Application of accelerometers
This is the BrainPort™. Also used for helping visually impaired people to see, and for overcoming other sensory problems.
ES050 – Introductory Engineering Design and Innovation Studio
Prof. Ken McIsaac
Design Failures in EE, CE and SE
Outline for today
Therac-25 radiation machine
DC-10 airframe
Household wiring
Safety codes
Discussion
Therac-25
Therac-25 was a medical device, intended to provide therapeutic radiation
Developed by AECL (Atomic Energy of Canada, Ltd.)
Therac-25 Operation
Two modes of operation: X-ray mode and Electron Beam mode
Electron beam controlled by magnets
X-ray mode generated by passing a high-energy (25 MeV) electron beam through a “flattener”
Therac-25 Operation (cont.)
Picture from “Medical Devices: Therac 25” by Nancy Leveson, U. of Washington
Therac-25 Fault assessment
Programming errors have been reduced by extensive testing
Software quality does not degrade over time
Minute (10^-9) probabilities of random computer events
Conclusion: Software is safe
Therac-25 User Interface
Operators entered information at a keyboard
Repeated ENTER key could be used to “re-use” settings
Error messages in the form: MALFUNCTION N.
Press “P” to proceed after faults
Therac-25: Failures
Several sites (Marietta, Georgia; Hamilton, Ontario; Yakima, Washington; Tyler, Texas) experience abnormal events
Patients complain of pain during treatment
Six patients died
AECL initially unable to reproduce faults
Therac-25: What went wrong?
Software problem: Well-trained operators could change settings faster than the machine could react
System design problem: No safety interlocks on turntable.
Management problem: Software not considered during hazard analysis
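The race on these slides, as an added illustration that is not part of the lecture: a deliberately simplified controller model in which an operator's keyboard correction is acted on by the turntable before the slower beam setup has finished. The first controller fires on its stored settings; the second adds the missing turntable interlock. The class names, the choice of which subsystem lags, and the timing are constructed assumptions, not AECL's design.

```python
from dataclasses import dataclass
from typing import Optional

XRAY, ELECTRON = "xray", "electron"   # the two treatment modes from the slides

@dataclass
class Machine:
    """Constructed model: the turntable follows an edit at once, while the
    beam (energy/magnet) setup takes one extra step to settle."""
    turntable: str = ELECTRON          # physical position read from a sensor
    beam_mode: str = ELECTRON          # mode the beam parameters are set for
    pending_beam: Optional[str] = None # beam setup still in progress

    def operator_edit(self, mode: str) -> None:
        self.turntable = mode          # fast subsystem reacts immediately
        self.pending_beam = mode       # slow subsystem only starts here

    def settle(self) -> None:
        """Time passes: the slow beam setup completes."""
        if self.pending_beam is not None:
            self.beam_mode, self.pending_beam = self.pending_beam, None

def fire_unchecked(m: Machine) -> str:
    """Flawed controller: trusts the stored settings, no turntable interlock.
    An X-ray-level beam with the turntable out of the X-ray (flattener)
    position is the lethal combination."""
    if m.beam_mode == XRAY and m.turntable != XRAY:
        return "OVERDOSE"
    return "dose_ok" if m.beam_mode == m.turntable else "underdose"

def fire_interlocked(m: Machine) -> str:
    """Hardened controller: refuses beam-on unless setup has finished and the
    sensed turntable position matches the beam mode. No 'press P to proceed'
    past this fault; the only way forward is a fresh setup."""
    if m.pending_beam is not None or m.beam_mode != m.turntable:
        return "MALFUNCTION: beam mode does not match turntable position"
    return "dose_ok"

def operator_session(fire, fast_edit: bool) -> str:
    """Operator first selects X-ray, then corrects the entry to electron.
    With fast_edit the beam is fired before the correction has settled."""
    m = Machine()
    m.operator_edit(XRAY)
    m.settle()                         # both subsystems now in X-ray mode
    m.operator_edit(ELECTRON)          # quick correction at the keyboard
    if not fast_edit:
        m.settle()                     # slow operator: machine catches up
    return fire(m)
```

Run `operator_session(fire_unchecked, True)` against `operator_session(fire_interlocked, True)` to see the same operator behaviour produce an overdose in one design and a refused treatment in the other.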
DC-10: Early history
Long-range airliner, entered service 1967
Bottom cargo bay opened outwards: better than competing designs
Control system ran through floor
DC-10: Cargo doors
Outward-opening doors are pressurized
Solenoid (electrically driven) valves power latches to close doors
Problem: solenoids cannot “self-check”
DC-10: Cargo doors (cont.)
“Solution”:
Install a “window” near latch
Ground crew should visually inspect that latch is closed
Labels to that effect placed on aircraft
DC-10: First incident
American Airlines Flt 96 (Detroit-Buffalo), June 12, 1972
Latch fails
Fuselage crumples, losing almost all control
Pilots manage to land aircraft
No loss of life
DC-10: Second incident
Turkish Airlines Flt 981 (Paris-London), March 3, 1974
Window labelled in English, Turkish
Baggage handler not trained for the aircraft; reads French, Arabic
DC-10: Second incident (cont.)
Latch fails
All control lines severed when fuselage crumples
Plane lost with no survivors
DC-10 : Lessons learned
Importance of redundancy and self-checking
Mandatory recall should have occurred after first incident
Design flaw?
Evolution of household wiring
Knob and tube (pre-1930s construction)
Single conductors
Ceramic “knobs” and “tubes” insulate wire
No ground
Still found in older homes.
Aluminum wiring
Used in 1970s when aluminum was cheaper than copper
Aluminum is a slightly worse conductor than copper, and has different thermal expansion rates
Different expansion rates lead to loose (high-impedance) connections
Has caused fires, but safe when properly installed
Ground fault interruption
What happens when you touch the hot wire
[Diagram: 120 V, 60 Hz supply; Hot and Neutral wires to a Load; Ground at panel; a person touching the Hot wire: Electrocution]
Ground fault interruption
GFCI can detect the current imbalance
Currents of 100 mA can be fatal
GFCI will trip at 5 mA
[Diagram: the same circuit with a GFCI added; currents labelled I1, I2, I3, with I1 = I2 + I3]
Safety codes
Developed over time to respond to problems
CSA in Canada is an engineering body dedicated to developing codes to prevent household and industrial accidents
Household code prevents fires, electrocutions by specifying wire gauge, loading rules, GFCIs, grounding, etc.
Industrial safety
Safety PLC
Computer system that can be used in safety-critical applications
Includes multiple redundancy and constant self-checking
Industrial safety (cont.)
Light curtain
Uses infrared beams to detect human presence and stop dangerous machines
Includes multiple redundancy and self-checking