ES050 – Introductory Engineering Design and Innovation Studio

Prof. Ken McIsaac

One last word…

Application of accelerometers

This is the BrainPort ™ Also used for helping visually impaired people to

see, and overcoming other sensory problems

ES050 – Introductory Engineering Design and Innovation Studio

Prof. Ken McIsaac

Design Failures in EE, CE and SE

Outline for today

Therac-25 Radiation Machine DC-10 airframe Household wiring Safety codes Discussion

Therac - 25

Therac – 25 was a medical device, intended to provide therapeutic radiation

Developed by AECL (Atomic Energy of Canada, Ltd.)

Therac – 25 Operation

Two modes of operation: X-ray mode and Electron Beam mode

Electron beam controlled by magnets X-ray mode generated by high energy (25

MeV electron beam) through “flattener”

Therac-25 Operation (cont.)

Picture from “Medical Devices: Therac 25” by Nancy Leveson, U. of Washington

Therac – 25 Fault assessment

Programming errors have been reduced by extensive testing

Software quality does not degrade over time

Minute (10-9) probabilities of random computer events

Conclusion: Software is safe

Therac – 25 User Interface

Operators entered information at a keyboard

Repeated ENTER key could be used to “re-use” settings

Error messages in the form: MALFUNCTION N.

Press “P” to proceed after faults

Therac – 25 : Failures

Several sites (Marietta, Georgia; Hamilton, Ontario; Yakima, Washington; Tyler, Texas) have abnormal events

Patients complain of pain during treatment

Six patients died AECL initially unable to reproduce faults

Therac – 25: What went wrong?

Software problem: Well trained operators could make changes to settings faster than machine could react

System design problem: No safety interlocks on turntable.

Management problem: Software not considered during hazard analysis

DC – 10 : Early history

Long range airliner entered service 1967 Bottom cargo bay opened outwards:

better than competing designs Control system ran through floor

DC-10 : Cargo doors

Outward opening doors are pressurized Solenoid (electrically driven) valves

power latches to close doors Problem: solenoids cannot “self-check”

DC – 10: Cargo doors (cont.)

“Solution”:

Install a “window” near latch Ground crew should visually inspect that

latch is closed Labels to that effect placed on aircraft

DC-10 : First incident

American Airlines Flt 96 (Detroit-Buffalo) June 12, 1972

Latch fails Fuselage crumples, losing almost all

control Pilots manage to land aircraft No loss of life

DC-10 : Second incident

Turkish Airlines Flt 981 (Paris-London) March 3, 1974 Window labelled in English, Turkish Baggage handler not trained for the

aircraft; reads French, Arabic

DC-10 : Second incident (cont.)

Latch fails All control lines severed when fuselage

crumples Plane lost with no survivors

DC-10 : Lessons learned

Importance of redundancy and self-checking

Mandatory recall should have occurred after first incident

Design flaw?

Evolution of household wiring

Knob and tube (pre 1930s construction) Single conductors Ceramic “knobs”

and “tubes” insulate wire

No ground

Still found in older homes.

Aluminum wiring Used in 1970s when aluminum was

cheaper than copper Aluminum is a slightly worse conductor

than copper, has different thermal expansion rates

Different expansion rates lead to loose (high impedance) connections

Has caused fires, but safe when properly installed

Ground fault interruption

L

oa

d

Hot

Neutral

120 V, 60 Hz

Ground atpanel

A proper household circuit

Ground fault interruption

What happens when you touch the hot wire

L

oa

d

Hot

Neutral

120 V, 60 Hz

Ground atpanel

Electrocution

Ground fault interruption

GFCI can detect the current imbalanceCurrents of 100mA can be fatalGFCI will trip at 5mA

L

oa

d

Hot

Neutral

120 V, 60 Hz

Ground atpanel

Electrocution

I

I I

1

2 3

I 2

GFCI

I 1 = I 2 + I 3

Safety codes

Developed over time to respond to problems

CSA in Canada is an engineering body dedicated to developing codes to prevent household and industrial accidents

Household code prevents fires, electrocutions by specifying wire gauge, loading rules, GFCIs, grounding, etc.

Industrial safety

Safety PLC Computer system that can be used in

safety critical applications Includes multiple redundancy and

constant self-checking

Industrial safety (cont.)

Light curtain Uses infrared beams to detect human presence and

stop dangerous machines Includes multiple redundancy and self-checking

Industrial safety (cont.)

“Saw Stop” blade stops when it encounters flesh This feature is not yet required by law or safety

codes