

## Fault analysis

Single point failures for the 3-transistor current limiter

15-Oct-09

John Oliver

The faults considered in this document should really be considered "solder faults" of the sort expected during the assembly process of the Power Distribution Boards. The two categories of faults considered are

- a) Open circuit in any solder pad in any device.
- b) Short circuit between adjacent pads in the design. It is assumed that pc layout will be conservative and that "adjacent pads" will only exist within a single component.

All such fabrication faults are expected to exist at some probability and will be found in a rigorous QA/QC program for the boards. Seventeen fault conditions were analyzed and are shown in the table below. Note that the analysis was done assuming the high voltage source to be current limited at 10 mA. Thus, we assume that if the circuit fault is such as to draw currents larger than this, the current will be limited to this value by the supply itself. Note also that the nominal limiting current has been set by resistor values to 300 uA.

| Case | Device | Condition        | Current in load | Breakdown      |
|------|--------|------------------|-----------------|----------------|
| 1    |        | Normal operation | 299 uA          |                |
| 2    | Q3     | Open base        | 10 mA           |                |
| 3    | Q2     | Open base        | 80 uA           | Q3 Vce         |
| 4    | Q1     | Open base        | 160 uA          | Q1 Vce         |
| 5a   | Q2     | Open collector   | 166 uA          | Q1 Vce         |
| 5b   | Q1     | Open emitter     | "               | "              |
| 6    | Q1     | Open collector   | 230 uA          | Q2 Vbe reverse |
| 7    | R2     | Open             | 7 nA            | Q1 Vce         |
| 8    | R3     | Open             | 6 nA            | Q2 Vce         |
| 9    | R5     | Open             | 170 uA          |                |
| 10   | R2     | Short            | 473 uA          | Q2 Vce         |
| 11   | R3     | Short            | 375 uA          | Q1 Vce         |
| 12   | R5     | Short            | 10 mA           |                |
| 13   | Q1     | CB short         | 473 uA          | Q2 Vce         |
| 14   | Q1     | BE short         | 230 uA          |                |
| 15   | Q2     | CB short         | 10 mA           |                |
| 16   | Q2     | BE short         | 165 uA          |                |
| 17   | Q3     | BE short         | 10 mA           |                |

All of the fault conditions above result in improper operation of the circuit in some way. Four of these conditions result in complete non-operation of the circuit and will deliver the full 10 mA to a small load, taken in this analysis as a 100 ohm short to ground. Ten of the faults will result in circuit voltages which exceed the transistor rating and can potentially destroy these devices. The result of damage to these devices was not analyzed further, so at this point it is not known what the final outcome in current delivered to the load will be in those cases. Finally, three of the fault cases resulted in a valid current limit at the load. In these cases, of course, normal circuit operation will be impaired, but the current will be limited and the components will all survive.
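The grouping described above can be reproduced from the table itself. The following Python sketch is an added example, not part of the original analysis; the category names (`unlimited`, `overvoltage`, `limited`) are labels assumed here for the three outcomes the text describes.

```python
# Fault table transcribed from the page: case|device|condition|load current|breakdown.
FAULT_TABLE = """\
1||Normal operation|299 uA|
2|Q3|Open base|10 mA|
3|Q2|Open base|80 uA|Q3 Vce
4|Q1|Open base|160 uA|Q1 Vce
5a|Q2|Open collector|166 uA|Q1 Vce
5b|Q1|Open emitter|"|"
6|Q1|Open collector|230 uA|Q2 Vbe reverse
7|R2|Open|7 nA|Q1 Vce
8|R3|Open|6 nA|Q2 Vce
9|R5|Open|170 uA|
10|R2|Short|473 uA|Q2 Vce
11|R3|Short|375 uA|Q1 Vce
12|R5|Short|10 mA|
13|Q1|CB short|473 uA|Q2 Vce
14|Q1|BE short|230 uA|
15|Q2|CB short|10 mA|
16|Q2|BE short|165 uA|
17|Q3|BE short|10 mA|
"""
NANOAMPS = {"na": 1, "ua": 1_000, "ma": 1_000_000}
SUPPLY_LIMIT_NA = 10 * NANOAMPS["ma"]  # HV supply current limit stated in the text

def load_cases(table=FAULT_TABLE):
    rows, prev = [], None
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if prev:  # a '"' cell is a ditto mark: take the value from the row above
            cells = [p if c == '"' else c for c, p in zip(cells, prev)]
        value, unit = cells[3].split()
        rows.append({"case": cells[0], "condition": cells[2], "breakdown": cells[4],
                     "na": float(value) * NANOAMPS[unit.lower()]})
        prev = cells
    return rows

def classify(row):
    if row["condition"] == "Normal operation":
        return "normal"
    if row["na"] >= SUPPLY_LIMIT_NA:
        return "unlimited"    # limiter defeated: full supply current in the load
    if row["breakdown"]:
        return "overvoltage"  # a transistor rating is exceeded; outcome not analyzed
    return "limited"          # load current still limited, components survive

def summarize(rows):
    kinds = ("normal", "unlimited", "overvoltage", "limited")
    return {k: [r["case"] for r in rows if classify(r) == k] for k in kinds}
```

Calling `summarize(load_cases())` lists the case numbers behind each of the counts in the paragraph above.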

This analysis points to the need to be very careful about how the circuits are to be initially powered up for QA/QC. The tests must be done starting at values of HV low enough so that the fault can be identified while not damaging remaining components. The tests should then be performed at increasing voltage levels up to the maximum (or beyond), ensuring a fully operational device.

## Conclusions

The fault analysis describes mostly solder faults occurring during fabrication but could equally apply to faults in the generally non-prescreened components themselves. These faults are all discoverable during careful QA/QC procedures and are all repairable by re-soldering or component replacement.

## Opinions

The analysis indicated that many of the initial fault conditions can damage remaining components. In many of these cases, those components may be protected by adding protective devices (diodes, extra transistors, etc). This however increases the complexity of the design. It is likely that the addition of just a few components can eliminate the possibility of a single point failure causing excess current in the load. It is not likely that we can prevent that situation with anything short of a complete duplication of the limiter. If complete elimination of this possibility is mandatory, then it seems the only solution is to use two such limiters in series.

In my opinion, this should not be a requirement for the following reasons.

- a) The NOvA Experiment is not open to the public. Only trained technical staff will be allowed to enter the area. All personnel should go through safety training before being allowed onto the detector.
- b) The Power Distribution Boxes should be clearly labeled as a potential high voltage hazard.
- c) The limiters as currently designed should be 100% screened during a careful QA/QC procedure.
- d) A burn-in procedure which applies a short circuit condition to the limiters for extended time periods can be considered.
- e) Once the devices are released for use in NOvA, the screening procedures will have reduced future failure probabilities by many orders of magnitude. This, along with a) above, guarantees a safe situation on the detector.
- f) Replacement of components in the design with higher voltage rated parts does in itself reduce the probability of single point failures during manufacturing. It does reduce the probability of damage occurring to those devices during a fault condition, but this does not seem to warrant the large cost and real estate increase these parts would require. In any case, a fault condition discovered on-detector will result in replacing the entire card. The faulty card will then be repaired and at that time all damaged parts replaced.
- g) Whatever circuit is chosen should undergo *torture testing* by means of a pulsed high voltage relay to create shorts at the load. Several copies of the circuit should be so tested prior to incorporation into the PDBs.
- h) Transient simulations were performed assuming a rapid (1 us turn on time) short to ground on the output. In this situation, transistor Q2 will see a transient Vce difference of the full 500V swing for several us. The Vce breakdown rating is, however, a dc rating only, as it corresponds to thermal damage of the collector. Transients of only a few us duration would not result in such breakdown. This claim can be verified by torture testing as described in g) above. Furthermore, the "Human Body Model" is nothing like a short circuit and will not result in such rapid transients. In short, transients do not represent a fault mode of the circuit.
- i) Use of one limiter per HV spigot would seem to be the best configuration from the safety point of view as a human body short would result in the lowest level of delivered current.

## Appendix

Detailed results of each of the fault conditions are shown in the following pages.



Case 1: Normal operation

Note: Current source, transistor Q4, and battery are not real components. They are there to simulate a 10 mA current-limited voltage source.

Note 2 -

Note 3:



Case 2: Q3 open base

Note: Current source, transistor Q4, and battery are not real components. They are there to simulate a 10 mA current-limited voltage source.

Note 2 - Voltage at HV input drops to 270V because HV supply cannot supply more than 10 mA.

Note 3: 10 mA is delivered to load
