Sender: <marv@lancaironline.net>
To:  lml@lancaironline.net
Date: Mon, 08 Aug 2011 21:40:32 -0400
Message-ID: <redirect-5086125@logan.com>
Received-SPF: none
 receiver=logan.com; client-ip=206.130.116.53; envelope-from=hwasti@lm50.com
From: Hamid Wasti <hwasti@lm50.com>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
Subject: Re: [LML] Re: Fw: Re: Re-doing my panel - carefully thinking through
 failures
References: <list-5083476@logan.com>
In-Reply-To: <list-5083476@logan.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Colyn Case wrote:
> At the risk of topic drift.....I put in those big fat diodes to my 
> essential bus also.
> Since them I'm wondering if there's a failure mode on one bus that 
> crosses the diodes and takes out the other bus.
A diode can fail open, shorted or "out of spec" meaning that one or more 
parameters (voltage drop, reverse current, series resistance etc) is 
very high.  According to various documents on Failure Mode Distribution, 
about 50% of the failure modes in power diodes result in a shorted 
diode, about 30% in open diode and about 20% in out of spec failure. 
Different sources use different numbers and they vary for different 
components, but that is a ball park to get a sense of things.

A shorted diode is basically a direct connection, tying the two busses 
together and essentially making them one. An open diode prevents power 
from going through the diode to the destination buss, leaving it 
permanently isolated from one of its sources. Parameter change is an 
unsustainable state. It may allow the diode to function briefly, but 
with use under load, it will invariably fail either open or shorted.

Diodes can fail for many reasons, among them: Over-heating, 
Over-voltage, Over-current. If you have under-sized the diode or not 
properly heat sunk it, it will die after some time in "normal" use.

Heat is generated in a diode's die and is a function of the current and 
the diode's voltage drop (voltage in volts multiplied by current in amps 
= power in watts). That heat needs to be conducted to the outside of the 
case, then through some mechanical interface to the heat sink and then 
to the ambient air. If the case to heat sink interface is not properly 
designed and properly implemented, the die can be considerably hotter 
than the heat sink. If the heat sink is not receiving cooling air, it 
can be considerably hotter than the ambient air around it. If the air is 
circulating in a closed environment it may be a lot warmer than the 
outside. If the air happens to be low on air molecules (flying at FL280) 
it may not be taking away as much heat as you had tested at sea level. 
All of this can conspire to over-heat the die and lead to failure.

Surely the easiest thing in the world is to make sure that you use a 
diode with a higher current rating than the highest possible current in 
your system. Right? Actually, no!  The important part is to use the 
correct current rating, which is not always obvious. The headline 
current rating is valid at a certain temperature, which is often (but 
not always) 25C die temperature. In real life, the die is going to be a 
lot warmer than that, maybe as much as 100C warmer. Buried in the 
datasheet is a graph indicating the maximum current at higher 
temperatures, or a footnote along the lines of "Maximum current 
decreases by  .....A per degree C for higher temperatures"  To know if 
the diode is going to work for you, you need to figure out the maximum 
power dissipation, figure out the temperature increase due to that much 
power, add that to the maximum heat sink temperature and then make sure 
that it can handle the current at that die temperature. The resulting 
current limit is invariably going to be a lot lower than the headline 
number and if you are exceeding that, your diode is under-sized.

If you have battery disconnection on one buss, the alternator can 
generate a voltage spike of several 10's of volts. DO-160 calls for 28V 
certified systems to be able to survive up to a 100mS wide 80V spike, 
followed by 48V for 1 second. If there is an 80V spike on the A Buss, 
while the B Buss stays at 28V, the diode between the essential buss and 
the B Buss will see a voltage of close to 50V. Is it rated for that? If 
you B Buss happens to be off due to a failure, the diode is going to see 
almost the full 80V. Will it survive that? If it fails shorted, you just 
lost your essential buss. Unlike over-current, there is no transient 
specification for over-voltage. Even a momentary over-voltage can damage 
a diode.

Turning off switches and hot-unplugging a high current load can cause a 
flyback voltage due to the inductance of the power wire. Unless this is 
anticipated and protected against, it can kill an isolation diode. An 
intermittent power connection in a tray is the same as repeatedly 
hot-plugging/hot-unplugging.

Finally, a word about the worst kind of failure: The out-of-spec 
failure. Lets say due to one of the aforementioned events, you have an 
out-of-spec failure where the diode's internal resistance increases an 
order of magnitude or more from the original value of a few mili-ohms. 
Lets say you have a system where the "A Buss" and "B Buss" feed an 
essential buss and the diode on the A Buss side has failed with high 
resistance. If you do a system check at every startup where you 
sequentially shut down both busses and make sure that the essential buss 
can run from the remaining one, you are likely to find that the 
essential buss works. The failed diode will be able to operate the load 
for a little bit while it over-heats. During normal operation, the diode 
on the A Buss will take all the load. But if you have a failure of the A 
Buss and all the current starts going through this high resistance 
diode, it is quickly going to fail and as Murphy's Law states, there is 
100% likelihood that this will be one of the 30% of times where it fails 
open.

I am sure I can think of a few more scenarios where a failure can go 
undetected by typical checks. The bottom line is that unless you are 
willing and able to get into it a lot deeper, a "simple and reliable" 
system may only be half so.

Regards,

Hamid