A System Engineering Approach Using FMEA and Bayesian Network for Risk Analysis—A Case Study

This paper uses a system engineering approach based on the Failure Mode and Effect Analysis (FMEA) methodology to perform a risk analysis of the power conditioner of a Proton Exchange Membrane Fuel Cell (PEMFC). Critical components with high risk, common cause failures and effects are identified for the power conditioner system, one of the crucial parts of the PEMFCs used for backup power applications in the telecommunication industry. The results of this paper indicate that the highest risk corresponds to three failure modes including high leakage current due to the substrate interface of the metal oxide semiconductor field effect transistor (MOSFET), current and electrolytic evaporation of capacitor, and thereby short circuit, loss of gate control, and increased leakage current due to gate oxide of the MOSFET. The MOSFETs, capacitors, chokes, and transformers are critical components of the power stage, which should be carefully considered in the development of the design, production and implementation stage. Finally, Bayesian networks (BNs) are used to identify the most critical failure causes in the MOSFET and capacitor, as the FMEA classifies them as key items based on their Risk Priority Numbers (RPNs). The BN analyses distinguish high temperature and overvoltage as the most crucial failure causes. Consequently, designers are recommended to pay more attention to MOSFET failure due to high leakage current owing to the substrate interface, which is caused by high temperature. The results emphasize design improvement in the material to make it more resistant to high temperature.


Introduction
Global climate change caused by conventional energy resources such as fossil fuels is one of the dominant motivations for engineers to employ renewable energies. Also, fossil fuel resources are limited, and they will eventually be depleted with the rapid growth of energy consumption. The environmental damage in the world caused by non-renewable energies amounts to approximately five trillion dollars per year [1]. Renewable energies, such as wind turbines, solar cells and fuel cell systems, are proposed as solutions to these global problems. A fuel cell works as an energy source with unique properties, and the technology is being developed rapidly. From the global sustainable development perspective, fuel cells are suitable as they provide high energy conversion efficiency and various usages, and are compact and environmentally friendly. These are the foremost reasons that fuel cell systems are used in energy systems; that is why they are approach. In this paper, two aspects are combined to fill the gap in the existing literature. First, instead of focusing on the fuel cell stack, the power conditioner is comprehensively investigated in terms of its critical power electronics components. Second, the FMEA is implemented based on a system engineering approach with a detailed implementation procedure.
Furthermore, a Bayesian Network (BN) is utilized to analyze the most critical failure causes among the more important items identified from the FMEA. A BN is a graphical model containing nodes, symbolizing variables, and directed links between them standing for causal relationships. The relationships between variables read as follows: if X causes Y, X is a parent of Y, and Y is a child of X. The probabilities are given as conditional probability distributions for each node, depending on the parents. When evidence is received for a node, the joint distribution can be updated using Bayes rule, and posterior marginal distributions can be found [18]. The results obtained by this method will help designers to pay more attention to the development of the design, for instance material properties, to avoid failures. For example, anion-deficient perovskites, as materials with high ionic conductivity and a wide range of temperature stability, are very suitable for fuel cell membranes [19]. Moreover, magneto dielectrics such as hexaferrites are promising materials for the production of capacitors, which are very necessary for their stable operation [20]. For the stable and steady operation of modern power plants and uninterruptible power systems, it is necessary to provide for their protection against unwanted external electromagnetic radiation. Such an electromagnetic effect can easily cause the collapse of the entire modern energy system. To prevent this, electromagnetic shields must be used [21,22].
To sum up, by using the FMEA for the PEMFC system, potential failure modes and risk of components are identified, and critical components are classified. Furthermore, a risk priority number is assigned to each failure. The FMEA results show which components are critical, that is, have high RPNs. Moreover, some recommended solutions are suggested to create better conditions to reduce their risk. Therefore, damage to the entire system due to failure modes and causes is decreased. Finally, by implementing the BN, the impact of each failure cause is studied to find which failure causes have the most effect among the failure causes in the MOSFET.

PEMFC System
A PEMFC is an electrochemical system that converts chemical energy into electrical power through the reaction of hydrogen and oxygen. There are a variety of PEMFC applications such as mobile power generation systems and stations, automotive, aerospace and marine industries [23].
A typical configuration of the PEMFC system is shown in Figure 1, which consists of the Balance of Plant (BoP), the PEMFC stack, and the power conditioner [7,8]. The BoP is a monitoring system with auxiliary parts, which serve to regulate the supply and balance of hydrogen, air, water and thermal condition for the PEMFC stack. The PEMFC stack is an assembly of several single cells (output less than 1 V), bipolar plates, cooling plates, end plates, bolts, and gaskets, which converts the chemical energy into electricity [23]. A power conditioner is composed of active and passive electrical components, which regulate the fixed output from the PEMFC stack [24].

Figure 1. Block diagram of a typical PEMFC system used in a backup power application.

Power Conditioner Sub-System
This section presents the detailed configuration of the power conditioner sub-system for a PEMFC system in a backup power application. The block diagram of the power conditioner sub-system with 1 kW output power is shown in Figure 2. It includes five parts, which can be further subdivided: the power stage, auxiliary power supply, gate driver, controller, and PCB [25]. The power stage consists of an isolated DC/DC converter. This part contains plenty of components (such as MOSFETs, capacitors, inductors, transformer, and other related components). The input voltage range is 30-65 V, while the output voltage is 48 V. As a result, a power converter that can work both in step-up and step-down modes is preferred. Moreover, isolation between the primary side and the secondary side is required according to the industry standard. Some of the functions of the subsystems are switching the electrical current at the desired time interval, rectifying current in the desired time interval and control, regulating and rectifying the electrical current and voltage level change.
In the power stage, eight primary and eight secondary MOSFETs are used as active switches whose function is to control the electrical current in the system. Also, eight primary and eight secondary diodes are applied in the converter. Moreover, two transformers are used to provide isolation between the primary and secondary side. Besides, there are eight electrolytic capacitors with a capacity of 680 µF and 63 V in the primary side and six electrolytic capacitors with a capacity of 390 µF and 100 V in the secondary side as storage for the electrical energy and stabilization of the dc voltage. The overall objective of the power conditioner is that in the case of a step-up mode, the primary-side inductor is charged by the activation of all transistors, while it is discharged by the parallel connection of the two transformers. Alternatively, in the case of the step-down mode, the primary-side inductor is charged by the parallel connection of the transformers, while it is discharged by the series connection of the transformers [26].
The structure of the power converter used in this study is presented in Figure 3. Due to the variable output voltage of the fuel cell stack, a dc/dc power converter is required to match the voltage in telecom applications. A topology using galvanic isolation is shown in Figure 3, where the rated power of the converter is 1 kW, and six 1 kW converters are connected in parallel for a 5 kW power stage to obtain the redundancy. Moreover, synchronous rectification is adopted to achieve low conduction losses in the situation of low voltage and high current at the secondary side of the transformer [26]. All the components in the power conditioner can be categorized into four levels of the PEMFC system, as demonstrated in Figure 4.

Boundary Diagram and FMEA Interface Matrix
In order to make the scope of the FMEA analysis visible, an FMEA block diagram (FMEA boundary diagram) is used to visualize the interfaces between the various sub-systems and components. The boundary diagram shows the physical and logical relationships among the main sub-systems of the PEMFC system, such as physical connection, material exchange, energy transfer, and data exchange. Besides, their inputs and outputs are also identified [3] (Figures 1 and 2 illustrate an overview of the boundary diagram for the PEMFC system and the power conditioner sub-system). Moreover, the FMEA interface matrix is a chart with the interfaces on its vertical and horizontal axes, which ought to be considered in the examination of this kind of interface. As aforementioned, the physical connection, material exchange, energy transfer, and data exchange are the four primary types of interfaces. Up to 50% or more of the total failures are normally seen in the interfaces. As a result, it is important that any FMEA carefully study the interfaces between the sub-systems and components besides their content. The FMEA interface matrix is presented on top of the FMEA boundary diagram, as a complement to it. The FMEA interface matrix for the PEMFC system is listed in Table 1 in connection with Figure 1, and the FMEA interface matrix for the power conditioner is listed in Table 2 and is related to Figure 2.

Function Block Diagram and Parameter Diagram
Another visual tool to describe the operation, interrelationships and interdependencies of the system functions is the Function Block Diagram (FBD). Moreover, the Parameter diagram (P-diagram) is a functional tool to document input signals, noise factors, control factors, error states, and ideal response. It is more practical when the item under analysis is a complicated system whose analysis is time-consuming; however, it can provide significant value in comprehending and controlling the system and recognizing the input to the FMEA techniques. These tools are used for better detection in the FMEA of the four levels of classification of the PEMFC system [27]. The FBD of the PEMFC system is shown in Figure 5. Furthermore, the P-Diagram (PD) of the PEMFC is illustrated in Figure 6, which takes the inputs from a system and links those inputs to the desired outputs. In addition, it considers non-controllable influences from outside.
Function labels recovered from the diagrams: "As long as a PEMFC stack electricity is generated, all sections carry out their work properly, power conditioner will be able to convert 48 V DC electricity"; "The power stage performs the basic power conversion"; "Necessary energy and instructions of auxiliary power supply and controller from the gate driver to the power stage".

Relationship of Functions and Failure Modes
As mentioned before, it is important that an FMEA precisely investigates the connective links among the sub-systems and components as well as their content. As shown in Figure 7, four levels of the PEMFC system are used to describe the power stage, which contains four critical components: MOSFETs, electrolytic capacitors, transformers and inductors (chokes). Generally, any failure mode is a failure cause for the power stage (Level 3). Similarly, failure modes of the power stage (Level 3) are failure causes of the power conditioner (Level 4). Figure 7 demonstrates the hierarchical impact of the failure of the PEMFC and the interfaces among system, sub-system, and principal components. Two primary functions (F) and failure modes (FM) of the power conditioner and their relations with three levels are shown in Figures 8 and 9.

FMEA Results
In this paper, a new estimation of the PEMFC system using FMEA is presented by focusing on power electronics components in the power conditioner. The analysis investigates numerous potential failure modes according to the API 580 (American Petroleum Institute), JEDEC (Joint Electron Device Engineering Council), NDI (Non-Destructive Inspection), and normal cause and failure for the industry affections. Specifically, parts of each level may have some failure modes and many failure causes. The failure modes of each level are, in fact, failure causes of the higher level. In the power conditioner, the power stage is identified as the most critical subsystem, and four critical components have the highest risk of failure and damage. Furthermore, the highest RPNs belong to the MOSFETs and capacitors, with values of 448 and 392 respectively, for the failure modes 'high leakage current due to substrate interface' and 'electrolyte evaporation'. The high leakage current failure mode, which has two main causes, 'high current density' and 'over-voltage', has the highest risk number for the MOSFETs. Moreover, electrolytic evaporation, caused by deterioration of the sealant material leading to insufficient sealing of the capacitors, has the highest risk number among the passive components. The FMEA of all the components and the calculated RPNs for the power stage are given in Table 3.
According to Table 3, the highest RPNs are depicted in Figure 10. Furthermore, by analyzing the output of the FMEA, the top failure modes are distinguished depending on the severity, occurrence, and detection rate. It is valuable to point out that the uppermost risk priorities of failure modes in terms of the severity parameter as well as the occurrence rate refer to the short circuit in each of the four main components having an overstressed mechanism. Moreover, all leakages in the components, such as leakage current in MOSFETs, electrolyte evaporation in capacitors and leakage inductance in inductors as well as transformers, have the highest risk priorities of failure modes. This issue should be considered in order to reduce the risk by improving the design.

Risk Analysis
Risk analysis is one of the most rational methods to identify failure modes in fuel cell systems. The risk analysis using FMEA is an approach to prioritize the potential risk according to the failure causes [28]. In this risk analysis, the MOSFET, having four main failure modes, at least two causes for each one, and an average RPN = 303, has the highest risk in the power stage. Additionally, the capacitor, having four main failure modes, more than ten causes, and an average RPN = 274, is more critical than the inductor, which has four main failure modes, six different causes, and an average RPN = 176. Finally, the transformer, having four main failure modes and six main causes, has an average RPN = 163. Figure 10 illustrates three areas of critical failure modes for the crucial components of the power stage. Black is used for RPNs above 300, and RPNs below 150 are colored white. Most failure modes are in the medium range of risk, and they are shown in gray. Extensive simulation studies, preventive control, use of diagnostic methods, predictive deployment technologies, employing visual management techniques, using sensors to distinguish failures, using preventive maintenance and developing inspection methods to identify hidden failures in the redundant items are among the recommended implementations for any of the components in the PEMFC system.

Bayesian Network
In a Bayesian analysis, the probability P(A) of the event A is formulated as a degree of belief that A will occur [29].
Bayesian network (BN) refers to Bayes rule: given the event 'B', the probability of event 'A' is P(A|B) = P(B|A) P(A) / P(B), where P(A) is a prior estimate, P(B|A) is a likelihood of A given B, and P(B) is the marginal probability of B [30].
In order to build a BN based on the available FMEA, the following approach is suggested. Figure 11 shows in an illustrative way how the BN is built from the FMEA (Table 3) [31]. Finally, by merging common nodes, the BN for the MOSFET is created as shown in Figure 12. The MOSFET is chosen because of the results obtained from the RPNs. As shown in Figure 10, the first failure mode has the most significant influence on the system. The aim is to find which failure cause has the most impact. Hugin is used as the tool for building the BN. Each node is considered to have two states, true and false.
The aim is to find the most significant failure cause in the failure of the MOSFET by BN. From the FMEA and Figure 10, high leakage current due to substrate interface, which is one of the failure modes of the MOSFET, is identified as having the highest RPN. Hence, the MOSFET is analyzed to recognize the most important failure cause.
The process of making the BN is as follows:
1. The BN is built based on Figure 11 from the FMEA in Table 3;
2. Joint failure modes and causes are merged;
3. For all failure causes two states are defined with equal probability of failure for their states: false and true;
4. Conditional probability tables (CPTs) are built. The maximum entropy theory is used to specify each probability of failure. Figure 13 shows two examples of conditional probability tables (CPTs).
The importance analysis is carried out by assigning each failure cause as false or fail to find the probability of failure of the MOSFET. Figure 14 shows high temperature as an example of one of the failure causes. The effect of each failure cause on the MOSFET is calculated by the proposed BN. Table 4 compares failure causes in the MOSFET. Comparing the effects of all failure causes on MOSFET failure shows that high temperature and overvoltage are the most important failure causes in the MOSFET.
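The importance analysis described above, as an added example that is not the paper's Hugin model: each failure cause is set to true and then false, the MOSFET failure probability is computed by exact enumeration, and Bayes rule gives P(cause | MOSFET failed). Assumptions: the cause-to-failure-mode links, the link strengths and the leak term are constructed for illustration, and noisy-OR CPTs stand in for the paper's maximum-entropy CPTs.

```python
"""Importance analysis on a small binary Bayesian network derived FMEA-style."""
from itertools import product

# Failure causes named in the paper; each has two states with equal probability.
CAUSES = ["high_temperature", "overvoltage", "high_current_density"]
PRIOR = {c: 0.5 for c in CAUSES}

# CONSTRUCTED structure and numbers (the paper's Figure 12/13 values are not
# available): failure mode -> {parent cause: probability that the cause alone
# triggers the mode}.
MODES = {
    "leakage_substrate_interface": {
        "high_temperature": 0.7, "overvoltage": 0.4, "high_current_density": 0.4},
    "short_circuit": {"overvoltage": 0.5, "high_temperature": 0.2},
    "loss_of_gate_control": {"overvoltage": 0.3},
    "leakage_gate_oxide": {"high_temperature": 0.3},
}
LEAK = 0.01  # constructed: chance a mode occurs with no modelled cause active


def p_mode(mode, state):
    """Noisy-OR CPT row: P(mode = true | states of all causes)."""
    survive = 1.0 - LEAK
    for cause, strength in MODES[mode].items():
        if state[cause]:
            survive *= 1.0 - strength
    return 1.0 - survive


def p_fail_given(state):
    """P(MOSFET fails | every cause fixed); it fails if any failure mode occurs."""
    ok = 1.0
    for mode in MODES:
        ok *= 1.0 - p_mode(mode, state)
    return 1.0 - ok


def p_fail(evidence=None):
    """P(MOSFET fails | evidence on some causes), summing over the free causes."""
    evidence = evidence or {}
    free = [c for c in CAUSES if c not in evidence]
    total = 0.0
    for values in product([True, False], repeat=len(free)):
        state = dict(evidence)
        weight = 1.0
        for cause, value in zip(free, values):
            state[cause] = value
            weight *= PRIOR[cause] if value else 1.0 - PRIOR[cause]
        total += weight * p_fail_given(state)
    return total


def importance():
    """For each cause: failure probability with the cause true and false,
    their difference, and the Bayes-rule posterior P(cause | MOSFET failed)."""
    base = p_fail()
    rows = {}
    for cause in CAUSES:
        hi = p_fail({cause: True})
        lo = p_fail({cause: False})
        rows[cause] = {
            "fail_if_true": hi,
            "fail_if_false": lo,
            "delta": hi - lo,
            "posterior": hi * PRIOR[cause] / base,  # P(B|A) P(A) / P(B)
        }
    return rows


def ranking():
    """Causes ordered from most to least influential on MOSFET failure."""
    rows = importance()
    return sorted(rows, key=lambda c: rows[c]["delta"], reverse=True)


if __name__ == "__main__":
    table = importance()
    for name in ranking():
        r = table[name]
        print(f"{name:22s} true={r['fail_if_true']:.3f} "
              f"false={r['fail_if_false']:.3f} delta={r['delta']:.3f} "
              f"P(cause|fail)={r['posterior']:.3f}")
```

Replacing the constructed link strengths with CPT entries taken from an actual FMEA changes the ranking accordingly; the enumeration itself is exact for any number of binary causes small enough to enumerate.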

Conclusions
This study proposes a system engineering approach using FMEA for the risk analysis of the power conditioner in a PEMFC system. The highest RPNs correspond to the failure modes in three components, including high leakage current due to the substrate interface of the MOSFET, current and electrolytic evaporation of capacitor, and thereby short circuit, loss of gate control, and increased leakage current due to gate oxide of the MOSFET. Electronic components have a wide range of failure modes. The MOSFETs, capacitors, chokes, and transformers are the critical components of the power stage, which should be carefully considered in the development and implementation stage. In general, short circuit, open circuit, and leakage current are considered the most important failure modes in the power supply system. Consequently, using a comprehensive FMEA analysis, especially an extensive P-diagram, failure analysis and its effects are studied in order to have a better understanding of the system in comparison with the available literature. Finally, BN is used to analyze the most critical failure causes among the more important items identified from the FMEA, the MOSFET and capacitor. The reason to use BN is that it was difficult to find RPNs of each failure cause, so the BN is implemented with two states, true and false, or in other words failure and success, to find the most critical failure cause. High temperature and overvoltage are ascertained utilizing BN. Knowing this fact will help designers to pay more attention to material properties to avoid failures caused by high temperature and overvoltage.