
    Beam Loss Monitors at LHC

    One of the main functions of the LHC beam loss measurement system is the protection of equipment against damage caused by impacting particles creating secondary showers and their energy dissipation in the matter. Reliability requirements are scaled according to the acceptable consequences and the frequency of particle impact events on equipment. Increasing reliability often leads to more complex systems. The downside of complexity is a reduction of availability; therefore, an optimum has to be found for these conflicting requirements. A detailed review of selected concepts and solutions for the LHC system will be given to show approaches used in various parts of the system from the sensors, signal processing, and software implementations to the requirements for operation and documentation.

    Comment: 16 pages, contribution to the 2014 Joint International Accelerator School: Beam Loss and Accelerator Protection, Newport Beach, CA, USA, 5-14 Nov 201

    Fault tolerant electromechanical actuators for aircraft

    This thesis reviews the developments in commercial aviation resulting from More Electric Aircraft initiatives. The present level of electromechanical actuation is considered with discussion of the factors affecting more widespread use. Two rather different electromechanical actuators are presented for commercial aircraft: DEAWS electrical flap actuation and ELGEAR nose wheel steering. Both projects are industrially driven with specifications based on existing medium-sized commercial aircraft. Methods comparing fault tolerant electric drive topologies for electrical actuators are presented, showing two different categories of electric drive and comparing each category in a variety of operating conditions to assess size and component count. The safety-driven design process for electromechanical actuators is discussed with reliability calculations presented for both proposed actuators, showing where fault tolerant design is required to meet safety requirements. The selection of an optimum fault tolerant electric drive for each actuator is discussed and fault tolerant control schemes are presented. The development of the electric flap and nose wheel steering systems is described, with the focus on the work performed by the author, primarily on the power electronic converters and control software. A comprehensive range of laboratory and industrial results is given for both actuators, showing demonstrations of fault tolerance at power converter and actuator levels. Following testing, further analysis is given on various issues arising prior to and during testing of both converters, with design considerations for future electromechanical actuators. From design, testing and analysis, the two projects can be compared to attempt to determine the optimal electromechanical actuator topology and to consider the challenges in evolving the two actuators to aerospace products.

    EThOS - Electronic Theses Online Service; EPSRC : DTIGB; United Kingdo

    Self-healing concepts involving fine-grained redundancy for electronic systems

    The start of the digital revolution came through the metal-oxide-semiconductor field-effect transistor (MOSFET) in 1959, followed by massive integration onto a silicon die by means of constant down-scaling of individual components. Digital systems for certain applications require fault-tolerance against faults caused by temporary or permanent influence. The most widely used technique is triple module redundancy (TMR) in conjunction with a majority voter, which is regarded as a passive fault mitigation strategy. Design by functional resilience has been applied to circuit structures for increased fault-tolerance and towards self-diagnostic triggered self-healing. The focus of this thesis is therefore to develop new design strategies for fault detection and mitigation within transistor, gate and cell design levels. The research described in this thesis makes three contributions. The first contribution is based on adding fine-grained transistor level redundancy to logic gates in order to accomplish stuck-at fault-tolerance. The objective is to realise maximum fault-masking for a logic gate with minimal added redundant transistors. In the case of non-maskable stuck-at faults, the gate structure generates an intrinsic indication signal that is suitable for autonomous self-healing functions. As a result, logic circuitry utilising this design is now able to differentiate between gate faults and faults occurring in inter-gate connections. This distinction between fault types can then be used for triggering selective self-healing responses. The second contribution is a logic matrix element which applies the three core redundancy concepts of spatial, temporal and data redundancy. This logic structure is composed of quad-modular redundant structures and is capable of selective fault-masking and localisation depending on fault type at the cell level, which is referred to as a spatiotemporal quadded logic cell (QLC) structure. This QLC structure has the capability of cellular self-healing. Through the combination of fault-tolerant and masking logic features, the QLC is designed with a fault behaviour that is equal to existing quadded logic designs using only 33.3% of the equivalent transistor resources. The inherent self-diagnosing feature of the QLC is capable of identifying individual faulty cells and can trigger self-healing features. The final contribution is focused on the conversion of finite state machines (FSM) into memory to achieve better state transition timing, minimal memory utilisation and fault protection compared to common FSM designs. A novel implementation based on content-addressable type memory (CAM) is used to achieve this. The FSM is further enhanced by creating the design out of the logic gates of the first contribution, thereby achieving stuck-at fault resilience. Applying cross-data parity checking, the FSM becomes equipped with single bit fault detection and correction.

    Fault tolerant drives for safety critical applications

    PhD Thesis

    The correct operation of adjustable speed drives, which form part of a larger system, is often essential to the operation of the system as a whole. In certain applications the failure of such a drive could result in a threat to human safety, and these applications are termed 'safety critical'. The chance of a component failure resulting in non-operation of the drive can be dramatically reduced by adopting a fault tolerant design. A fault tolerant drive must continue to operate throughout the occurrence of any single point failure without undue disturbance to the power output. Thereafter the drive must be capable of producing rated output indefinitely in the presence of the fault. The work presented in this thesis shows that fault tolerance can be achieved without severe penalties in terms of cost or power to mass ratio. The design of a novel permanent magnet drive is presented and a 'proof of concept' demonstrator has been built, based on a 20 kW, 13000 RPM aircraft fuel pump specification. A novel current controller with near optimal transient performance is developed to enable precise shaping of the phase currents at high shaft speeds. The best operating regime for the machine is investigated to optimise the power to mass ratio of the drive. A list of the most likely electrical faults is considered. Some faults result in large fault currents and require rapid detection to prevent fault propagation. Several novel fault sensors are discussed. Fault detection and identification schemes are developed, including new schemes for rapid detection of turn to turn faults and power device short circuit faults. Post fault control schemes are described which enable the drive to continue to operate indefinitely in the presence of each fault. Finally, results show the initially healthy drive operating up to, through and beyond the introduction of each of the most serious faults.

    EPSR

    Copilot: Monitoring Embedded Systems

    Runtime verification (RV) is a natural fit for ultra-critical systems, where correctness is imperative. In ultra-critical systems, even if the software is fault-free, the inherent unreliability of commodity hardware and the adversity of operational environments mean that processing units (and their hosted software) are replicated, and fault-tolerant algorithms are used to compare the outputs. We investigate both software monitoring in distributed fault-tolerant systems and the implementation of fault-tolerance mechanisms using RV techniques. We describe the Copilot language and compiler, specifically designed for generating monitors for distributed, hard real-time systems. We also describe two case studies in which we generated Copilot monitors in avionics systems.

    Development and analysis of the Software Implemented Fault-Tolerance (SIFT) computer

    SIFT (Software Implemented Fault Tolerance) is an experimental, fault-tolerant computer system designed to meet the extreme reliability requirements for safety-critical functions in advanced aircraft. Errors are masked by performing a majority voting operation over the results of identical computations, and faulty processors are removed from service by reassigning computations to the nonfaulty processors. This scheme has been implemented in a special architecture using a set of standard Bendix BDX930 processors, augmented by a special asynchronous-broadcast communication interface that provides direct, processor to processor communication among all processors. Fault isolation is accomplished in hardware; all other fault-tolerance functions, together with scheduling and synchronization, are implemented exclusively by executive system software. The system reliability is predicted by a Markov model. Mathematical consistency of the system software with respect to the reliability model has been partially verified, using recently developed tools for machine-aided proof of program correctness.

    Improving fault tolerant drives for aerospace applications

    D Eng

    The aerospace industry is moving towards the more electric aeroplane, where traditional hydraulic systems are being replaced with electrical systems. Electrical technology offers some strong advantages compared to hydraulic technology, including cost, efficiency, power on demand and relative ease of maintenance. As with most new technologies, a major disadvantage is its limited reliability history. A lot of research in the aerospace field therefore focuses on improving fault tolerant electrical systems. Work done in this thesis builds on an existing fault tolerant drive, developed by Newcastle University and Goodrich Actuation Systems as part of the ELGEAR (Electrical Landing Gear) project. The purpose of this work is to continue improving the drive’s fault tolerant features, especially in areas where the drive is most vulnerable. The first part of this thesis focuses on improving the overall system reliability by monitoring the health of the dc-link capacitors in the fault tolerant drive. The implemented estimation technique makes use of voltage and current sensors which are already in place for protection and control purposes. The novel aspect of the proposed technique relates to monitoring capacitors in real time whilst the motor is operational. No external interferences, such as injected signals or special operation of the drive, are required. The condition monitoring system is independent of torque and speed, and hence independent of a variation in load. The work was validated using analytical methods, simulation, low voltage experimentation and high voltage implementation on the ELGEAR drive. The second part of this thesis focuses on single shorted turn faults in fault tolerant permanent magnet (PM) motors. Despite the motor being able to withstand a wide range of faults, the single shorted turn fault remains a difficult fault to detect and handle. The problem arises from the magnets on the spinning rotor that cannot be ‘turned off’ at will. This thesis investigates the severity of the faulted current in a shorted turn and how it varies depending on the turn’s location in the stator slot. The severity of the fault is studied using 2D finite element analysis and practical implementation on the ELGEAR rig. Finally, recommendations are proposed for improving the ELGEAR motor for future fault tolerant designs.

    EPSRC and Goodrich Aerospace (now United Technologies

    Ensuring a Reliable Operation of Two-Level IGBT-Based Power Converters: A Review of Monitoring and Fault-Tolerant Approaches


    Dependability in mobile electronics (Käyttövarmuus liikkuvassa elektroniikassa)

    The requirement for highly dependable machinery control systems is growing because of the increased complexity of control systems and their ability to control critical machinery functions. This has been noticed by legal authorities, and governing legislation is coming into effect. Legal requirements can be met by using a methodology based on the appropriate functional safety standards. The standards require certain tools and methods for product life cycle planning and implementation. The development and operational workflow must be adapted to fulfil those requirements. The main focus of the study is to interpret the standard requirements as process changes and to understand the basic philosophy of reliable programmable system hardware. Standards IEC 61508 and ISO 25119 are referenced as the main sources of requirements. Dependability is based on failure avoidance and control. The study introduces several failure avoidance tools and methods. A V-model based workflow is adapted to industry-specific requirements. The model includes a life cycle approach, a deliverables list and an assessment checklist for a safety-related project flow. A documentation structure for good traceability is introduced for unit specification. System level analysis is based on failure mode and effect studies, and the use of fault tree modelling helps to understand the links between events. A safety level targeting model based on a risk graph is introduced for use in machinery control systems. The use of the tools and methods was tested in machinery control system concept development. The developed concept is intended for operator interface and control tasks. The tools proved to be usable for an engineering project, and the fully implemented documentation model shall fulfil the basic assessment requirements. The developed concept itself is usable in critical control systems, but some fine tuning is needed.
    Requirements for the dependability of electronics have grown strongly over the past ten years, because control systems have become complex and have replaced mechanical safety devices. In particular, the control of safety-critical functions has become more common. This change has also been noticed by the authorities supervising product safety, and requirements concerning the operation and design of control systems have been developed. Legislative requirements are coming into force in the near future for different equipment environments, and they are based on existing functional safety standards. Compliance with the standards is achieved by using the practices and tools they describe throughout the product life cycle, from preliminary design to decommissioning. The design, assembly and installation workflow must be adapted to meet those requirements. The purpose of this work is to identify the key practices and tools related to the standards and to the functions of dependable electronics. The practices, tools and technical solutions are also evaluated through a machinery control concept designed during the work. A dependable machinery control system enables reliable use of the machine without endangering people or the environment. An important part of dependability is also continuity of operation and maintainability as planned. Dependability should therefore be seen as a property built into the product during design, manufacturing and use. Dependability is based on avoiding fault situations and controlling their effects. Faults can be divided into two main categories. Random faults occur during the lifetime of the equipment, but their effects must be controlled and reduced in a planned manner. Systematic faults occur in the system for a variety of reasons. Dangerous failures can be avoided in four basic ways. The hardware must fail in a predictable way. By choosing the hardware architecture, the formation of safety-critical bottlenecks can be avoided. By following correct practices, systematic faults in the hardware implementation can be reduced. The standards require a V-model based process to ensure the product's conformity to requirements. Documentation following the structure of the V-model provides traceability for verifying requirements and testing. In machinery control a typical concept is a distributed system, in which the user interface and the actual control are often divided into separate units. The user interface unit is placed near the operator, and the actual control unit is connected to the user interface device by a serial communication interface. To ensure safety, the communication is duplicated and the serial protocol used follows the CAN standard. The CAN standard itself provides highly fault-tolerant communication, and duplication ensures operation in case of physical faults. The task of the user interface is to ensure that the correct commands are passed on to the rest of the control system at the right time when the operator so wishes. The control units monitor the state of the system and the operating environment and decide whether to execute the command within the limits permitted by safety. The system was analysed and the safety integrity levels required for the hardware implementation were defined. In a typical machinery control system the risks are often related to endangering the operator. Failures that endanger the operator and individual bystanders require safety integrity levels somewhat higher than average. Typically the requirement is integrity level two. Fault tree analysis and failure mode and effects analysis at block diagram level were used to design and verify the concept's conformity to requirements. Component-level failure mode, effects and criticality analysis (FMEDA) was used to verify that the designed implementation meets the requirements. The concept itself was found to meet the basic requirements well, but certain details, particularly in the parts shared by the units, need to be improved. In the system design phase, dependability issues must be considered as a whole. Conflicts arise between different dependability aspects, and the viewpoint appropriate for the application should be chosen. Often legal compliance must be ensured first, and then the focus directed according to customer requirements. Moving to controlled safety-critical system design is often a question of attitude at the organisational level, and technically the solutions should be kept as simple as possible.

    The reliability of small digital controllers

    Increasing use is being made of small digital controllers in industry and commerce. The failure of such controllers is important since it may cause either plant to become unsafe or the interruption of production. Fault tolerant techniques are discussed for improving the reliability of digital controllers, with special reference to the development of a hybrid electromechanical gas governor, whose electronic controller is an example of a small digital controller. Three microprocessors are used in a two out of three majority voting configuration and the memory is Hamming code protected. Redundancy techniques are used to protect against faults in other parts of the controller, and it will tolerate most classes of transient fault. When comparing designs or attempting to meet reliability criteria, it is necessary to predict the reliability of a system and its individual components. Several sources of failure rate prediction are compared and the wide variation in the failure rates of integrated circuits is highlighted. The comparison concludes by recommending which reliability data source is likely to be most accurate for each type of component. The gas governor is an example of a repairable system, and analysis is developed for predicting the improvement in reliability for repairable redundant systems and for determining the optimum maintenance and repair times for equipment. The testing of redundant systems is difficult because of their complexity, and under certain circumstances the redundancy can mask design faults. Testing methods using complex test equipment are described, as well as the testing of the experimental controller. A review is included of other fault-tolerant systems. Although the work on large computers is not directly applicable to small controllers, many of the techniques can be used.