk
Risk ~ Effects × Exposures × Risk Probability
– Effects – can be expressed as dollars or number of injuries
– Exposures – number of times or amount of time the system is used
– Risk Probability – likelihood of an event

22 Example: Distinction between Risk and Hazard
A rattlesnake is a poisonous snake whose bite can have severe effects. The rattlesnake is a hazard because it can do harm. This hazard is an inherent property of rattlesnakes. If you are in a small room with a live rattlesnake, there is a high probability that you will get bitten:
Risk = Exposure × Effect × Probability -> High risk
The same rattlesnake confined to a cage is the same rattlesnake as before and still has the same hazard; the hazard is an inherent property of the snake and it hasn't been changed by putting it in a cage. However, the risk of being bitten by the snake is very low because the hazard is being controlled:
Risk = 0 × Effect × Probability -> Low risk
Hazard control is about finding an effective control to reduce the risk. Design to reduce exposure.

23 Example: We Make Decisions About Risk in Our Daily Lives
Activity | Possible hazard | Effect | Probability / Risk*
Picnic (food in basket) | Spoiled food | Illness | High
Picnic (food kept in cooler) | Spoiled food | Illness | Low
Mountain climbing (no safety equipment) | Height | Fall – injury or death | High
Mountain climbing (safety rope) | Height | Fall – injury or death | Low
Walking outdoors | Getting hit by a falling satellite | Injury or death | Almost zero
* Assuming number of exposures = 1 for a one-time activity.
You make a decision to participate by weighing the effects and the risks. We will formalize this approach for making decisions about a design.
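The three definitions above chain together: a part failure rate from a handbook model, a probability of failure over a service period, and then Risk ~ Effects × Exposures × Risk Probability. The Python below is an added example, not part of the slides; the two base failure rates are the slide's examples, while the π-factor values, the 10-year service life, the dollar "effects" and the exponential (constant hazard rate) conversion from rate to probability are constructed assumptions made for the example, and all function names are its own.

```python
import math

# Added example, not from the slides: (1) MIL-HDBK-217-style resistor failure rate,
# (2) failure rate -> probability of failure over a service period,
# (3) Risk ~ Effects x Exposures x Risk Probability, used to rank hazards.
# The pi-factor values, dollar figures and service life below are CONSTRUCTED
# assumptions; the real pi factors come from handbook tables not reproduced on the slide.


def resistor_failure_rate(lambda_b, pi_t, pi_p, pi_s, pi_q, pi_e):
    """lambda_p = lambda_b * pi_T * pi_P * pi_S * pi_Q * pi_E, in failures per 10^6 hours."""
    return lambda_b * pi_t * pi_p * pi_s * pi_q * pi_e


def probability_of_failure(lambda_p, hours):
    """Probability of at least one failure within `hours`, for lambda_p in failures per 10^6 h.

    Assumes a constant hazard rate (exponential life model), so P = 1 - exp(-lambda * t).
    That model choice is an assumption of this example; the slide only says the likelihood
    may be expressed as a frequency or as a probability.
    """
    return 1.0 - math.exp(-(lambda_p / 1e6) * hours)


def risk(effect, exposures, probability):
    """Definition 4 on the slide: Risk ~ Effects x Exposures x Risk Probability."""
    return effect * exposures * probability


def rank_hazards(hazards):
    """Score {"name", "effect", "exposures", "probability"} dicts, highest risk first.

    Sorting by risk lets a design review spend its effort where it matters most.
    """
    scored = [(h["name"], risk(h["effect"], h["exposures"], h["probability"])) for h in hazards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed assumptions: pi factors, a 10-year service life, effects in dollars.
PI_FACTORS = dict(pi_t=1.3, pi_p=0.9, pi_s=1.1, pi_q=3.0, pi_e=2.0)
SERVICE_HOURS = 10 * 365 * 24

LAMBDA_WIRE_WOUND = resistor_failure_rate(0.0024, **PI_FACTORS)  # slide's example base rate
LAMBDA_FILM = resistor_failure_rate(0.0037, **PI_FACTORS)        # slide's example base rate

HAZARDS = [
    # Same hazard (rattlesnake bite), different exposure: the caged snake has zero exposures.
    {"name": "rattlesnake loose in room", "effect": 50_000, "exposures": 1, "probability": 0.9},
    {"name": "rattlesnake in cage", "effect": 50_000, "exposures": 0, "probability": 0.9},
    # Same effect, different failure probability from the two resistor types.
    {"name": "wire-wound resistor fails in 10 years", "effect": 2_000, "exposures": 1,
     "probability": probability_of_failure(LAMBDA_WIRE_WOUND, SERVICE_HOURS)},
    {"name": "film resistor fails in 10 years", "effect": 2_000, "exposures": 1,
     "probability": probability_of_failure(LAMBDA_FILM, SERVICE_HOURS)},
]

if __name__ == "__main__":
    for name, r in rank_hazards(HAZARDS):
        print(f"{r:12.4f}  {name}")
```

The caged snake ranks last with a risk of exactly zero even though its effect and bite probability are unchanged, which is the slide's point about controlling exposure; the two resistors differ only in the probability term that the handbook model supplies.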
24 Definition 5: Accident
Unexpected or unintentional event; a manifestation of a hazard.
[Figure: Hazard -> (Effects, Exposure, Risk Probability) -> Risk -> Accident]

25 Definition 6: Safety
– Safety is the practical certainty that harm will not occur.
– Safety is the state of being free from danger, risk or injury in the workplace, the environment, and as a consumer.
– Safety is the attempt to control all of the hazards (minimize risk) so that an accident does not occur.

26 Example: Is 99.9% Safe, Safe Enough?
99.9% reliable -> 1 defect per thousand units:
– 18 airplane crashes per day
– 17,660 pieces of mail lost per day
– 10 babies dropped in delivery per day
– $24.8 million to/from wrong bank accounts every hour
– 500 incorrect operations per week
Would you consider this risk acceptable? Is 99.9999% safe enough? 1 in a million would suggest 10 events for the speed control on the 10 million Ford cars.

27 Safety – How Safe? Acceptable Risks
– Zero risk is impossible to achieve (unless the hazard is eliminated).
– Risk can be reduced but there is always a residual risk.
– The question is whether the residual risk is the same as an "acceptable risk".
Special note of caution: there is no general consensus on "acceptable risk". No product should be designed or a process operated that will knowingly result in death or injury.
28 CONSIDERATIONS IN DESIGNING FOR SAFETY – WHY WORRY ABOUT SAFETY?

29 Business: Economic Costs of Accidents – The Iceberg Effect (example of an industrial accident)
Direct costs (the tip of the iceberg, $1.00):
– Medical costs
– Indemnity payments
Indirect costs (below the waterline):
– Lost time by: the injured, fellow workers, supervisor
– Damaged product
– Unhappy customers
– Time schedule delays
– Training a new employee
– Overhead costs
– Legal fees
– Increase in insurance costs
Indirect or hidden costs are often more than $30 – $50 for each $1 of direct costs.

30 Business: Image Costs of Recalls
Number of product recalls by the responsible agency in 2003:
– FDA (food, drugs, medical devices, cosmetics): 4,628
– National Highway Traffic Safety Administration (NHTSA) (vehicles, tires, child-safety seats): 529
– Consumer Product Safety Commission (CPSC) (everyday products from clothes to coffeemakers): 280
– Department of Agriculture (meat, poultry, egg products, etc.): 68
– EPA (pesticides, car-emission systems): 32
– Coast Guard (boats and boating equipment): 36

31 Legal: Safety Laws and Regulations
– OSHA (the Occupational Safety and Health Act, 1970). OSHA is in the Department of Labor and the OSHA regulations are found in: General Industry, 29 CFR 1910; Construction, 29 CFR 1926.
– EPA – the U.S. Environmental Protection Agency (1970). The regulations are found in 40 CFR 261 (Identification and listing of hazardous wastes).
– CPSC – Consumer Product Safety Commission: 16 CFR 1115.

32 Ethical: Moral Obligation to Protect People
Most people would agree that they don't want to harm others. Engineers should not design a product or operate a process that will knowingly result in loss of life or injury.

33 Professional: IEEE Code of Electrical Engineers
"We, the members of the IEEE, in recognition of the importance of our technologies in affecting the quality of life throughout the world… agree: to accept responsibility in making decisions consistent with the safety, health and welfare of the public and to disclose promptly factors that might endanger the public or the environment."

34 Customer Expectations: Often Benefits from the Safety Analysis Process
– Improved designs – increase in reliability, quality and safety
– Cost savings – decrease in development time, warranty costs and waste
35 DESIGNING FOR SAFETY – SPECIFIC ELECTRICAL CONSIDERATIONS

36 Electrical Protection – Protective Devices
Limit or stop the flow of current automatically in the event of:
– a ground fault
– overload
– short circuit in the wiring system
– switching transients
Provide a safe current route.

37 Device: Ground
Grounding devices provide a safe path if a fault occurs.

38 Device: Fuses and Circuit Breakers
Goal is to disconnect the power source in the event of "too much" current.
– Slow acting – allows for inrush currents: slow blow / time lag / time delay fuses (I²t rating)
– Fast acting – trips on maximum current
– Very fast acting – trips on maximum current within a 2 millisecond time frame to protect power semiconductors

39 Device: Ground Fault Circuit Interrupter (GFCI)
– GFCIs can cut the current in 1/40 of a second and at less than 5 milliamps.
– Compares hot and neutral wire currents; if they are not equal then the current is going somewhere it shouldn't.
– The GFCI is designed to protect people from severe or fatal electric shocks.
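The GFCI comparison on the slide can be modelled with a few lines of code. The Python below is an added example, not from the slides: it subtracts the neutral current from the hot current sample by sample, opens the circuit once the imbalance exceeds the slide's 5 mA figure, and checks the reaction time against the slide's 1/40 s. The sample stream is constructed, the three-sample confirmation window is an assumption introduced here to show why a single noisy sample should not trip the device, and a real GFCI senses the difference with a differential current transformer rather than by arithmetic on two measured currents; all names are the example's own.

```python
import math

# Added example, not from the slides. Constants come from the slide; the sample
# waveform and the confirmation window are constructed assumptions.
TRIP_THRESHOLD_A = 0.005      # 5 mA imbalance, from the slide
MAX_TRIP_TIME_S = 1.0 / 40.0  # 1/40 s reaction time, from the slide


def imbalance(hot_a, neutral_a):
    """Current that left on the hot conductor but did not come back on the neutral."""
    return abs(hot_a - neutral_a)


def gfci_trip_index(samples, threshold_a=TRIP_THRESHOLD_A, confirm_samples=3):
    """Index of the sample at which the interrupter opens, or None if it never trips.

    `samples` is a sequence of (hot_current_a, neutral_current_a) pairs. The device trips
    once `confirm_samples` consecutive samples exceed the threshold (assumed debounce, so
    one noisy sample does not cause a nuisance trip).
    """
    run = 0
    for i, (hot, neutral) in enumerate(samples):
        run = run + 1 if imbalance(hot, neutral) > threshold_a else 0
        if run >= confirm_samples:
            return i
    return None


def trips_within_limit(trip_index, fault_index, sample_period_s, limit_s=MAX_TRIP_TIME_S):
    """True when the interrupter opened no later than `limit_s` after the fault began."""
    if trip_index is None:
        return False
    return (trip_index - fault_index) * sample_period_s <= limit_s


def make_samples(fault_index, leak_a, n_samples, sample_period_s, load_a=2.0, mains_hz=60.0):
    """Constructed waveform: a 2 A load on 60 Hz mains; from `fault_index` onward, `leak_a`
    of the hot current returns through ground (a person or a fault path) instead of the neutral."""
    samples = []
    for i in range(n_samples):
        t = i * sample_period_s
        hot = load_a * math.sin(2 * math.pi * mains_hz * t)
        leak = leak_a if i >= fault_index else 0.0
        samples.append((hot, hot - leak))
    return samples


def simulate(leak_a, fault_index=10, n_samples=100, sample_period_s=0.001):
    """Run one fault scenario and return (trip_index, tripped_within_1/40_s)."""
    samples = make_samples(fault_index, leak_a, n_samples, sample_period_s)
    idx = gfci_trip_index(samples)
    return idx, trips_within_limit(idx, fault_index, sample_period_s)


if __name__ == "__main__":
    print("6 mA leak:", simulate(0.006))  # trips two samples after the fault, within 1/40 s
    print("3 mA leak:", simulate(0.003))  # below threshold: no trip
```

With a 1 ms sample period the 6 mA fault trips at the third faulted sample (2 ms after onset), well inside the 1/40 s limit, while a 3 mA leak never trips because the imbalance stays under the threshold.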
40 Device: Arc Fault Circuit Interrupter (AFCI)
Protects against fires caused by arc faults.
– An arc may have a temperature of 35,000 ºF.
– AFCIs are required in homes beginning in 2008 by the National Electric Code (NEC).
– Uses the current signature to determine an arc fault.

41 Device: Thermal Sensing
Stops current when the temperature of the device exceeds a specific value. One-shot cutoffs are designed to protect against over-heating.

42 Device: Polarized Cable Plugs
[Figure: with the switch off, a plug inserted the wrong way leaves voltage between the internal circuit and ground; a polarized AC plug prevents this situation, so there is no voltage between the internal circuit and ground.]

43 Device: Interlocks
System is de-energized by the opening of doors or panels.

44 Labels: Signs, Tags and Placards, Instructions, Lockouts
OSHA 29 CFR 1910.145 Signs and Tags.
[Figure: radiation hazard and biological hazard symbols]

45 Other Standards, Rules of Thumb, Conventions to Increase Safety
– Battery-operated tools removed the 110 volt hazard and its associated harm.
– Double insulation: an insulation system comprised of basic insulation and supplementary insulation. Generally, if equipment is double insulated, it does not need to be earthed.

46 Other Standards, Rules of Thumb, Conventions to Increase Safety
– Insulation (appropriate for environment and use)
– Guarding (adequate barriers so that electrical hazards are not readily accessible, such as cabinets, elevation, etc.)
– Proper size wiring (especially for extension cords)
– Proper materials (aluminum connections can oxidize and create fires)
– Follow codes for electricity in hazardous environments (such as flammable liquids and wet environments)
– Isolation transformers

47 Other Standards, Rules of Thumb, Conventions to Increase Safety
Redundancy – use multiple components that perform the same task.
[Figure: 120 V supply with a thermal switch in the line; one could use 2 similar switches.]
Probability that a switch closes or opens as requested = 0.99.
Two switches in series:
– P(continuity) = P(S1 closes) · P(S2 closes) = 0.99 · 0.99 = 0.9801
– P(open) = 1 – [1 – P(S1 opens)] · [1 – P(S2 opens)] = 1 – [1 – 0.99] · [1 – 0.99] = 0.9999
Two switches in parallel:
– P(continuity) = 1 – [1 – P(S1 closes)] · [1 – P(S2 closes)] = 1 – [1 – 0.99] · [1 – 0.99] = 0.9999
– P(open) = P(S1 opens) · P(S2 opens) = 0.99 · 0.99 = 0.9801
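The two-switch arithmetic above generalizes to any number of components and to k-of-n voting, and the arrangement that is "safer" depends on which action the protective function relies on. The Python below is an added example, not from the slides; the per-switch probability 0.99 is the slide's figure, the generalization to n components and to k-of-n voting goes beyond the slide, and the function names are the example's own.

```python
from math import comb

# Added example, not from the slides: the slide's two-switch probabilities generalised to
# n components and to k-of-n voting, plus the choice of arrangement for a safety function.


def series_success(p, n):
    """All n elements must act; each acts independently with probability p."""
    return p ** n


def parallel_success(p, n):
    """Any one of n elements acting is enough."""
    return 1.0 - (1.0 - p) ** n


def k_of_n_success(p, k, n):
    """At least k of n independent elements act (voting redundancy): k=1 is parallel, k=n is series."""
    return sum(comb(n, i) * p ** i * (1.0 - p) ** (n - i) for i in range(k, n + 1))


def two_switch_arrangements(p):
    """The slide's two cases for two identical switches that each close or open as requested
    with probability p. Continuity needs every series switch closed (series law) but only one
    parallel switch closed (parallel law); opening the circuit is the mirror image."""
    return {
        "series":   {"continuity": series_success(p, 2),   "open_on_demand": parallel_success(p, 2)},
        "parallel": {"continuity": parallel_success(p, 2), "open_on_demand": series_success(p, 2)},
    }


def safer_arrangement(p, protective_action):
    """Pick series or parallel depending on which action the safety function depends on.

    A thermal cutoff protects by OPENING, so two cutoffs in series are the safer choice
    (0.9999 vs 0.9801 for p = 0.99); a function that protects by CLOSING a path wants
    the parallel arrangement. The price is paid on the other figure of merit.
    """
    if protective_action not in ("open", "close"):
        raise ValueError("protective_action must be 'open' or 'close'")
    arrangements = two_switch_arrangements(p)
    key = "open_on_demand" if protective_action == "open" else "continuity"
    return max(arrangements, key=lambda name: arrangements[name][key])


if __name__ == "__main__":
    for name, figures in two_switch_arrangements(0.99).items():
        print(f"{name:9} continuity={figures['continuity']:.4f} open_on_demand={figures['open_on_demand']:.4f}")
    print("thermal cutoff (protects by opening):", safer_arrangement(0.99, "open"))
    print("2-of-3 voting, p=0.99:", round(k_of_n_success(0.99, 2, 3), 6))
```

Redundancy only helps the failure direction it was chosen for: two thermal switches in series raise the chance the circuit opens when it should but lower the chance the product works at all, so the design decision starts from which failure is the hazard.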
48 AN APPROACH TO MANAGING HAZARDS – DESIGN FAILURE MODES EFFECTS ANALYSIS (DFMEA)

49 Risk Management and Accident Prevention
Primary goal: no harm occurs when a system fails. How is this systematically accomplished in the design process?
– Failure analysis tools

50 Design Failure Modes and Effects Analysis (DFMEA)
Bottom-up approach: failures -> effects. Developed by the US military in 1949.
Procedure:
– Start with a block diagram
– Create a table that pairs failures with effects and an evaluation of the effects
– Make adjustments to reduce risks
Documentation of this activity is usually required.

51 Risk Assessment Procedure
– Prepare a detailed block diagram of the proposed system or process
– List all hazards
– Accident possibilities & scenarios
– Accident probability and accident consequences -> table: risk (estimation)
– Is the risk for all hazards acceptable? No -> modify the design and repeat; Yes -> construct and/or operate the system or process

52 DFMEA Table
Columns: Description of component or subsystem | Failure mode (hazard) | Symptom | Effect | Probability of failure (A – E) | Severity of effect (I – IV) | Risk index (severity-probability)
– One row for each component or subsystem
– One row for each hazard

53 Risk Assessment Matrix – Probability Definitions (Hazard Probability Levels)
Description | Level | Individual item | Fleet or inventory
Frequent | A | Likely to occur | Continuously experienced
Probable | B | Will occur several times in the life of the item | Will occur frequently
Occasional | C | Likely to occur sometime in the life of the item | Will occur several times
Remote | D | Unlikely, but possible to occur in the life of the item | Unlikely but reasonably possible to occur
Improbable | E | So unlikely that it can be assumed occurrence may not be experienced | Unlikely to occur but possible

54 Risk Assessment Matrix – Severity Categories (Hazard Severity Categories)
Category | Definition
Catastrophic (I) | Death or permanent injury. Loss of major system or equipment. Major property damage. Severe environmental damage.
Critical (II) | Extensive damage to equipment or systems. Severe injuries. Significant damage to property or the environment.
Marginal (III) | Minor damage to equipment or systems, property, or the environment. Injury or illness.
Negligible (IV) | Little or no adverse impact. First aid or minor medical treatment. Slight equipment or system damage but fully functional and serviceable. Little or no property or environmental damage.

55 Sample DFMEA Approach
– Describe components
– Identify realistic failure modes
– Determine symptoms of each mode
– Determine effects of each mode
– Determine probability of an occurrence, e.g. A, B, C, D, E
– Assess injury potential, e.g. I, II, III, IV
– Determine risk index
– Decide what action is necessary

56 Risk Assessment Matrix – tool for categorizing the risk index
Likelihood (rows) against severity (columns: I Catastrophic, II Critical, III Marginal, IV Negligible):
A Very probable | I-A | II-A | III-A | IV-A
B Probable | I-B | II-B | III-B | IV-B
C Occasional | I-C | II-C | III-C | IV-C
D Remote | I-D | II-D | III-D | IV-D
E Improbable | I-E | II-E | III-E | IV-E
[Figure: the cells are shaded into four bands: HIGH, SERIOUS, MEDIUM, LOW.]

57 DFMEA Example: Power Supply
[Block diagram: 120 VAC -> cord and plug -> transformer -> rectifier -> capacitor -> regulator -> 12 VDC]
58 DFMEA Power Supply
Component | Failure mode (hazard) | Symptom | Effect | Probability | Severity | Risk index
Cord / wall plug | Plug broken / bent | No power output | May have exposed energized metal | C | IV | IV-C
Cord / wall plug | Cord frayed / weakened | Cord endpoints visible despite insulation | May have exposed energized metal; short circuit / fire possible | C | IV | IV-C
Cord / wall plug | Input over voltage | Output over voltage; possible internal circuit failure | Power spike; plug connected to wrong connector | A | II | II-A
Cord / wall plug | Input transients when connecting | Output transients | May cause undesired output voltage waveform | B | II | II-B

59 DFMEA Power Supply
Component | Failure mode (hazard) | Symptom | Effect | Probability | Severity | Risk index
Transformer | Metal core overheats / over current | Device produces excessive heat | May cause insulation failure / fire | C | IV | IV-C
Transformer | Insulation failure | Susceptible to overheating / may have exposed metal | Unsafe when energized; short circuit / fire possible | C | IV | IV-C
Transformer | Interference from external magnetic field | Output may have AC component | May damage any device connected | A | II | II-A

60 DFMEA Power Supply
Component | Failure mode (hazard) | Symptom | Effect | Probability | Severity | Risk index
Rectifier / capacitor | Circuit component failure | No power output; possible half-wave output (output is AC) | May damage connected equipment | C | II | II-C
Rectifier / capacitor | Short circuit | Output pins connected together | May cause transformer failure or power system fuse to fail | C | III | III-C
Voltage regulator | Diode failure | Voltage at output higher than expected | Damage to connected device, e.g. cell phone or iPod | C | II | II-C

61 Risk Indices for Power Supply
[Figure: the risk assessment matrix (likelihood A – E against severity I – IV, bands HIGH / SERIOUS / MEDIUM / LOW) with the power supply entries plotted: IV-C, II-A, II-B, II-C, III-C.]
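The DFMEA table, the probability and severity scales, the severity-probability risk index and the matrix banding above are mechanical enough to encode, which also guards against a mistyped code quietly landing in a low-risk cell. The Python below is an added example, not part of the slides: the scales, the index convention and the power-supply rows (symptom and effect text shortened) come from the slides, while the assignment of matrix cells to the HIGH / SERIOUS / MEDIUM / LOW bands is an assumption made for the example, because the transcript names the bands but does not show which cell falls in which band; the class and function names are the example's own.

```python
from collections import Counter
from dataclasses import dataclass

# Added example, not from the slides. Scales, index convention and rows come from the slides;
# the RISK_BANDS mapping is an ASSUMPTION (the slide shades the matrix but the transcript does
# not show which cell is in which band). Replace it with the matrix adopted for a project.

PROBABILITY_LEVELS = {"A": "Frequent", "B": "Probable", "C": "Occasional",
                      "D": "Remote", "E": "Improbable"}
SEVERITY_CATEGORIES = {"I": "Catastrophic", "II": "Critical", "III": "Marginal", "IV": "Negligible"}

RISK_BANDS = {  # assumed, severity-weighted banding of the 20 matrix cells
    "HIGH":    {"I-A", "I-B", "I-C", "II-A", "II-B"},
    "SERIOUS": {"I-D", "II-C", "III-A", "III-B"},
    "MEDIUM":  {"I-E", "II-D", "II-E", "III-C", "III-D", "IV-A", "IV-B"},
    "LOW":     {"III-E", "IV-C", "IV-D", "IV-E"},
}


@dataclass(frozen=True)
class DfmeaRow:
    component: str
    failure_mode: str
    symptom: str
    effect: str
    probability: str  # A-E
    severity: str     # I-IV

    def __post_init__(self):
        # Reject codes outside the two scales so a typo cannot silently land in a LOW cell.
        if self.probability not in PROBABILITY_LEVELS:
            raise ValueError(f"unknown probability level {self.probability!r}")
        if self.severity not in SEVERITY_CATEGORIES:
            raise ValueError(f"unknown severity category {self.severity!r}")

    @property
    def risk_index(self):
        """Slide convention: severity then probability, e.g. 'IV-C'."""
        return f"{self.severity}-{self.probability}"


def risk_band(index):
    """Look a risk index up in the matrix bands."""
    for band, cells in RISK_BANDS.items():
        if index in cells:
            return band
    raise ValueError(f"risk index {index!r} is not in the matrix")


def band_counts(rows):
    """How many rows fall in each band: a one-glance summary of the analysis."""
    return Counter(risk_band(r.risk_index) for r in rows)


def needs_action(rows, acceptable=("LOW", "MEDIUM")):
    """Rows whose band is not acceptable: the 'No' branch of the slide's risk-assessment loop."""
    return [r for r in rows if risk_band(r.risk_index) not in acceptable]


# The power-supply rows from the slides (symptom/effect text shortened).
POWER_SUPPLY = [
    DfmeaRow("Cord / wall plug", "Plug broken / bent", "No power output",
             "May have exposed energized metal", "C", "IV"),
    DfmeaRow("Cord / wall plug", "Cord frayed / weakened", "Cord endpoints visible despite insulation",
             "Exposed energized metal; short circuit / fire possible", "C", "IV"),
    DfmeaRow("Cord / wall plug", "Input over voltage", "Output over voltage; possible internal failure",
             "Power spike; plug connected to wrong connector", "A", "II"),
    DfmeaRow("Cord / wall plug", "Input transients when connecting", "Output transients",
             "Undesired output voltage waveform", "B", "II"),
    DfmeaRow("Transformer", "Metal core overheats / over current", "Excessive heat",
             "May cause insulation failure / fire", "C", "IV"),
    DfmeaRow("Transformer", "Insulation failure", "Overheating / exposed metal",
             "Unsafe when energized; short circuit / fire possible", "C", "IV"),
    DfmeaRow("Transformer", "Interference from external magnetic field", "Output may have AC component",
             "May damage any connected device", "A", "II"),
    DfmeaRow("Rectifier / capacitor", "Circuit component failure", "No power or half-wave (AC) output",
             "May damage connected equipment", "C", "II"),
    DfmeaRow("Rectifier / capacitor", "Short circuit", "Output pins connected together",
             "Transformer failure or power system fuse fails", "C", "III"),
    DfmeaRow("Voltage regulator", "Diode failure", "Output voltage higher than expected",
             "Damage to connected device", "C", "II"),
]

if __name__ == "__main__":
    for row in POWER_SUPPLY:
        print(f"{row.risk_index:6} {risk_band(row.risk_index):8} {row.component}: {row.failure_mode}")
    print(dict(band_counts(POWER_SUPPLY)))
    print("rows needing design action:", len(needs_action(POWER_SUPPLY)))
```

Under the assumed banding the five rows rated severity II at probabilities A, B or C come back from needs_action, which is the list the slide's "Modify design" loop would work through; changing the band mapping or the acceptable set changes that list, so both belong in the documented record of the analysis.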
62 Limitations of Safety Analysis
– Frequently, human errors and hostile environments are overlooked.
– If the system is at all complex, the process can be extraordinarily tedious and time consuming.
– Failure probabilities can be hard to obtain; obtaining, interpreting, and applying those data to unique or high-stress systems introduces uncertainty which itself may be hard to evaluate.
– It is not possible to predict all failure modes.

63 Must Consider Life of Product
Must consider all phases of operation. Product life (Life 1, Life 2, 50 years):
– Use
– Manufacture
– Distribution. Life example: doors with windows were stacked so that the window holes aligned, and a stevedore fell through the hole when walking over them. Alternate the door stacking to eliminate the big hole.
– Disposal

64 Conclusion
Definitions:
– Hazard – something that could cause harm
– Effect – amount and type of harm
– Accident – an incident has happened
– Exposures – number of uses
– Risk Probability – likelihood the hazard will occur
– Risk ~ Effect × Exposures × Probability
Reasons to consider safety:
– Business (economic)
– Legal
– Ethical
– Professional
– Customer expectations
DFMEA is one approach to systematically analyze a system for risk.

65 Relevant Organizations
– MIL-Spec – Military Specification
– NEMA – National Electrical Manufacturers Association
– NFPA – National Fire Protection Association
– NEC 1999 – National Electrical Code
– FAA – Federal Aviation Administration
– UL – Underwriters Laboratories

66 FMEA Example: Pressure Cooker
[Figure: pressure cooker. Source: Middendorf, Design of Devices and Systems]

67 FMEA Example: Pressure Cooker
Component | Failure mode (hazard) | Symptom | Effect | Probability | Severity | Risk index
Pressure gauge | False high reading | Needle stuck; high reading with lid off | Dinner undercooked; food poisoning | | |
Pressure gauge | False low reading | Needle stuck; clogged inlet | Dinner overcooked; open cooker -> explosion | | |
Thermostat switch | Open | No heat production | Food not cooked; food poisoning | | |
Thermostat switch | Closed | Continuous heating; food burned | Safety valve protects (potential explosion) | | |

68 FMEA Example: Pressure Cooker
Component | Failure mode (hazard) | Symptom | Effect | Probability | Severity | Risk index
Safety valve | Open | Broken spring; continuous release of steam | Steam burns | | |
Safety valve | Closed | Clogged | Temperature control protects (potential explosion) | | |
Safety valve | Leaks | Continuous release of steam | Steam burns | | |
Lid clamp | Fractured or thread stripped | Hard to turn screws | Explosive pressure release | | |
(Probability, severity and risk index are not filled in on these slides.)

69 Another Design Challenge?
[Figure: electronic throttle control – gas pedal with a cable and an electronic sensor, computer, electronic throttle control, throttle valve in the air intake.]
Electronic interference???