ECE 477 Digital Systems Senior Design Project Spring 2008
Homework 11: Reliability and Safety Analysis
Due: Friday, April 4, at NOON
Team Code Name: Touch 2 Order Group No. 13
Team Member Completing This Homework: Anvesh Dasari
e-mail Address of Team Member: adasari @ purdue.edu
1.0 Introduction
The ‘Touch 2 Order’ device is designed exclusively for restaurants: the user can order food from the comfort of the table through a touch-screen menu and pay for it using an RFID card. After the transaction is done, the order is sent wirelessly to the server in the kitchenette through a built-in ZigBee wireless interface.
The main functional blocks of the device are the power supply, the microcontroller and the battery circuit. Issues with the microcontroller may arise during the software stages. The blocks that may give rise to safety and reliability issues once the product is finished are the power supply and the battery circuit. A failure in the power supply may damage components of the device, which is less critical, but some failures in the battery circuit may be highly critical, causing harm to the user.
2.0 Reliability Analysis
We chose three components, one from each of the three main functional blocks of our design: the microcontroller, the MAX 1651 from the power supply block, and the MAX 1660 from the battery circuit block. All of these components are considered MOS devices according to the military handbook [1], so assumptions were made accordingly when calculating the number of failures per 10⁶ hours and the mean time to failure (MTTF).
According to the military handbook, the number of failures per 10⁶ hours for the microcontroller can be calculated using the formula given in [1]. From the data sheet of the microcontroller, the average junction temperature TJ was found to be 85 °C [2]. Based on this value and the corresponding results in the military handbook, all the values needed in the formula were found. Since the component is a MOS device, the die complexity failure rate is C1 = 0.28, and since it is surface mounted with 80 pins, the package failure rate is C2 = 0.032 [1], [2]. The environment was assumed to be GB, which gave an environment factor of 2. From the class B-1 category the quality factor was found to be 2, and the learning factor was taken as 1. For microcircuits the temperature factor is 7 at 85 °C [1]. Substituting all the values into the equation gave λp = 4.048 failures / 10⁶ hours and a mean time to failure (MTTF) of 676.7 years.
Component / C1 / C2 / / / / / λp (Failures/10⁶ hours) / MTTF (years)
Microcontroller / 0.28 / 0.032 / 2 / 2 / 1 / 7 / 4.048 / 676.7
Table 2.1 Calculation of lp and MTTF for Microcontroller
Similarly, the formula used for the microcontroller can also be used for the MAX 1660 (battery monitor) and the MAX 1651 (3.3 V DC-DC voltage regulator), as they can also be considered MOS devices [3], [4]. Since the datasheets of these components did not give enough information on the average junction temperature, it was assumed to be 85 °C, which is just above the maximum operating temperature. Assuming factors similar to the microcontroller's for these two components, the learning factor, quality factor, temperature factor and environment factor were found from the military handbook to be 1, 2, 0.98, and 2 respectively [1]. For MOS devices with between 1 and 100 gates, the die complexity failure rate is C1 = 0.0025. The only value that differs between these two components is the package failure rate C2, since they differ in the number of pins. The MAX 1660 and MAX 1651 have 16 and 8 pins respectively, which gives C2 = 0.0056 for the former and C2 = 0.0026 for the latter [1], [3], [4]. Substituting all the values and calculating the number of failures per 10⁶ hours and the MTTF gave the following results: for the MAX 1660, λp = 0.0273 failures / 10⁶ hours and MTTF = 36.6e6; for the MAX 1651, λp = 0.0153 failures / 10⁶ hours and MTTF = 65.359e6.
Component / C1 / C2 / / / / / λp (Failures/10⁶ hours) / MTTF (years)
MAX 1660 / 0.0025 / 0.0056 / 2 / 2 / 0.98 / 1 / 0.0273 / 100.273e3
MAX 1651 / 0.0025 / 0.0026 / 2 / 2 / 0.98 / 1 / 0.0153 / 179.065e3
The values calculated above for the three components show that the rate of failure is very low, so there may not be any major design changes or analysis refinements that would realistically improve the reliability of the design. Since the major cause of failure is the operating temperature, which may gradually increase the rate of failure, modifications can be made to control the temperature of these components so that it does not reach the junction temperature. One such consideration is adding a fan to allow heat dissipation from the devices.
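The calculation in this section can be reproduced as follows. This is an added example, not part of the original report: it assumes the MIL-HDBK-217F microcircuit model λp = (C1·πT + C2·πE)·πQ·πL with MTTF = 10⁶/λp hours, and uses the handbook's Arrhenius temperature factor with activation energies chosen only because they reproduce the report's temperature factors at 85 °C, to show the effect of a cooler junction.

```python
import math

K_BOLTZMANN_EV = 8.617e-5  # Boltzmann constant in eV/K

def lambda_p(c1, c2, pi_t, pi_e, pi_q, pi_l):
    """Predicted failures per 10^6 hours: (C1*piT + C2*piE) * piQ * piL."""
    return (c1 * pi_t + c2 * pi_e) * pi_q * pi_l

def mttf_hours(lam):
    """Mean time to failure in hours for a rate given per 10^6 hours."""
    return 1e6 / lam

def temperature_factor(tj_celsius, ea_ev):
    """Arrhenius temperature factor referenced to 25 C (298 K)."""
    return 0.1 * math.exp(
        -ea_ev / K_BOLTZMANN_EV * (1.0 / (tj_celsius + 273.0) - 1.0 / 298.0))

# Factors exactly as stated in Section 2.0 of this report.
PARTS = {
    "Microcontroller": dict(c1=0.28, c2=0.032, pi_t=7.0, pi_e=2, pi_q=2, pi_l=1),
    "MAX 1660": dict(c1=0.0025, c2=0.0056, pi_t=0.98, pi_e=2, pi_q=2, pi_l=1),
    "MAX 1651": dict(c1=0.0025, c2=0.0026, pi_t=0.98, pi_e=2, pi_q=2, pi_l=1),
}

# Assumption: activation energies picked because they reproduce the report's
# temperature factors at 85 C (0.65 eV gives about 7, 0.35 eV gives about 0.98).
ASSUMED_EA = {"Microcontroller": 0.65, "MAX 1660": 0.35, "MAX 1651": 0.35}

def report_rates():
    """lambda_p for each part, using the factors stated in the report."""
    return {name: lambda_p(**f) for name, f in PARTS.items()}

def rate_at_temperature(name, tj_celsius):
    """Recompute lambda_p with piT derived for another junction temperature."""
    f = dict(PARTS[name], pi_t=temperature_factor(tj_celsius, ASSUMED_EA[name]))
    return lambda_p(**f)

if __name__ == "__main__":
    for name, lam in report_rates().items():
        cooler = rate_at_temperature(name, 60)
        print(f"{name}: lambda_p={lam:.4f}/1e6 h, "
              f"MTTF={mttf_hours(lam):.4g} h, "
              f"lambda_p at 60 C={cooler:.4f}/1e6 h")
```
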
3.0 Failure Mode, Effects, and Criticality Analysis (FMECA)
The ‘Touch 2 Order’ device has 3 main functional blocks: the power supply circuit, the microcontroller, and the battery charger and monitor circuit. Each block has its share of failure modes, effects and criticality levels. For our design, the criticality level is high if the failure involves any injury to the user, with a rate of λp 10⁻⁹, and low if it involves damage to components, inconvenience to the user or signal loss, with a failure rate 10⁻⁹ λp < 10⁻³.
3.1 Power Supply Circuit
As shown in Appendix A, the power supply functional block consists of the DC-DC voltage regulators MAX 1649 and MAX 1651, which give outputs of 5 V and 3.3 V respectively [3], [4]. Four failure modes may occur in this functional block. The first is no output voltage, which can be caused by the failure of a component of the device or by an external short. This failure mode may lead to a total device failure. It is a low criticality failure mode, as there is no injury to the user. Two further failure modes are the output voltage exceeding 3.3 V or 5 V. Since the microcontroller, the XBee Pro wireless transceiver and the LCD work with an operating voltage of 3.3 V, a voltage increase may damage these components. A possible cause is the failure of the MAX 1651, which generates the 3.3 V output. Similarly, a failure of the MAX 1649 may lead to an output voltage of more than 5 V, causing damage to the RFID reader. These are low criticality, as only damage to components is involved. Finally, the output voltage may go out of tolerance when there is a failure in the DC-DC voltage regulators or a short in the bypass capacitors, and the effects of this may be unpredictable. This failure mode is high criticality, as it may produce excessive heat dissipation with the potential for injury to the user. All of the above failure modes are observable from the operation of the device.
3.2 Microcontroller
Another functional block shown in Appendix A is the microcontroller, which involves minor failure modes in which communication with the components connected to it is lost. Three major components are connected to the microcontroller: the XBee Pro wireless transceiver, the LCD touch screen and the RFID reader. The failure modes are therefore a lost connection with the host server, a blank LCD screen, and data not being retrieved from the RFID reader. The possible cause of these failures is damage to the microcontroller or an error in the software involving the respective components, so that there is no transfer between the microcontroller and the respective components. These failures may be detected by mere observation and are low criticality.
3.3 Battery Circuit
The final important functional block of the ‘T2O’ is the battery charger and monitor circuit, which includes the MAX 712, the chip for the battery charging circuit, and the MAX 1660, the chip for the battery monitoring circuit. Three failure modes were identified in this functional block. The first is that the charge level of the battery is not detected correctly, which is caused by a failure in the MAX 1660. The second is that the batteries might not get charged, caused by a failure of the MAX 712 or MAX 1660 or by dead batteries. When this happens, the device cannot work without the external power supply. These two failure modes are low criticality. The final failure mode is high criticality, with a potential for causing injury to the user: a failure in the MAX 712 or MAX 1660 may overcharge the batteries, leading to leakage or explosion of the batteries, which is dangerous. It may harm not only the user but also all the other components of the device.
4.0 Summary
The main functional blocks of the ‘Touch 2 Order’ are the power supply circuit, the microcontroller and the battery charging circuit. A component from each of the main functional blocks was selected, and their failure rates and mean times to failure were calculated. The assumptions made in calculating those values, and the considerations and modifications that may improve the reliability, are given in detail in the report. The failure modes, their causes, their effects and their criticality levels are discussed. Although almost all the failure modes were low criticality, a couple of high criticality failures were identified that could potentially injure the user, such as the leakage or explosion of batteries.
List of References
[1] Military Handbook, Reliability Prediction of Electronic Equipment, Department of Defense, 2 January 1990.
http://cobweb.ecn.purdue.edu/~dsml/ece477/Homework/CommonRefs/Mil-Hdbk-217F.pdf
[2] Freescale 16-bit Microcontroller Data sheet
http://www.freescale.com/files/microcontrollers/doc/data_sheet/MC9S12E128V1.pdf?fpsp=1
[3] DC-DC voltage regulator MAX 1651 Data sheet
http://cobweb.ecn.purdue.edu/~477grp13/docs/max1649-max1651.pdf
[4] Battery Fuel Gauge MAX 1660 Data sheet
http://cobweb.ecn.purdue.edu/~477grp13/docs/max1660.pdf
Appendix A: Schematic Functional Blocks
Figure A-1 Power Supply Schematic
Figure A-2 Microcontroller Schematic
Figure A-3 Battery Charger Schematic
Figure A-4 Battery Monitor Schematic
Appendix B: FMECA Worksheet
A1 / Output = 0V / Caused by a failure of any component within functional block or external short / Total Device Failure / Observation / Low
A2 / Output > 3.3 V / Failure of a MAX 1651 / Potential damage to XBee Pro, Microcontroller / Observation / Low
A3 / Output > 5V / Failure of MAX 1649 / Potential damage to RFID reader / Observation / Low
A4 / Output out of tolerance / Failure of MAX 1649, 1651 or passive components such as capacitors / Out of spec operating voltage; unpredictable / Observation / High
Table B-1 FMECA Worksheet for Power Supply Circuit
Failure No. / Failure Mode / Possible Cause / Failure Effects / Method of Detection / Criticality / Remarks
B1 / Data not retrieved from RFID reader / Failure of microcontroller or error in software / Data cannot be sent to the micro from the RFID reader / Observation / Low
B2 / Blank LCD screen / Failure of microcontroller or error in software / Data cannot be sent to the LCD screen / Observation / Low
B3 / No connection with the kitchen server / Failure of microcontroller or error in software / Communication error with the server / Observation / Low
Table B-2 FMECA Worksheet for Microcontroller
Failure No. / Failure Mode / Possible Cause / Failure Effects / Method of Detection / Criticality / Remarks
C1 / Battery Level not detected correctly / Failure of MAX 1660 / Error in detecting the charge level of batteries / Observation / Low
C2 / Batteries not charging / Failure of MAX 712 and MAX 1660 or dead batteries / Device would not work without external power supply / Observation / Low
C3 / Batteries excessively charged / Failure of MAX 712 or MAX 1660 / Batteries may leak or explode / Observation / High / Sometimes may cause damage to other components
Table B-3 FMECA Worksheet for Battery Circuit