Archive for the ‘Safety Critical’ Category

PCIM 2016 Highlights

Monday, May 30th, 2016

PCIM was big – again

PCIM 2016 Highlights

This year PCIM filled three of the Messe exhibition hall in the Nuremberg.  There were a large number of exhibitors.  This large turnout of exhibitors and the crowds attending shows that power electronics is going well in Europe and the world.  The recent reasonable GDP growth in Europe suggests that the financial crisis of 2008 may finally no longer be a drag on the European economies.

Devices

Always at PCIM there are new and exciting devices launched.  There is always lots of talk of how these devices will solve all the power loss and control problems.  Better devices are always worth having and they add to the toolbox for power electronics engineers.  Typically these new and improved switching devices allow higher power density by reducing losses and increasing the operating temperatures.  As an end in themselves new devices are often a bit of a distraction.  The fundamentals of the power converters job stay the same.  Thermal design to keep the heat out, EM design to keep the noise in and control the converter to be stable and useful.

Gallium Nitride GaN

The GaN story is a good one. It is easy to be cynical about why GaN has appeared in the commercial market after being used extensively in military application for some time. The key issues that were clear in talking to GaN people was that the expected improvement from silicon is not as large as expected or as was initially indicated and that driving the devices is a challenge. As GaN devices are FET type devices with ON resistance they will be limited to lower voltages possibly up to 700VDC to 800VDC.

Gallium Nitride Molecular structure PCIM 2016 Highlights

GaN is touted as the future for semiconductors. Solving the reliability issues may be the most pressing challenge to enable adoption.

Another issue with GaN devices is a perceived low reliability.  This may resolve and my guess is it will as I remember when I first started working with IGBTs in 1990 they too were considered “unreliable.”

Silicon Carbide

Silicon carbide devices are well established and there are lots of switching devices and diodes available.  These devices are being used to move the switching frequency up which is often assumed to be a good thing.  The question that industry veteran Marty Brown so eloquently asks about this is “why go faster?”  Time will tell whether faster switching gives the advantages that it should.

Silicon and stacks

Silicon devices are going from strength to strength. The effort being put into system design with gate drives and cooling is high. It is now possible to buy megawatt converters in cabinets ready for deployment into wind and solar applications. Vendors like Semikron, Danfoss and Infineon are leading the way with smaller vendors like Oztech and Agilestack either following quickly and at times leading.

It is still possible to use discrete devices. When talking with a vendor of an impressive graphite thermal interface material it was clear that they were surprised by the large numbers of TO247 packages being used in high volumes.

Capacitors

The trade off between required capacitor size and the switching frequency of three phase inverters is one of those design iteration choices that defines the physical size of the converter. If the switching is faster then there is less DC side capacitance needed but the switching losses are higher. And as we all switch faster is this optimization is starting to be limited by the inductance of the commutation loop. The available DC bus capacitors are very low inductance and the laminated DC bus bars are also extremely low inductance. There are opportunities to connect the capacitors directly onto the DC bus bars reducing the inductance to a very low value. SBE Capacitors have an excellent solution

Infineon-450V-1000uF-290

Safety Critical Controllers – Functional Safety

The use of safety critical approaches in digital power control is recent. The automotive power electronic people have ISO 26262 requirements for how the gate drives and how the hardware need to behave in a fault. Medical device compliance requirements have long required risk management and safety critical partitioning of the system. Even household appliances have safety critical requirements in their product standards like IEC/EN 60335 and IEC/EN 60730. We have had 60730 code libraries for a number of processors for a while now and have IEC 61508 as the basis for our high reliability controllers. And the work that we do with controllers in equipment covered by the Machinery Safety Directive gives us a good insight into product risk management over the complete product lifecycle.

For a long while, and until recently, there has been little support for safety critical systems in power electronics. Partitioning of the controller is the way to meet the fault detection requirements of safety critical systems was a challenge. With the advent of ISO26262 in the auto industry there is now a demand for safety critical assessment and traceability inside the power converter controller. The use of safety critical techniques has long been useful in power converter control due to the inherent ability of bridge power converters to self-destruct.

There were microprocessors at PCIM which have (or will have) safety critical function as key to their function.  These microprocessors have multiple cores that can implement either dual redundant systems or primary and secondary control to implement the safety critical control. This development is a great acknowledgement that there is need to treat power electronic systems as part of the safety critical development. Often times in the past the digital control in the power converter was not subjected to the same level of review and revision control.  And often the digital control in the power converter can be updated in the field, leading to security issues for the digital power converter controller.

While micros with the partition and the safety critical features are a good step toward this there is probably still risk of hackers compromising the security of network connected safety critical systems. Engineering to avoid a Stuxnet type vulnerability in power converter controllers will be the challenge.

ELMG Control Platform for Safety Critical Systems

The ELMG Digital Power Control Platform allows safety critical partitioning of the FPGA function. The Xilinx isolated design flow ensures that each part of the the system can be separately verified and maintained. ELMG Digital Power experience in digital control for safety critical applications such as medical, household appliances and automotive traction allows safety critical analysis and design to appropriate process and performance standards.

Contact us to discuss your safety critical system.

 

 

Better Embedded System Software

Tuesday, January 12th, 2016
Better Embedded System Software - by Philip Koopman

Better Embedded System Software – by Philip Koopman

I was speaking with a friend about software standards for power electronic converters.  We were talking about how to get better embedded system software. He asked me to look at the book “Better Embedded Systems Design” by Philipp Koopman.  I borrowed a copy a copy from my local engineering library.  It looks good and covers all the areas that are required in software for Power Electronics.  Most of the stuff covered we have in our internal standards or design rules.  There are good section on comments and what they are able to do and what they are not able to do.  At the moment here at ELMG Digital Power our standard is to use minimal comments as we have found that they do not get maintained.

Issues Tracking is a must

The issue tracking chapter in the book is good also.  We use JIRA for issues tracking.  Having issue tracking is a really good sign that code will be OK.

In terms of quality for software we go back to the source Demming for lots of our quality thinking.  It is useful also to have the six sigma stuff around for its mathematical “control of variation” stuff.  I know that some of the young guys that join us find having to learn about Demming either distracting or irrelevant. It always useful to have a basis for quality and Demming’s approach is a great foundation.

And there are standards already

A good grounding in IEC61508 standards is useful too.  Requirements tracking and testing is required in these.  The medical devices software requirements are similar to  IEC61508.  We use the 61508 approach regularly it gives a great basis for safety critical programmable systems.  The ISO 26262 is the motor vehicle industries take on 61508 with wriggle room so they can avoid some of the really expensive requirements.  It is interesting to note that ISO26262 is a very recent standard.

Even household appliances have their own safety critical control standards in IEC60730 which is called out in the household appliances standard IEC60335.   And as household appliances run unattended they are actually really high risk.  I was once told at a functional safety course that there are 30000 washing machine fires  in the EU every year.  I cannot be certain of that number.

Other approaches to software quality include DOD 178 standards for code development and audit.

Another Book worth a looking

Another book that I like is the “Art of Designing Embedded Systems” by Jack Ganssle.  He is far more an engineer made good in embedded software development guy and so is far more – “get your scope out”.  Lots of software guys dislike Jack Ganssle because what he says is outside their competence.  He is a very useful thinker.

Better Embedded System Software – just a dream

In summary the Koopman book “Better Embedded Systems Design” is a really good overview of the things that need to be done to get “good” software.

It seems that mostly people ignore all this software quality stuff in power supplies. And yet with the increasing trend to software control in power electronics better embedded system software is probably what power supply engineers need.

Safety Critical Digital Control – Planes in Fog

Wednesday, December 24th, 2014

Safety critical digital control for airplanes in fog

This article was originally published in 2010.  It is part of the ELMG redux series of articles that will be republished over the summer.  These articles cover subjects in and around digital control of power electronics.

Redux – Safety Critical Digital Control – Planes in Fog

Just before Christmas 2006 I spent sometime (24 hours) in Copenhagen Airport as I waited for my plane after doing a week of meetings in Southern Sweden. I very nearly had a forced stopover in London at Heathrow as London fog shut that airport.  This stranded almost eighty thousand people who could not go on their holidays.

My connecting flight into Heathrow was cancelled due to that very fog in London. As a result I did not ever get to London and so I missed my connection out of London. Luckily for me I was re-routed the next day directly through Hong Kong missing the crowds of delayed passengers at Heathrow.  Thanks to all those that helped me.

Copenhagen Airport

As I waited at Copenhagen I thought about a number of things

  1. The large numbers of people at Heathrow and how their holidays would go? My sympathy to all the people who were delayed in Europe at or around Christmas time.
  2. Why, if an airliner can land itself at LAX in perfectly good weather, can an airliner not land itself in London in the fog? The pilot on my last flight to LA informed the passengers that the plane we were on would land itself at LAX. I cannot verify whether the plane did or did not land itself but we did get down safely.
  3.  What would my pre-school age daughter say if I did not get home for Christmas?

So if the plane can land on a sunny day in LAX why can it not land in the fog at London?

The guidance system on an airliner is an safety critical digital control system. It takes inputs from various guidance sensors (like GPS and inertial guidance) and produces outputs for the control surfaces like the elevators and ailerons. As such it will be a mixture of hardware and firmware  software. The program code is most probably written in a safety critical digital control useful language (not C) such as ADA. The method to write the software is (hopefully) well defined and the code is well inspected and walked through. The guidance system is then certified along with the aircraft by the FAA and other suitable safety authorities.

A Sunny Day in LA.

So let me say that again – on a good sunny day in LA my pilot can let the machine land itself but in London my plane cannot land because of the fog. I thought about why this was and even asked a friend. He said that it was “All because of the labour unions” which I hadn’t even considered. I decided that it may well be something else. Labour unions may have something to do with it but I don’t have time to write about that.

Critical Failure Modes Analysis

Consider the failure mode of the plane landing in Heathrow in the fog. If something goes wrong with the part of the guidance/landing system that takes care of height, then the airliner hits hard into the runway and makes a mess. Consider the same failure mode in the good weather at LAX. The plane is at the wrong height and would dive into the runway. Instead the over riding backup system looks out the window and takes control of the plane.

Safety Critical Digital Control on a plane needs a Pilot

So here is the skinny – it is OK for the plane to land itself so long as the backup override system is working. This backup is the pilot and so long as she isn’t struck down by food poisoning and she can see the runway she will not let the plane crash.

I am glad my flight to London was cancelled.

There have been incidents where the pilot has attempted to stop the plane crashing but the embedded systems in the plane have refused to help out. That, though, is something for another time.

Since this article was written safety of airliners and their safety critical digital control systems has come into sharp focus. Apologies and condolences to all and everyone who have been touched by the failings of digital control systems in the airline industry.