Those who are following the author's series of articles will have seen the design of the charge controller in the earlier article. In that article, the design of the charge controller is fully functional, but it lacks safety features. Let us understand product risk analysis. A product must not only function correctly but must also be robust. A well-designed product will accept a certain amount of abuse and will continue to perform well. Such fault-tolerant products are loved by customers.
Any product will face variations from the design conditions during manufacture and use. Usually designers specify the tolerance limits of the design parameters, but a product design should also be checked for proper performance under the worst-case combination of the process variations.
Apart from the designed tolerances, the product may be used in a different way than the designer had planned. A robust product will anticipate these unintended uses and provide features for them. The product should also have safety features to prevent damage, or to minimize damage, due to any unplanned usage.
We must recognize that our effort to make the product robust comes at a price. Usually, such a change will add to the cost, weight, and probably size of the product. Customers do not want to pay extra for things that are not directly delivering value. Design becomes an art of compromise between cost and quality.
We need to understand the effects of the various risks and prioritize our budget. We need to understand which failures are important and which can be ignored. The systematic analysis of such risks and their effects is called failure mode and effects analysis (FMEA).
FMEA (Failure Modes and Effects Analysis)
Several things can go wrong with a product. Our analysis starts with identifying what can go wrong with the product. There are various methods to identify these possible failure modes.
My favourite option is to sit with the development team and examine each of the subsystems to find things that can go wrong. Once the team has listed all that can go wrong in each of the subsystems, we start analyzing the things that can go wrong in the interactions between the subsystems.
One should note that not all problems are equally important. Events that can cause risk to life or large financial loss should be given higher priority than a problem that will cause minor irritation. Similarly, problems that are very likely to happen must be addressed with higher priority than a problem that has a very rare chance of occurring. Defects that are difficult to detect must be given higher priority than defects that are easy to detect.
Once we list the possible issues, we need to understand their effects (severity), the likelihood of such events occurring (occurrence), and the difficulty of detecting the issues (detection). For each of severity, occurrence, and detection we assign a subjective number according to the scale given in Table 1. Multiplying these three numbers gives us the risk priority number (RPN).
Table 1: SEVERITY OF RISK FACTORS

| Risk | Weight | Severity | Occurrence | Detection |
|---|---|---|---|---|
| Very High | 10 | Results in non-compliance with government regulations; endangers life or machine | Almost certain failure | This failure will not be detected |
| | 9 | | Well-known history of failure from similar situations | Very difficult to detect |
| High | 8 | High degree of customer dissatisfaction. Causes problems in related machines | | Controls have a poor chance of detecting this failure mode |
| | 7 | | Will fail often due to this problem | |
| Moderate | 6 | Customer dissatisfaction. Unscheduled repair. Damage to equipment. | | Controls may detect the failure |
| | 5 | | Isolated cases of failure from similar causes | |
| | 4 | | | Controls automatically detect this failure |
| Low | 3 | Will cause deterioration of performance and minor inconvenience | | |
| | 2 | | Very rare chance of failure occurring | Controls automatically detect this failure and take preventive action |
| Minor | 1 | Incidence | Failure unlikely from this problem | |
Types of Risk
Product risks can be of a technical nature, they can be economic, or they can be related to the supply chain. Design deficiencies, changes in input conditions, environmental factors, and the quality of input materials are technical risks.
Some of the technical risks can lead to accidents, where the impact can extend beyond the application area of the product. For this reason, technical risks must be given higher priority in the analysis.
Economic risks cause a loss of profitability or may cause higher operating costs. In both cases, the business viability of the product suffers. Typical causes of economic risks are price escalation, unplanned operating expenditure, or poor quality of supply. In some cases, frequent breakdowns due to technical faults may also result in economic risk.
The third type of risk arises from supply-chain issues. Depending on unreliable vendors, insufficient product volume, or product complexity often results in the suppliers not supplying the material. Supply-chain risks may call for costly solutions or a redesign of the product, or may cause the closure of its production. Just as with the product design, one should be careful with vendor development, or else work with standard, easily available raw materials.
As a general guideline, any risk with an RPN higher than 400 is not acceptable. Such risks should be reduced by redesigning or by adding protective measures. One may ignore the risks with an RPN value of less than 120 and concentrate on reducing the other, higher-priority risks. Risks with RPN values below 240 are somewhat tolerable.
Risks with an RPN between 240 and 400 should be reduced. Such risks should be accepted only when the design team cannot come up with any feasible measure to reduce the risk.
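The RPN scoring and the acceptance bands above can be carried out mechanically, which makes it easy to re-run the analysis every time a rating or a mitigation measure changes. The following is an added example written for this article, not the author's own code: it encodes the 1..10 scale, the severity x occurrence x detection product, and the article's bands (under 120 ignorable, under 240 tolerable, 240 to 400 to be reduced, over 400 unacceptable; treating exactly 400 as "reduce" is this example's choice). The risk rows are a constructed subset of the article's Table 2; the before-mitigation ratings are the article's, while the after-mitigation rating triples are assumptions chosen to reproduce the "New RPN" column. The function and field names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Ratings = Tuple[int, int, int]  # (severity, occurrence, detection), each on the 1..10 scale


@dataclass
class Risk:
    name: str
    kind: str                          # "Tech", "Sup" or "Eco", as in the article's Table 2
    ratings: Ratings                   # ratings before any mitigation
    mitigation: Optional[str] = None   # mitigation measure, if one was planned
    mitigated: Optional[Ratings] = None  # assumed ratings after the measure is applied


def rpn(ratings: Ratings) -> int:
    """Risk priority number: severity x occurrence x detection."""
    for r in ratings:
        if not 1 <= r <= 10:
            raise ValueError(f"rating {r} is outside the 1..10 scale of Table 1")
    severity, occurrence, detection = ratings
    return severity * occurrence * detection


def classify(value: int) -> str:
    """Map an RPN onto the article's acceptance bands."""
    if value > 400:
        return "unacceptable"   # must be redesigned or protected
    if value >= 240:
        return "reduce"         # accept only if no feasible measure exists
    if value >= 120:
        return "tolerable"
    return "ignorable"


def prioritize(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """All risks sorted by RPN, highest first, each with its acceptance band."""
    rows = [(r.name, rpn(r.ratings), classify(rpn(r.ratings))) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def unresolved(risks: List[Risk], limit: int = 240) -> List[Tuple[str, int]]:
    """Risks whose final RPN (after mitigation, where one is assumed) is still
    at or above `limit`; the design should not be finalized while this is non-empty."""
    out = []
    for r in risks:
        final = rpn(r.mitigated) if r.mitigated is not None else rpn(r.ratings)
        if final >= limit:
            out.append((r.name, final))
    return out


# Constructed subset of the article's Table 2 (see the lead-in for what is assumed).
RISKS = [
    Risk("Dead battery, CPU will not work", "Tech", (7, 6, 10),
         "Provide alternate power source from wind turbine", (7, 1, 10)),
    Risk("CPU failure", "Tech", (9, 3, 10),
         "Provide a hooter with delay, timer reset by CPU", (9, 3, 3)),
    Risk("Wi-Fi connection failure", "Tech", (4, 5, 8),
         "Server-side check raises a notification on long reporting delay", (4, 5, 4)),
    Risk("Scarcity of NodeMCU module", "Sup", (8, 3, 3)),
    Risk("ADC failure", "Tech", (3, 2, 7)),
]

if __name__ == "__main__":
    for name, value, band in prioritize(RISKS):
        print(f"{value:4d}  {band:12s} {name}")
    print("still unresolved:", unresolved(RISKS))
```

Note that the mitigation for "CPU failure" leaves severity and occurrence untouched and only improves detection (10 to 3); that is exactly what the hooter does, and the RPN still falls from 270 to 81. This is why a detection measure can be a legitimate answer to a high-RPN row even when the failure itself cannot be prevented.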

Risk Mitigation Approaches
Risk mitigation can be done by various means. The aim of all of them is to reduce the RPN value. The best way to reduce a risk is either to eliminate it or to reduce the chance of it occurring. This can be achieved by adding some safety margin in the design, by providing parallel sub-systems, or by providing an auxiliary system that automatically takes over in the event of failure of the main system.
In addition to risk prevention measures, we can try to reduce the impact of the risk. We are all familiar with the fuses or circuit breakers in our house wiring. These fuses cut the electrical supply in case of any high current flow and prevent overheating and fire risks in the house. In product design also, we often provide a 'fuse': an intentional weak point in the design that gives way during any unplanned situation and prevents further damage to the system.
One must remember that a fuse is a disruptive solution. Excessive use of fuses is not good. As far as possible, one should use other, innovative approaches to reduce damage and use a fuse only as the last resort.
Alarms and warnings are notifications calling for human intervention during emergency conditions. Such devices improve the detection of faults. When the product is not able to handle certain abnormal conditions, it can warn the user to take some action. One must keep in mind the importance of the signifier that we discussed in our first article.
Alarms and warnings must give clear information on what the user should do to deal with the emergency. The control panel or the interface should be suitably designed to eliminate any ambiguity between the warning and the desired action.
Product Risk Analysis – Example
Let us examine our charge controller for the various types of risk. Problems can happen due to missing connections with the external elements. We can also have situations where some modules fail. As our production volume is expected to be small, we also have the risk of some of the modules being phased out by their respective manufacturers, as well as of price escalation.
On the economic front, there can be a risk of competition. There is also the risk of low market demand, which may adversely affect the business viability.
In addition, we may face risk from the environmental conditions. Gusty winds may cause the wind turbine to generate higher power and voltage. If these are not controlled, they may damage the controller as well as the battery and alternator.
We list all these risks in Table 2 and analyze them for occurrence, severity, and detection as discussed earlier. For the risks with higher RPN numbers, we plan measures to reduce the risk. The mitigation measures are also listed in the same table. Once we have reduced all risk RPN values to an acceptable limit, we can finalize our design.
Table 2: RISK FACTORS IN THE TURBINE CONTROLLER DESIGN AND THEIR MITIGATION

| Identified Risk | Type | Severity | Occurrence | Detection | RPN | Mitigation Measure | New RPN |
|---|---|---|---|---|---|---|---|
| Dead battery, CPU will not work | Tech | 7 | 6 | 10 | 420 | Provide alternate power source from wind turbine | 70 |
| No battery connected, non-functional CPU and free running of wind turbine | Tech | 9 | 3 | 10 | 270 | Provide alternate power source and connect to dummy load when battery is not detected | 30 |
| Dummy load disconnected will cause free running of turbine | Tech | 8 | 3 | 6 | 144 | In absence of dummy load, activate brake circuit | 54 |
| Short circuit in battery | Tech | 9 | 3 | 5 | 135 | Isolate battery and divert power to dummy load | 75 |
| Short circuit in dummy load | Tech | 8 | 3 | 5 | 120 | Isolate dummy load and activate brake circuit | 75 |
| Strong wind resulting in high voltage | Tech | 6 | 6 | 5 | 180 | When turbine speed crosses a set threshold, activate brake circuit | 45 |
| Short circuit in both battery and dummy load | Tech | 9 | 1 | 5 | 45 | No action required | 45 |
| Power controller relay failure | Tech | 9 | 3 | 9 | 243 | By default connect to dummy load. Test proper operation at regular intervals | 48 |
| Loose connection in power cables will overheat and burn terminals | Tech | 6 | 6 | 6 | 216 | Isolate terminals from main controller and add an overheating sensor | 36 |
| CPU failure | Tech | 9 | 3 | 10 | 270 | Provide a hooter with delay. Reset hooter timer by CPU | 81 |
| ADC failure | Tech | 3 | 2 | 7 | 42 | No action required | 42 |
| Wi-Fi connection failure | Tech | 4 | 5 | 8 | 160 | Provide check in server to raise notification in the event of long reporting delay | 80 |
| Scarcity of NodeMCU module | Sup | 8 | 3 | 3 | 72 | No action required | 72 |
| Scarcity of ADC multiplexer | Sup | 8 | 2 | 3 | 48 | No action required | 48 |
| Scarcity of relay | Sup | 8 | 1 | 3 | 24 | No action required | 24 |
| Price escalation of components | Eco | 3 | 7 | 3 | 63 | No action required | 63 |
| Competition from other manufacturers | Eco | 3 | 5 | 3 | 45 | No action required | 45 |
| Low demand for small wind turbines | Eco | 3 | 4 | 3 | 36 | No action required | 36 |
| Low demand for smart controller | Eco | 3 | 5 | 3 | 45 | No action required | 45 |
Circuit Design
From the mitigation measures decided upon, we need to find the design changes that are required. Most of the recommended changes require implementation in the program logic. In the circuit design, we need to provide a power supply to the controller from both the battery and the wind turbine. We also need to add a hooter that will be activated in the event of the controller CPU stopping.
We have identified the best options for the submodules, assessed the various risks, and made our product robust. With these inputs, we can now start drawing the schematic circuit diagram.
The heart of the circuit is the ESP8266-based ESP12F module. This has only one ADC input, hence we use an analog multiplexer, a 74HC4051 (U3), to read the battery and wind turbine voltages. Both of these voltages are higher than the working range of the microcontroller, hence we use voltage divider circuits comprising resistors R9, R10 and R11, R12 to reduce the voltages to the working level.
The current flow in the power section is high. We use non-contact Hall effect sensors, U7 and U8, to read the current flowing from the wind turbine and from the battery. These produce a voltage proportional to the current flow, which is fed to U3.
For safety, the power controller relays will be kept separate from the main controller. We use an NTC sensor to sense any overheating in the power module. In case of any temperature rise, the NTC resistance will drop and the voltage at the junction of R1 and R6 will rise. This is sensed by a simple voltage comparator comprising Q1, Q2, and R2, which triggers the overheating indicator LED1. The junction voltage is also fed to U3 and monitored by the CPU.
The charge controller uses an SD card to store charging and discharging data. The SD card read-write module uses the SPI protocol. The ESP12F has 16 GPIO pins, but most of these pins are also used for internal operations. Not many pins can be used safely for control operations.
To conserve pins, we repurpose the SPI communication pins to control the analog multiplexer. As reading analog signals and writing values to the SD card are mutually exclusive, this design is safe.
We use GPIO pins 4 and 5 to control the battery charging and brake relay operation. We use a buzzer to give a warning of CPU malfunction. The buzzer is activated by a 555 timer-based delay circuit.
Under normal conditions, the CPU will reset the delay in its operating cycle, which will be several times every second. If the 555 is not reset within about 52 seconds, it will trigger the buzzer to give an audible warning of CPU malfunction.
The components are powered by both the alternator and the battery to ensure a reliable power supply. The supply voltage is around 48 V. For our operations, we need supplies at 3.3 V, 5 V, and 12 V. We use three DC-DC converters to obtain these voltages efficiently.
The addition of safety features to detect and prevent serious problems in the design will make the product more robust and improve its safety. In our next article, we will discuss how to handle the effect of unknown variables, and the controller logic program.
The author Soumyanath Chatterjee is a former TVS Motors Chair Professor at the Industrial and Systems Engineering Department, IIT Kharagpur. His expertise is in Product Development and Supply Chain Management.
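The 555 delay circuit is an external watchdog: it counts down on its own, and only a periodic reset from the CPU keeps it from sounding the buzzer. The following is an added simulation written for this article, not the author's firmware or circuit, that models that behaviour in discrete time. It assumes a retriggerable delay of 52 s (the article's figure), a CPU that resets it every 200 ms while healthy, and a time step of 100 ms; the class and function names, and the "hang at" scenarios, are this example's own. It generalizes slightly beyond the article by also showing what happens when the CPU's reset period is longer than the delay.

```python
from typing import Optional


class DelayedAlarm:
    """Model of a retriggerable delay such as the article's 555 stage.

    Each kick restarts the countdown. The alarm fires once `timeout_ms`
    elapses without a kick, and stays fired afterwards (a later kick does
    not silence it, which is what you want from a fault indicator).
    """

    def __init__(self, timeout_ms: int = 52_000):
        self.timeout_ms = timeout_ms
        self.last_kick_ms = 0          # the timer starts counting at power-on
        self.fired_at_ms: Optional[int] = None

    def kick(self, now_ms: int) -> None:
        """The CPU's periodic reset of the delay."""
        if self.fired_at_ms is None:
            self.last_kick_ms = now_ms

    def poll(self, now_ms: int) -> bool:
        """True once the buzzer is sounding. Records the exact expiry time,
        even if the simulation step overshot it."""
        if self.fired_at_ms is None and now_ms - self.last_kick_ms >= self.timeout_ms:
            self.fired_at_ms = self.last_kick_ms + self.timeout_ms
        return self.fired_at_ms is not None


def simulate(kick_interval_ms: int, hang_at_ms: Optional[int], duration_ms: int,
             timeout_ms: int = 52_000, step_ms: int = 100) -> Optional[int]:
    """Run the CPU/watchdog pair for `duration_ms`.

    The CPU kicks the watchdog every `kick_interval_ms` until it hangs at
    `hang_at_ms` (None = never hangs). Returns the time in ms at which the
    buzzer sounded, or None if it never did. Integer milliseconds are used
    so that kick and poll instants compare exactly.
    """
    watchdog = DelayedAlarm(timeout_ms)
    next_kick_ms = 0
    for now_ms in range(0, duration_ms + 1, step_ms):
        cpu_alive = hang_at_ms is None or now_ms < hang_at_ms
        while cpu_alive and next_kick_ms <= now_ms:
            watchdog.kick(next_kick_ms)
            next_kick_ms += kick_interval_ms
        if watchdog.poll(now_ms):
            return watchdog.fired_at_ms
    return None


if __name__ == "__main__":
    # Constructed scenarios: a healthy CPU, a CPU that hangs after 30 s,
    # and a CPU whose reset period (60 s) is longer than the 52 s delay.
    print("healthy CPU, 5 min:      ", simulate(200, None, 300_000))
    print("CPU hangs at 30 s:       ", simulate(200, 30_000, 300_000))
    print("CPU resets only every 60 s:", simulate(60_000, None, 300_000))
```

Two points the simulation makes concrete. First, the detection delay is the 52 s timeout plus up to one kick interval, so the buzzer sounds at 81.8 s for a CPU that hangs at 30 s; the timeout should be chosen against how long the turbine can safely free-run unattended. Second, the reset period must be comfortably shorter than the timeout, otherwise a perfectly healthy controller raises a false alarm. In firmware, the reset belongs in the main control loop rather than in a timer interrupt: if it lived in an interrupt, a main loop stuck in a fault would keep the watchdog happy and defeat the whole measure.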