Category Archives: Stress Analysis

From Prototype to Production: What You Need to Know, Part 1


Low-cost electronics modules and “how-to” design guides for hobbyists have made it easy to pop together working prototypes. That’s fine for hobbyists, but if you are planning on selling your creation to the masses, you need to be sure you understand the following:

There is a HUGE difference between a prototype and a production-ready design

If your prototype design was generated by experienced senior engineers, then they are likely to be aware of the many additional challenges that must be overcome in moving that design into production.

However, if your prototype design was based on cut/paste “reference designs,” pre-packaged modules, or hobbyist schematics, then you may not even be aware that there is a difficult path forward. In fact, you may make this fatal assumption: The prototype works, therefore let’s build a million of them and get rich!

Unfortunately, that fatal assumption will probably not lead you to wealth, but instead will create excruciating anxiety as you watch your new product crash when it exhibits one or more of the following problems:

  • intermittent performance
  • inexplicable shutdowns
  • excessive power drain (e.g. frequent battery replacement or recharging)
  • errors or even total failure due to normal variations in power source or environmental factors such as temperature and humidity
  • failure to properly operate over the device’s warranty period
  • overheating
  • breakage when being normally shipped and handled
  • customer frustration due to a poor user interface
  • errors when operating near other electronic devices
  • other electronic devices malfunctioning when near your device
  • failure due to common levels of electrostatic discharge

and this biggie:

  • customer injury or death

In future newsletters we’ll provide some tips on how to minimize the risks listed above. In the meantime, if you think that you need some guidance in moving from prototype to production, please contact me. We enjoy helping startup firms achieve their dreams.

-Ed Walker

Baloney Alert Special Report: Derating Guidelines

DACI Newsletter Classics
Valuable lessons from our 1st Qtr 2006 Newsletter

Many engineering departments don’t allow design engineers to operate parts anywhere near specification limits. This policy is spelled out in a Derating Guidelines document that mandates greatly reduced stress levels. For example, a typical derating for resistor power is 50%, which means that the design engineer can’t apply more than 1/4W to a 1/2W resistor. This Special Report asks the simple question: Why not?

Why Can’t Designers Use Maximum Ratings?

Is it because design managers are paranoid? Have they found that when a vendor claims a resistor will work to 1/2W that the resistor will only work to 1/4W? Or how about semiconductor junction temperatures? A typical power diode for example might be rated at 150C, but the designer often must adhere to a derating rule that prohibits a junction temperature greater than 90C. Does this mean that design managers consider power diode vendors to be just as untrustworthy as resistor vendors?

Or could it be that design managers don’t have faith in their design engineers? Are derating factors just a tactful way of applying fudge factors to account for the math errors made by those lazy and sloppy designers?

Although the above hypotheses may be applicable for a few managers, most often the stated rationale for deratings is “improved reliability.”

But do derating guidelines actually deliver this benefit? Please read on.

Costly Overdesign due to Excessive Caution

First let’s assume that vendors provide components that, the great majority of the time, will meet their specifications. (If not, in our efficient capitalist system they would be justly faced with lawsuits and loss of business and bankruptcy.)

Next, let’s assume that design engineers do a pretty good job in predicting worst case application stresses, taking into consideration the effects of tolerances, including aging. (If not they would rapidly be seeking employment in other fields.)

What about transient conditions? Again, competent design engineers will consider peak transient stresses as well as steady-state stresses, and select components accordingly. Or more likely, they will include clamps and filters and other forms of protection to ensure that maximum transient stresses are safely limited.

Okay, what’s left? Not much, other than uncertainties in the analytical models. But such uncertainties are minimized by a comparison of predicted results to prototype test results (a step that all good design engineers insist on).

So here’s the question: How much smaller than unity does a stress ratio need to be to account for such small remaining uncertainties?

A Typical Real World Example

For example, consider a resistor that has a predicted maximum power dissipation of 0.7W and a rating of 1W. Its stress ratio SR is

SR = Predicted / Rated = 0.7 / 1 = 0.7

With worst case tolerances and transients and testing considered, the designer — applying judgment based on experience — believes that a 10% uncertainty is ample, and that the maximum allowable SR should be 0.9. Therefore the designer is pleased with a ratio of 0.7. Plus, the designer knows that the 0.7 maximum is out in the tail of the distribution and that on average the stress will be much lower.

But the designer checks the department’s sacred Derating Guidelines and finds that the allowable stress ratio is only 0.5. Will the designer have a good laugh and leave the design alone and move on to more important tasks? Of course not!

Faced with an upcoming Design Review where some junior reliability engineer would gleefully jump all over this supposedly egregious violation of good design practice, the designer will avoid such embarrassment and spend extra time updating the design to a 2W resistor. Although this will make the design larger/heavier and more costly, with no measurable improvement in quality or reliability, the Derating Gods must not be offended.

Derating Cookbooks Can Cause Design Poisoning

Using a Derating Guidelines cookbook that was developed without support of science-based reasoning can easily result in design poisoning. For example, arbitrary temperature deratings can result in the use of much heavier heat sinks than are really necessary, and such added weight is almost universally a bad thing in a product. The useless extra weight not only takes up valuable space and costs more, but it requires more energy to transport (a particularly unfortunate result for fuel-sensitive aircraft applications). Worse, if the mandated derating forces the designer to shift from simple convection cooling to the use of fans or a liquid cooling pump, then overall reliability will very likely be significantly reduced.

Another major problem with the cookbook approach is that it discourages thinking. An engineering cookbook by definition is supposed to be a tried and true collection of guidelines and rules to assist the designer. Therefore the designer is discouraged from thinking about the aspects of the design that are covered by the cookbook. In theory this is not too bad if the cookbook is regularly updated using a science-based review process.

But has anyone ever read any science-based report that supports the typical cobweb-encrusted Derating Guidelines document [1] used by many engineering firms? And if by chance such a report is stumbled upon in the engineering department’s dusty attic, has it been updated to keep pace with technology?

Note 1: Subtitle: “This is the way grandpa did it and by God this is the way we’re going to do it!”

Oversimplification Misses Key Concerns

Returning to our resistor power example, savvy designers know that resistor power is really an approximate proxy for resistor temperature. For low-wattage resistor applications this is reasonable because resistor temperature rise is negligible. But as resistor dissipation increases, particularly with today’s ever-shrinking packages, resistor temperature can become a serious concern. One does not want a resistor to desolder itself from the PWA, even if the resistor is operated within its allowable stress derating. But do the derating guidelines for your department address resistor temperatures? Or temperature-related solder degradation issues?

A similar point can be made for capacitor ripple currents, which are also approximate proxies for capacitor core temperatures. Do your derating guidelines mention capacitor core temperatures?

And whereas decades ago the effects of electromigration due to integrated circuit current densities were a valid concern (which may have justified an associated temperature derating), advances in processes over the years have made such deratings obsolete — almost. Today there is renewed concern with electromigration due to advanced miniaturization.

So, like Dad’s old suspenders that were out of fashion for thirty years and then came back into vogue, our old neglected Derating Guidelines might just be partially right every few decades, if only by accident.

Question Authority


The hallmark of science is testability. If someone makes an assertion they are obligated to prove the assertion in a manner that can be replicated by independent observers. If you suspect that your engineering department’s deratings policy is archaic, why not challenge it? Ask the powers-that-be to defend the policy with objective evidence. If they can’t provide such evidence then it’s time for a change.

By helping modernize your deratings policy you can save your company time and money, plus simultaneously improve product reliability — an impressive outcome.

-Ed Walker

Malaysian Flight 370: Lithium Battery Fire Is A Reasonable Hypothesis

The cargo fire hypothesized by Canadian pilot Chris Goodfellow to explain the disappearance of Malaysian Flight 370 (see “Malaysian Flight 370: Canadian pilot’s analysis goes viral”) is a reasonable one.

According to Malaysian officials, the plane was carrying 440 pounds of lithium batteries. Lithium batteries, sitting inert (not being charged or discharged), were identified as the cause of the fire and resultant 2010 crash of a UPS 747 flight at Dubai. Ironically, even though “improper storage” in that case was determined to be the cause of the fire, I have never read any explanation of how improper storage can ignite a lithium battery. It appears more likely that lithium batteries, under certain conditions not completely understood (e.g. a combination of battery construction and chemistry, heat, vibration, and/or shock) can spontaneously ignite, albeit very rarely.

In addition to pilot Goodfellow’s comments, an added interesting point is that Flight 370 also gained very high altitude shortly after communications ceased. It could be that the pilots, upon becoming aware of the fire at that time, tried to quickly elevate the plane to quell the fire by starving it of oxygen. This might have been an excellent maneuver for most fires, but lithium batteries, once ignited, create their own oxygen and will continue to burn at high altitude.

Bottom Line: Until the cause of the disappearance of Flight 370 is positively determined, the possibility of a lithium battery fire is a reasonable hypothesis, and worth investigating.

-Ed Walker


Boeing’s Flaming Battery Fix: Time to Slow Down?

Just a quick note for those following this fascinating story.

Michael Sinnett, Boeing’s chief project engineer, said in a recent briefing that “Boeing is redesigning its batteries to ensure a fire isn’t possible. Among the new features will be a fire-resistant stainless steel case that will prevent oxygen from reaching the cells so fire can’t erupt.” (from “NTSB Contradicts Boeing Claim of No Fire in 787 Battery,” by Alan Levin, 15 Mar 2013 Bloomberg).

The problem with that statement is that once a lithium battery is heated sufficiently, it releases its own oxygen to fuel continued burning/explosion. That’s why lithium fires are extremely difficult to extinguish, and why an outer case, although it may keep a fire from spreading, will not prevent a fire from erupting.

-Ed Walker

Boeing’s Flaming Lithium Batteries: Was This A Risk Worth Taking?

In DACI’s 1st Quarter 2012 newsletter I predicted that a catastrophic safety event would eventually occur due to lithium batteries (please see “Li-Ion Battery Pack Hazards and our Psychic Prediction”). The recent fires in the initial flights of the new Boeing Dreamliner have come close to fulfilling that prophecy.

From “Detecting Lithium-Ion Cell Internal Faults In Real Time” (Celina Mikolajczak, John Harmon, Kevin White, Quinn Horn, and Ming Wu, in the Mar 1, 2010 issue of Power Electronics Technology) it is known that internal cell faults in lithium batteries can lead to thermal runaway, subsequently resulting in fires and/or explosions. Therefore the question arises: do the Boeing lithium batteries have an advanced internal construction that prevents cell faults, or mitigates thermal runaway in the event of a fault? If not, the Boeing team or vendor responsible for the battery system design is in big, big, trouble.

Although deficiencies in basic battery chemistry and/or construction appear to offer the best root cause hypothesis for the fires, there are also other possible factors. For example, it has been reported that perhaps the charging system malfunctioned, causing the batteries to overheat. However, a properly designed charger for an aircraft application would have fail-safe protection, preventing an overcharge. Plus, it was also reported that charging sensors did not detect an overvoltage. Although these factors sound reassuring, they are not sufficient to eliminate the charger from consideration. For example, one can hypothesize a charging waveform that contains spurious high frequency oscillations that create high rms charging currents. This would not necessarily result in overvoltage, but could result in overheating.

It is also possible that battery “cell defects” are nothing more than cell imbalances that vary according to production tolerances. In other words, the lithium battery, by its very nature, tends towards thermal runaway unless the internal cells are very tightly matched. This sensitivity would become more pronounced with a higher number of cells and higher mass, which would explain why no explosions have occurred in small button-style batteries, but do occur in the larger batteries.

There are other scenarios, including the thorny possibility that some combination of conditions conspired to create the failure. And, of course, the root cause may be highly intermittent, making detection extremely difficult. Such hypotheses are undoubtedly being examined by the Boeing engineers. I wish them well, and hope that they are allowed to perform their work calmly, methodically, and thoroughly.

Note: Because it may take quite a long time to conclusively establish a root cause, I would suggest that Boeing immediately begin planning to retrofit the lithium system with one containing battery types that have not shown the proclivity to explode; e.g. nickel metal-hydride, or sealed lead acid gel. Heavier, yes, but in this case safety and the economic timeline indicate that it would be wise to be prepared with a retrofit design.

(For some brief guidelines on design failure crisis management, please see Scenario #6: “Coping with Design Panic,” in The Design Analysis Handbook, Appendix A, “How to Survive an Engineering Project.”)

-Ed Walker

Reliability Prediction or Magic 8 Ball? You Decide

Many years ago I was contacted by someone who worked for a very large defense contractor. The gentleman (Mr. X) had the responsibility for helping ensure that the electronics modules used by his company met stringent reliability requirements, one of which was a minimum allowable Mean Time Between Failures (MTBF). He had read one of our DACI newsletters that mentioned such reliability predictions, and gave me a call.

“My problem,” he said (I paraphrase), “is that MTBF predictions per Military Handbook 217 don’t make any sense.” He subsequently provided detailed backup studies, including a data collection — using real fielded hardware — that showed the predicted times to failure for the hardware did not match the field experience. The predicted numbers were not just too low (as some folks claim for MIL-HDBK-217), they were also too high, or sometimes about right. In other words, they were pretty random, indicating that MIL-HDBK-217 had no more predictive value than you would get by using a Magic 8 Ball.

But that’s not all. “These reliability predictions,” he continued, “are worse than useless, because engineering managers are cramming in heavy heat sinks, or using other cooling techniques, to drive down the MTBF numbers. The result is a potential decrease of overall system reliability, as well as increased weight and cost, based on this MTBF nonsense.”

Until I heard from Mr. X, I had prepared numerous MTBF reports using MIL-HDBK-217, assuming (what a horrible word, I’ve learned) that the methodology was science-based. After reviewing the data, however, I agreed with Mr. X that MTBFs were indeed nonsense, and said so in the DACI newsletter. This sparked a minor controversy, including being threatened by a representative of a reliability firm (one that did a lot of business with the government) that DACI would be “out of business” because of our stance on the issue.

Well, DACI survived. Today, though, and sadly, my impression is that lots of folks still use MIL-HDBK-217-type cookbook calculations for MTBFs, which are essentially a waste of money, other than the important side benefit (that has nothing to do with MTBF predictions) of examining components for potential overstress. But that task can be done as part of a good WCA, skipping all of the costly and misleading MTBF pseudoscience.

Instead of trying to predict reliability, it’s better to ensure reliability by employing “physics of failure,” the scientific process of studying the chemistry, mechanics, and physics of specific materials and assemblies.

Bottom line: Skip the handbook-style MTBF nonsense, and use those dollars instead to keep abreast of materials science, as applicable to your specific products. (If for some reason you absolutely must prepare an MTBF report, use a Magic 8 Ball: it will be much quicker and just as accurate.)

p.s. Prior to my education by Mr. X, I had been deeply involved with the electronics design for a very ambitious spacecraft project. Thinking MTBF to be an important metric, I asked the project manager what the preliminary MTBF was for the system. He smiled and asked me to meet him privately.

Later, alone in his office, I was furtively told that the MTBF calculations indicated that the system was doomed to failure, so it had been decreed that the project was not going to use MTBFs. The rationale was that each system component would be examined on a case-by-case basis to ensure that its materials and assembly were suitable for its intended task. In essence, this can be viewed as an early example of the physics of failure approach. And yes, the mission was a complete success.

-Ed Walker

1st Qtr 2012

(c) 2012 Design/Analysis Consultants, Inc.
Newsletter content may be copied in whole or part if attribution
to DACI and any referenced source is prominently displayed with the copied material

This Issue: NEWS BITE: Creepy Swarming Electronic Insects Are Real! / GOVERNMENT FOOLISHNESS and Incandescent Bulbs / WORST CASE ANALYSIS and the Fukushima Nuclear Plant Meltdown / RISK ASSESSMENT and Lithium Battery Explosions / ANALYSIS QUIZ: Answer To Last Quarter’s Question / DESIGN MASTER 8.2 UPGRADE if you’ve had trouble generating WCA reports on a Win7 PC

NEWS BITE: Creepy Swarming Electronic Insects Are Real!

GOVERNMENT FOOLISHNESS: Incandescent Bulbs Banned? No Problem, Just Buy A Heat Ball

From “Upset about Big Brother’s Ban on Incandescent Bulbs? Buy a Heatball!” by Selwyn Duke in the 30 Dec 2011 issue of American Thinker

For earlier Newsletter comments on the absurdity of banning incandescent bulbs, please see “Unintended Consequences: Nanny Engineering” in the 2nd Qtr 2011 issue.

WORST CASE ANALYSIS: What We Learned From Fukushima – Again

“Japan is not a technically backward country … Its nuclear power plants were designed and built with an acute consciousness of extreme earthquake dangers.

“So how is it, despite that sophistication, awareness, and preparedness, that the Fukushima crisis has nonetheless exceeded worst-case thinking? Here, the story is reminiscent of Three Mile Island and Chernobyl, and the message seems to be the same: Worst-case scenario builders consistently underestimate the statistical probability of separate bad things happening simultaneously, as the result of the same underlying causes.” [Emphasis added]
“Japan Nuclear Accident Worse Than Worst, Again” by Bill Sweet, 12 Mar 2011, Energywise

RISK ASSESSMENT: Li-Ion Battery Pack Hazards and our Psychic Prediction

“Internal cell faults continue to lead to thermal runaway failures in Li-Ion battery packs used in the field. Though these events are rare, the proliferation of Li-ion-powered consumer electronics has increased the risk for an event occurring on an aircraft, or at a similarly inauspicious location or time … At present there is no [battery] pack-protection circuitry in commercial use that is designed to continuously monitor the cells for the symptoms of a latent incipient internal cell fault before such a fault causes thermal runaway.”
“Detecting Lithium-Ion Cell Internal Faults In Real Time” by Celina Mikolajczak, John Harmon, Kevin White, Quinn Horn, and Ming Wu, in the Mar 1, 2010 issue of Power Electronics Technology

Even though there have been several fires and a few folks have been injured or killed due to exploding lithium batteries, we predict that the risk will be tolerated until a catastrophic explosion occurs. This will be followed by the usual screaming headlines belatedly warning of the dangers, hind-sight experts suddenly popping up on TV, hand-wringing congressional investigations, and finally, heavy-handed and grossly over-reactive governmental regulatory responses.

ANALYSIS QUIZ (Answer from Last Issue): Adjustable 3-Terminal Regulator Output Tolerance

An LM317T regulator with 36V input is set for 24V nominal output, using 1/8W 1% 100ppm thick film resistors (10K and 549 ohms). The regulator must deliver 1A and operate from 0 to 50 C for 10,000 hours.

Q: What will be the approximate worst case output tolerance?

-2/+2%        -4/+5%         -7/+6%         -6/+11%         -9/+15%

A: -9/+15%

Surprised? You might be if you only consider initial tolerances, and don’t factor in the effects of temperature and aging. Here are the normalized sensitivities, which give one a better sense of the significant error contributors:
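The way temperature and aging terms stack onto initial tolerance in this quiz can be carried through numerically. The following extreme-value analysis is an added example, not DACI's calculation or Design Master output: the Vref and Iadj limits, the 25 C of resistor self-heating and the 1% resistor aging figure are assumptions, so its percentages illustrate the method and are not the newsletter's sensitivity table.

```python
"""Extreme-value worst case analysis of an LM317 output (added example)."""
from itertools import product

V_TARGET = 24.0                 # volts, nominal set point from the quiz
T_REF = 25.0                    # deg C, assumed reference for resistor values
R1_NOM, R2_NOM = 549.0, 10_000.0    # ohms, from the quiz

# (min, nominal, max). Assumed typical LM317 data sheet limits; confirm them
# against the data sheet of the part actually used.
REGULATOR = {
    "vref": (1.20, 1.25, 1.30),     # volts
    "iadj": (0.0, 50e-6, 100e-6),   # amps, minimum assumed to be zero
}


def vout(vref, iadj, r1, r2):
    """Vref across R1 sets the divider current; Iadj also flows through R2."""
    return vref * (1.0 + r2 / r1) + iadj * r2


def resistor_fraction(initial, tempco_ppm, t_min, t_max, aging):
    """Total +/- fractional error: initial tolerance + temperature + aging."""
    delta_t = max(abs(t_max - T_REF), abs(T_REF - t_min))
    return initial + tempco_ppm * 1e-6 * delta_t + aging


def limits(res_frac):
    """Min/nominal/max table for all four parameters."""
    table = dict(REGULATOR)
    for name, nom in (("r1", R1_NOM), ("r2", R2_NOM)):
        table[name] = (nom * (1 - res_frac), nom, nom * (1 + res_frac))
    return table


def worst_case(res_frac):
    """Return (low %, high %) of Vout relative to V_TARGET.

    vout() is monotonic in every parameter, so the extremes lie on the
    corners of the tolerance box and checking all 2**4 corners is exact.
    """
    table = limits(res_frac)
    names = list(table)
    corners = product(*[(table[n][0], table[n][2]) for n in names])
    values = [vout(**dict(zip(names, corner))) for corner in corners]
    return tuple(100.0 * (v - V_TARGET) / V_TARGET
                 for v in (min(values), max(values)))


def normalized_sensitivities(step=1e-6):
    """Percent change in Vout per percent change in each parameter, at nominal."""
    nominal = {name: lim[1] for name, lim in limits(0.0).items()}
    v0 = vout(**nominal)
    result = {}
    for name, x in nominal.items():
        hi = vout(**{**nominal, name: x * (1 + step)})
        lo = vout(**{**nominal, name: x * (1 - step)})
        result[name] = (hi - lo) / (2 * step * v0)
    return result


# 1% initial tolerance only.
INITIAL_ONLY = resistor_fraction(0.01, 0.0, T_REF, T_REF, 0.0)
# 1% initial, 100 ppm/C over 0 C ambient to 75 C (50 C ambient plus an assumed
# 25 C of self-heating), and an assumed 1% drift over 10,000 hours.
TEMP_AND_AGING = resistor_fraction(0.01, 100.0, 0.0, 75.0, 0.01)

if __name__ == "__main__":
    for label, frac in (("initial only", INITIAL_ONLY),
                        ("temperature + aging", TEMP_AND_AGING)):
        low, high = worst_case(frac)
        print(f"resistors {label:20s}: {low:+.1f}% / {high:+.1f}%")
    for name, s in normalized_sensitivities().items():
        print(f"sensitivity to {name}: {s:+.3f}")
```

With these assumed values the resistor temperature and aging terms widen the band from about -5.7/+10.3% to about -8.4/+13.4%. The band is asymmetric because the adjustment-pin current only ever pushes the output above the 24V set point.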

DESIGN MASTER™ 8.2 UPDATE: WCA Report Generator Bug Corrected

To facilitate the efficient creation of professional worst case analysis reports, Design Master includes an automated Word document report generator, based on Microsoft Office automation technology. We’ve recently had a few Win7 users notify us that the report function is not operable on their systems. Although Design Master has been tested on other Win7 systems with no problems, variations in Win7 system speed appear to prevent the report generator from functioning properly in some cases. Design Master Rev 8.2 allows more tolerance for speed variances, which has corrected the reported issues.

Metal Oxide Varistor (MOV) DMX Analysis File Released

Metal Oxide Varistor (MOV) DMX Worst Case Analysis File
MOV1 $12.50

(DMX files are available free to Design Master™ Professional Edition users who purchased or upgraded DM not more than one year prior to the DMX file release date.)

The MOV analysis determines whether a Metal Oxide Varistor transient voltage suppressor will (a) survive a specified surge voltage or current, (b) clamp the surge below a specified voltage limit, (c) not clamp the normal operating voltage, and (d) survive a specified number of surges. MOVs are typically rated with 8x20us current waveforms, and (just to be confusing) 10x1000us energy waveforms. MOVs also have a lifetime (number of allowable surges) that depends on peak current, pulse width, and temperature. To complicate things further, MOV clamping voltages are a nonlinear function of surge current. To help make the design engineer’s job a little easier, this analysis contains adjustment formulas for all of these factors. It also provides standard surge waveform requirements and helpful hints.

DMeXpert™ (DMX) files guide the user with pop-up instructions, component selection lists, standard part values, important formulas, and a variety of other tips that are activated when entering a Formula cell. It’s like having a design/analysis expert at your side.

Transient Voltage Suppressor (TVS) DMX Analysis File Released

Transient Voltage Suppressor (TVS) with Optional Steering Diode DMX Worst Case Analysis File
TVS1 $12.50


The Transient Voltage Suppressor analysis determines whether a TVS avalanche diode and optional steering diode will (a) survive a specified surge voltage or current, (b) clamp the surge below a specified voltage limit, and (c) not clamp the normal operating voltage. Good for any TVS diode and steering diode; just fill in the blanks using data sheet values, and get an answer in a few seconds. TVS diodes are typically rated with 10x1000us current waveforms. Steering diodes are typically rated with line frequency half-sine current waveforms. When the applied surge has a different waveform, however, the TVS and steering diode ratings must be adjusted accordingly. In addition, the ratings must also be adjusted for pulse width and temperature. To help make the design engineer’s job a little easier, this analysis contains adjustment formulas for all of these factors. It also provides standard surge waveform requirements and helpful hints.


AC Full Wave Bridge Rectifier DMX Analysis File Released

AC Bridge Rectifier DMX Worst Case Analysis File
ACBR1 $19


This updated and easy-to-use analysis provides all of the key waveforms, voltages, and currents for the AC full wave bridge rectifier circuit, including the effects of source ohms. Output includes average input amps, rms input amps, input watts, Rs watts, capacitor rms amps, average load volts, average load amps, and output watts.

Capacitor Current
