Reliability and Safety Analysis
advertisement
ECE 477 Digital Systems Senior Design Project Rev 9/12 Homework 11: Reliability and Safety Analysis Team Code Name: ___COST Robot______________________________ Group No. ___7__ Team Member Completing This Homework: ___Bryan Dallas________________ E-mail Address of Team Member: _bdallas____ @ purdue.edu NOTE: This is the third in a series of four “professional component” homework assignments, each of which is to be completed by one team member. The body of the report should be 3-5 pages, not including this cover page, references, attachments or appendices. Evaluation: SEC DESCRIPTION MAX 1.0 Introduction 5 2.0 Reliability Analysis 40 3.0 Failure Mode, Effects, and Criticality Analysis (FMECA) 40 4.0 Summary 5 5.0 List of References 10 TOTAL 100 Comments: Comments from the grader will be inserted here. SCORE ECE 477 Digital Systems Senior Design Project Rev 9/12 1.0 Introduction The COST Robot will traverse a maze and create a digital map of that maze. When it has finished creating a map of the maze, previous user input will be used to direct the robot to visit colored lights throughout the maze in a specified order. At the end of these tasks the robot will be able to hook up to a computer via a USB port and a maze will be transferred to a PC program which will interpret and show the maze to the user. All of these things must work reliably for the robot to be useful to the user. The power supply will be the most critical part, because the robot is mobile if the power circuitry fails the robot will be rendered useless. Along with this the microcontroller and oscillator will become major parts as they allow the robot to run given that power is supplied. Finally, the H-bridge is very important as it allows the robot to move as is necessary for many of the functions the robot performs. Each part of the robot is essential to some kind of task, but these parts will hinder the robot the most from completing the task. Along with this in mind these parts can be the most harmful to the user in a failure, because the robot may move erratically if the motor control is compromised. Also, the power supply is a dangerous part of any design. With the wrong setup or a broken part, high current could flow where it shouldn’t and harm the user, by heat or some other method. 2.0 Reliability Analysis Reliability is an important factor for any product, consumer or otherwise. Reliability can be measured from the reliability of the parts. The parts analyzed below using the MIL-Hdbk-217f [1] are the parts that are most likely to fail. These parts were picked because of the fact they have high complexity to manufacture or because of their high operating temperature. The PIC18F4550 Microcontroller [2] was picked because of its high complexity, with the 44 pins and the fact it is an 8 bit microprocessor. The MIC29150 Low Dropout Regulator [3] and the TI L293 Quadruple Half-H Driver [4] were picked because of their higher operating temperatures. Finally, the CTS CB3 HCMOS/TTL Clock Oscillator [5] was picked not because of complexity nor operating temperature, but because oscillators are commonly accepted as sources of failure. PIC18F4550 Microcontroller [2] Model Equation: 𝛌𝑷 = (𝑪𝟏 𝝅𝑻 + 𝑪𝟐 𝝅𝑬)𝝅𝑸 𝝅𝑳 Parameter name Description Value -1- Comments ECE 477 Digital Systems Senior Design Project C1 Die complexity failure rate .14 πT Temperature factor .98 C2 Package failure rate .016676 πE Environment factor 4 πQ Quality factor 10 πL Learning factor 1 λP Failure rate per 10^6 2.039032 hours Mean Time To Failure 490428.7917 MTTF Rev 9/12 Based on the MIL-Hdbk217f [1] for 8 bit microcontrollers Assuming a worst case junction temperature of 85C based on worst operating temp of microcontroller Based on equation from MIL-Hnbk-217f page 5-14 [1] for SMT with 44 pins Handbooks value for mobile devices Assumed from the notes that this is the value to use, most likely the value is too large Number used for devices older than 2 years in production Approximately 55 years to a failure for one device MIC29150 Low Dropout Regulator [3] Model Equation: 𝛌𝑷 = (𝑪𝟏 𝝅𝑻 + 𝑪𝟐 𝝅𝑬)𝝅𝑸 𝝅𝑳 Parameter name Description Value Comments C1 Die complexity failure rate .01 πT Temperature factor 58 C2 Package failure rate .00092 πE Environment factor 4 πQ Quality factor 10 Based on the MIL-Hdbk217f [1] for devices with 100 or less bipolar transistors Assuming a worst case junction temperature of 125C based on worst junction temp of the regulator Based on equation from MIL-Hnbk-217f page 5-14 [1] for SMT with 3 pins Handbooks value for mobile devices Assumed from the notes that this is the value to use, most likely the value is too large -2- ECE 477 Digital Systems Senior Design Project πL Learning factor λP Failure rate per 10^6 5.8368 hours Mean Time To Failure 171326.7544 MTTF 1 Rev 9/12 Number used for devices older than 2 years in production Approximately 19.5 years to a failure for one device TI L293 Quadruple Half-H Driver [4] Model Equation: 𝛌𝑷 = (𝑪𝟏 𝝅𝑻 + 𝑪𝟐 𝝅𝑬)𝝅𝑸 𝝅𝑳 Parameter name Description Value Comments C1 Die complexity failure rate .01 πT Temperature factor 58 C2 Package failure rate .0056 πE Environment factor 4 πQ Quality factor 10 πL Learning factor 1 Based on the MIL-Hdbk217f [1] for devices with 100 or less bipolar transistors Assuming a worst case junction temperature of 125C based on worst estimated junction temp of the H-bridge Based on equation from MIL-Hnbk-217f page 5-14 [1] for SMT with 16 pins Handbooks value for mobile devices Assumed from the notes that this is the value to use, most likely the value is too large Number used for devices older than 2 years in production λP Failure rate per 10^6 6.024 hours Mean Time To Failure 166002.656 MTTF Approximately 19 years to a failure for one device CTS CB3 HCMOS/TTL Clock Oscillator [5] Model Equation: 𝛌𝑷 = 𝛌𝒃 ∗ 𝝅𝑸 ∗ 𝝅𝑬 Parameter name Description Value Comments λb Base failure rate .027 πQ Quality factor 2.1 Based on the MIL-Hdbk217f [1] for devices with 20 MHz frequency Based on devices with a -3- ECE 477 Digital Systems Senior Design Project πE Environment factor λP Failure rate per 10^6 .567 hours Mean Time To Failure 1763668.43 MTTF 10 Rev 9/12 non MIL-SPEC Handbooks value for mobile devices Based on a quartz oscillator calculation Approximately 201 years to a failure for one device The overall system of this project is reliable. All of the parts have a reliability within the same scale of 10^-6 failures per hour. Also, the system will not be a highly bought solution; therefore a slightly higher failure rate is acceptable. The best way to improve reliability of the design would be to buy military parts, which would reduce each by a factor of 5. This could be an acceptable increase in price because the niche for the market of this product is so small, so someone buying this would be willing to pay more. 3.0 Failure Mode, Effects, and Criticality Analysis (FMECA) This design was analyzed with two criticality levels, low and high. The low criticality level is anything that will disrupt the complete operation of the robot without possible harm to the user. The high criticality level is anything that could possibly harm the user. In the low criticality level category problems such as no LEDs, or no power would be problems. Examples of high criticality problems are overcharge of the battery, or overheating of the voltage regulator. For the low criticality problems < 10-6 would be an acceptable occurrence. For high criticality problems the preference would be to keep the rate below 10-9 because it could be damaging to the user. Some of the failure modes were assuming the user could access the parts and could burn or harm themselves by touching them. 4.0 Summary The design seen in this report could have a better failure rate and this could be decreased by using higher quality parts. The robot has many ways in which it could potentially fail. Some of these ways could be potentially harmful to the user. Safety is essential to any design and as such the design above was analyzed to give the ability to lower the likelihood of problems occurring. Using the data above, the ways in which the design can fail are able to be seen and in this way -4- ECE 477 Digital Systems Senior Design Project Rev 9/12 the robot can be redesigned some to lower the likelihood of them happening. The robot would be designed to reduce the likelihood of the high criticality modes down to 10-9 or less because they could be harmful to the user. The lower criticality modes would be designed for 10-6 or less because they would not be harmful to the user. Altogether from this analysis it can be seen the most possibilities of failure come first from the power supply, then the microcontroller, then the H-bridge. In redesigning the robot, these sections would have more safety checks in effect. -5- ECE 477 Digital Systems Senior Design Project Rev 9/12 5.0 List of References [1] Military Handbook Reliability Prediction of Electronic Equipment, 217F ed., Dept. of Defense, Washington D.C., 1991. [2] Microchip, “28/40/44-Pin, High-Performance, Enhanced Flash, USB Microcontrollers with nanoWatt Technology,” PIC18F2455/2550/4455/4550 datasheet, Oct. 2005. [3] Micrel, “High-Current Low-Dropout Regulators,” MIC29150/29300/29500/29750 datasheet, Dec. 2012. [4] Texas Instruments, “Quadruple Half-H Drivers,” L293(D) datasheet, Sep. 1986 [Revised Nov. 2004]. [5] CTS, “HCMOS/TTL Clock Oscillator,” CB3(LV) datasheet. IMPORTANT: One of these should be MIL-HDBK-217F. Relevant component data sheets should also be included. Use standard IEEE format for references, and CITE ALL REFERENCES listed in the body of your report. Any URLs cited should be “hot” links. -6- ECE 477 Digital Systems Senior Design Project -7- Rev 9/12 ECE 477 Digital Systems Senior Design Project Appendix A: Schematic Functional Blocks Figure 1 - Microcontroller Subsection -8- Spring 2009 ECE 477 Digital Systems Senior Design Project Figure 2 – Fuel Gauge Subsection -9- Spring 2009 ECE 477 Digital Systems Senior Design Project Figure 3 – User I/O LEDs -10- Spring 2009 ECE 477 Digital Systems Senior Design Project Figure 4 – User I/O Input Buttons -11- Spring 2009 ECE 477 Digital Systems Senior Design Project Figure 5 – User I/O Reset Button -12- Spring 2009 ECE 477 Digital Systems Senior Design Project Figure 6 – Power Subsection -13- Spring 2009 ECE 477 Digital Systems Senior Design Project Figure 7 – Motor Controller Subsection -14- Spring 2009 ECE 477 Digital Systems Senior Design Project Spring 2009 Appendix B: FMECA Worksheet Sub-blocks A- Microcontroller B- Fuel Gauge C- User I/O D- Power E- Motor controller Failure No. A1 Failure Mode Possible Causes Pin output stuck at ‘1’ Over voltage to the microchip A2 Pin output stuck at ‘0’ Under voltage to microchip, microchip “burned” out A3 Failure of A/D channel(s) Chip defect, software malfunction, bad reference lines, noisy power lines B1 Battery reading discharging to quickly Rsense shorted, Cf shorted Failure Effects Method of Detection Observation – Inspect pins, overheated Hbridge Short circuit in Hbridge, LEDs always off, invalid USB communication LEDs stuck on, Observation – fuel gauge does All LEDs stuck not turn on, on, probing pins unable to control motors Erratic movement Observation – of the robot Robot does not move through the maze correctly Misinformation to Observation – the user about the battery indicator battery state drops quickly -15- Criticality Remarks High This assumes that multiple pins are stuck at ‘1’ Low This could be 1 or more pins stuck at ‘0’ High Low ECE 477 Digital Systems Senior Design Project Spring 2009 Observation – robot is not running Low Observation – Battery discharges at an slower rate than reality Observation – Microcontroller stops working, probing the resistors Observations – button presses are erratic Low No information to user Observation – LEDs don’t work Low Short to battery, no power to circuit Kills the battery quickly by drawing to much current High B2 Battery reading not discharging Rsense open circuited Thinks the battery is not discharging, no power to board B3 Battery discharging at too slow a rate Cf open circuited, R16/R17 open circuited Misinformation to user about the battery state C1 Microcontoller stops working R(7-12) or R14/15 short circuits Robots stops running C2 User input fails R13/14/15 open circuits User buttons are floating C3 LEDs don’t turn on R(7-12) open circuits D1 No power to circuit Cout_reg, Cpow5d, Cin_reg, Cinbulk, Cdpowin short circuited, linear regulator dead -16- Low Low This assumes the micro will stop working from too much current to the micro from the I/O ECE 477 Digital Systems Senior Design Project Spring 2009 D2 5V Power rail > 5V Linear regulator failed Damage to components on PCB Observation – regulator too hot, smoke High D3 5V Power rail < 5V Linear regulator failed Robot doesn’t work Observation – smell or probing circuit High D4 7.4 V Power rail > 7.4 V Overcharging/Failure of battery Damage to all components Observation – bloated battery/battery leakage, etc. High D5 7.4 V Power rail < 7.4 V Battery level too low, battery “died” Robot will not turn on, or is unstable Observation – Robot does not work Low E1 Erractic behavior of output pins of digital isolator Decoupling capacitors shorted Unable to control robot Observation – Robot will move erratically High E2 No output to motors Digital isolators failed, H-bridge failed, Cd(1/2)_iso(1/2) open circuited Motors will not run Observation – robot does not move Low It is not necessary to calculate the probability of each failure mode. These numbers would usually be taken from the reliability analysis, but since you are not performing a complete analysis, they do not need to be included in your FMECA worksheet. -17-
