CH5 JMC PR

This commit is contained in:
Robin Clark 2012-06-09 11:41:12 +01:00
parent a2cb418d9f
commit 0c9874cf42
2 changed files with 333 additions and 297 deletions


@ -473,7 +473,8 @@ to balance them against the positive input, giving the voltage gain ($G_v$)
defined by $ G_v = 1 + \frac{R2}{R1} $ at the output. defined by $ G_v = 1 + \frac{R2}{R1} $ at the output.
\subsection{Potential Divider.}
\label{subsec:potdiv}
As the resistors work to provide a specific function, that of a potential divider, As the resistors work to provide a specific function, that of a potential divider,
we can treat them as a functional group. This functional group has two members, $R1$ and $R2$. we can treat them as a functional group. This functional group has two members, $R1$ and $R2$.
Using the EN298 specification for resistor failure~\cite{en298}[App.A], Using the EN298 specification for resistor failure~\cite{en298}[App.A],
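Review bot: the page reference in `Using the EN298 specification for resistor failure~\cite{en298}[App.A]` is placed after the citation key, which LaTeX typesets as literal square brackets following the citation; the optional argument belongs before the key, `\cite[App.A]{en298}`. The same pattern (`\cite{faa}[Ch.9]`, `\cite{sccs}[p.165]`, `\cite{nasatfa}[p.40]`, `\cite{sccs}[pp.114-124]`) recurs in later hunks of both files, so one sweep would fix all of them. The new `\label{subsec:potdiv}` under the heading is welcome.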
@ -552,7 +553,7 @@ gives a high voltage output.%We can now consider the {\fg}
\vbox{ \vbox{
From table \ref{tbl:pdfmea} we can see that the resistor From table \ref{tbl:pdfmea} we can see that the resistor
failures modes lead to some common symptoms. failures modes lead to some common symptoms.
By drawing directed edges, from the failure modes to the symptoms By drawing directed edges from the failure modes to the symptoms,
we can show the relationships between the component failure modes and resultant symptoms. we can show the relationships between the component failure modes and resultant symptoms.
%The {\fg} can now be considered a derived component. %The {\fg} can now be considered a derived component.
This is represented in the DAG in figure \ref{fig:fg1adag}. This is represented in the DAG in figure \ref{fig:fg1adag}.
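Review bot: `failures modes` on the line `failures modes lead to some common symptoms.` is a typo present on both sides of this hunk and should read `failure modes`. Moving the comma to after `symptoms` in the directed-edges sentence is the right fix.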
@ -943,9 +944,10 @@ System & A product designed to
Base Component & An atomic building block used at the lowest level of an FMMD model Base Component & An atomic building block used at the lowest level of an FMMD model.
\footnote{In the case of combinatorial packaged parts (such as a chip containing % \footnote{In the case of combinatorial packaged parts (such as a chip containing
four op-amps, each op-amp on the chip is considered as one atomic, or {\em{\bc}}).}. % four op-amps, each op-amp on the chip is considered as one atomic, or {\em{\bc}}).}. %% where did this footnote GO????
% seems like its a bug in TeX 04JUN2012
\\ \\
{\em Constraint} & This object must have a defined set of failure~modes. \\ \hline {\em Constraint} & This object must have a defined set of failure~modes. \\ \hline
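Review bot: the missing footnote queried in the `%% where did this footnote GO????` comment is not a TeX bug: a `\footnote` inside a `tabular` cell typesets the marker but loses the text, because the cell is built inside a box from which footnotes cannot migrate to the page. Use `\footnotemark` in the cell and `\footnotetext{In the case of combinatorial packaged parts ...}` directly after the table (or a package such as `tablefootnote`), then delete the commented-out footnote and the `seems like its a bug in TeX 04JUN2012` note rather than leaving the question in the source.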
@ -1007,6 +1009,7 @@ This definition of a `part' is useful, but consider parts, such as quad packag
% %
Here we have four op-amps on one chip. For FMEA we would consider each op-amp in the package Here we have four op-amps on one chip. For FMEA we would consider each op-amp in the package
as a separate building block for a circuit. as a separate building block for a circuit.
% CAN WE FIND SUPPORT FOR THIS IN LITERATURE???
% %
We, in fact, need to go a little further than the above definition of a part, We, in fact, need to go a little further than the above definition of a part,
and say that we want to define an atomic entity. % used as a building block. and say that we want to define an atomic entity. % used as a building block.
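Review bot: the added `% CAN WE FIND SUPPORT FOR THIS IN LITERATURE???` marker leaves an open question in the source with no owner; resolve it before merge or track it outside the .tex. Note that this same commit comments out Hall's definition of a `part` (`~\cite{scse}[p.619]`) in the CH5 file, and the line `We, in fact, need to go a little further than the above definition of a part` relies on that definition being present and cited nearby.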
@ -1045,13 +1048,13 @@ This is now used as an example to describe terms used in FMMD.
% %
For instance a stereo amplifier separate/slave is a component. For instance a stereo amplifier separate/slave is a component.
%The %The
whole sound system, consists perhaps of the following `components': whole sound system consists perhaps of the following `components':
CD-player, tuner, amplifier~separate, loudspeakers and ipod~interface. CD-player, tuner, amplifier~separate, loudspeakers and ipod~interface.
%Thinking like this is a top~down analysis approach %Thinking like this is a top~down analysis approach
%and is the way in which FTA\cite{nucfta} analyses a System %and is the way in which FTA\cite{nucfta} analyses a System
%and breaks it down. %and breaks it down.
\paragraph{ {\fgs} and components.} \paragraph{ Functional Groupings and Components.} % {\fgs} and components.}
Components can be composed of `components', recursively down to Components can be composed of `components', recursively down to
the {\bcs}. the {\bcs}.
% %
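Review bot: the heading change to `\paragraph{ Functional Groupings and Components.}` spells out the term that the surrounding text writes with the `{\fgs}` macro (see `Components can be composed of ... the {\bcs}.` just below); if the macro was dropped because it does not expand cleanly in a sectioning title, record that in the trailing comment, otherwise keep the macro for consistency. Also trim the leading space inside the braces, and `ipod~interface` should be `iPod~interface`.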
@ -1067,7 +1070,7 @@ and this could have been caused by a number of {\textbf{the CD players internal
%no matter what has happened to it or has gone wrong inside it. %no matter what has happened to it or has gone wrong inside it.
% %
Using the reasoning that working from the bottom up forces the consideration of all possible Using the reasoning that working from the bottom up forces the consideration of all possible
component failures (which can be missed in a top~down approach \cite{faa}[Ch.9]) component failures (which can be missed in a top~down approach \cite{faa}[Ch.9]),
we are presented with a problem. Which initial collections of base components should we choose? we are presented with a problem. Which initial collections of base components should we choose?
% %
For instance in the CD~player example; if we start at the bottom, we are presented with For instance in the CD~player example; if we start at the bottom, we are presented with
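Review bot: the comma added after `\cite{faa}[Ch.9])` closes the parenthetical correctly, but `For instance in the CD~player example; if we start at the bottom,` still uses a semicolon where a comma is needed, since the clause following it is not independent. The `\cite{faa}[Ch.9]` optional argument should be `\cite[Ch.9]{faa}`, as noted for the first hunk.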
@ -1110,9 +1113,12 @@ the symptoms of failure of the {\fg} are the failure modes of this new `{\dc}'.
%\footnote{Microchip sources give an FIT of 4 for their PIC18 series micro~controllers\cite{microchip}, The DOD %\footnote{Microchip sources give an FIT of 4 for their PIC18 series micro~controllers\cite{microchip}, The DOD
%1991 reliability manual\cite{mil1991} applies a FIT of 100 for this generic type of component} %1991 reliability manual\cite{mil1991} applies a FIT of 100 for this generic type of component}
Electrical components have detailed data-sheets associated with them. A useful extension of this could Electrical components have detailed data-sheets associated with them. The data sheets
be failure modes of the component, with environmental factors and MTTF~\cite{sccs}[p.165] statistics. supply detailed information on the component as supplied by the manufacturer.
Currently this sort of failure mode information is generally only available for generic component types \cite{mil1991}. They rarely clearly detail the
failure modes of the component, with environmental factors and MTTF~\cite{sccs}[p.165] statistics.
Given the growing useage of FMEA/FMEDA in industry this may change.
Currently, failure mode information is generally only available for generic component types~\cite{mil1991, fmd91}.
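Review bot: `useage` in `Given the growing useage of FMEA/FMEDA in industry this may change.` is a typo (`usage`), and that sentence needs a comma after `industry`. The new text hyphenates `data-sheets` in one sentence and writes `The data sheets` in the next; pick one form. `They rarely clearly detail the failure modes` stacks two adverbs; `They rarely detail the failure modes` says the same thing. The consolidated `~\cite{mil1991, fmd91}` is an improvement over the separate citations used elsewhere.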
@ -1178,9 +1184,9 @@ each failure mode is referenced back to only one component. This constraint is d
%Controlled products are typically built using a large number of components and these are traditionally %Controlled products are typically built using a large number of components and these are traditionally
%kept in a `parts~list'. %kept in a `parts~list'.
% %
For a safety critical product this is usually a formal document %For a safety critical product this is usually a formal document
and is used for ordering systems from third parties, and by quality inspectors %and is used for ordering systems from third parties, and by quality inspectors
to ensure the correct parts are being fitted. %to ensure the correct parts are being fitted.
%The parts list is shown for completeness here, as people involved with Printed Circuit Board (PCB) and electronics production, verification and testing would want to know where it lies in the model. %The parts list is shown for completeness here, as people involved with Printed Circuit Board (PCB) and electronics production, verification and testing would want to know where it lies in the model.
%The parts list is not actively used in the FMMD method, but is shown in the UML model for completeness. %The parts list is not actively used in the FMMD method, but is shown in the UML model for completeness.
% %
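Review bot: the three lines starting `For a safety critical product this is usually a formal document` are commented out rather than deleted, joining two sentences about the parts list that were already commented; with no active text left on the parts list, delete the dead block and rely on version control instead of accumulating `%` prose. If the parts list is meant to stay, the sentence needs its antecedent for `this` restored, since the `parts~list` sentence it refers to is also commented.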
@ -1215,7 +1221,7 @@ When modularising failure mode behaviour from the bottom up, it is more meaningf
\section{Failure Modes in depth} \section{Failure Modes in depth}
FMEA appraisals of systems we begin with {\bcs}~\cite{en298}~\cite{bfmea}~\cite{en61508}. %To perform FMEA appraisals we begin with {\bcs}~\cite{en298}~\cite{bfmea}~\cite{en61508}.
%These will have a set of failure modes assigned to them. %These will have a set of failure modes assigned to them.
In order to perform FMEA we require a set of failure modes for each {\bc} in the system under investigation. In order to perform FMEA we require a set of failure modes for each {\bc} in the system under investigation.
% %
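Review bot: commenting out `FMEA appraisals of systems we begin with {\bcs}~\cite{en298}~\cite{bfmea}~\cite{en61508}.` removes the ungrammatical sentence but also drops the only citations supporting the claim that FMEA starts from base components; attach them to the surviving sentence, for example `... a set of failure modes for each {\bc} in the system under investigation~\cite{en298,bfmea,en61508}.` A single `\cite` with comma-separated keys also replaces the `~\cite{}~\cite{}~\cite{}` chain.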
@ -1263,7 +1269,7 @@ to determine which faults are the highest priority to fix~\cite{bfmea}.
% %
The aim of FMMD analysis is to produce complete failure The aim of FMMD analysis is to produce complete failure
models of safety critical systems from the bottom-up, models of safety critical systems from the bottom-up,
starting, where possible with known base~component failure~modes. starting where possible with known base~component failure~modes.
An advantage of working from the bottom up is that we can ensure that An advantage of working from the bottom up is that we can ensure that
all component failure modes must be considered. all component failure modes must be considered.
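Review bot: `we can ensure that all component failure modes must be considered` mixes `ensure that` with `must`; the intended claim is `ensure that all component failure modes are considered`. Removing the comma after `starting` is consistent, since `starting where possible with` now has no commas; the alternative would be the paired form `starting, where possible, with`.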
@ -1311,8 +1317,8 @@ Each of these failure modes, and optionally combinations of them, are
formed into `test~cases' which are formed into `test~cases' which are
analysed for their effect on the failure mode behaviour of the `{\fg}'. analysed for their effect on the failure mode behaviour of the `{\fg}'.
% %
Once we have the failure mode behaviour of the {\fg}, we can determine a the symptoms of failure Once we have the failure mode behaviour of the {\fg}, we can determine its symptoms of failure.
for the {\fg}. %for the {\fg}.
% %
We could term these symptoms the derived failure modes of the `{\fg}'. We could term these symptoms the derived failure modes of the `{\fg}'.
% %
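Review bot: the hunk's context line `Each of these failure modes, and optionally combinations of them, are formed into \`test~cases'` pairs the singular subject `Each` with a plural verb; use `is formed`, or recast as `These failure modes, and optionally combinations of them, are formed`. The `determine its symptoms of failure.` rewording is correct, and the now-redundant `%for the {\fg}.` fragment can be deleted outright.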
@ -1323,16 +1329,16 @@ with its own set of failure modes.
\subsection{From functional group to newly derived component} \subsection{From functional group to newly derived component}
\label{fg} \label{fg}
The process for taking a {\fg}, analysing its failure mode behaviour considering The process for taking a {\fg}, analysing its failure mode behaviour, considering
all the failure modes of all the components in the group, all the failure modes of all the components in the group
and collecting symptoms of failure, is termed `symptom abstraction'. and collecting symptoms of failure, is termed `symptom abstraction'.
% %
This This
is dealt with in detail using an algorithmic description, in section \ref{sec:algorithmfmmd}. is dealt with in detail using an algorithmic description, in appendix \ref{sec:algorithmfmmd}.
% define difference between a \fg and a \dc % define difference between a \fg and a \dc
A {\fg} is a collection of components, a {\dc} is a new `theoretical' A {\fg} is a collection of components. A {\dc} is a new `theoretical'
component which has a set of failure modes, component which has a set of failure modes,
corresponding to the failure symptoms from the {\fg} from which it was derived. corresponding to the failure symptoms from the {\fg} from which it was derived.
% %
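Review bot: `in appendix \ref{sec:algorithmfmmd}` changes the wording from section to appendix but keeps a `sec:` label; confirm the target really sits after `\appendix` so that `\ref` yields a letter, and consider renaming the label to match, otherwise the text will read `appendix 7.2` or similar. Splitting `A {\fg} is a collection of components. A {\dc} is a new ...` into two sentences reads well.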
@ -1386,12 +1392,12 @@ components, {\dcs} may be used to form {\fgs}.
Consider the hierarchy from the example in figure~\ref{fig:dc2}. Consider the hierarchy from the example in figure~\ref{fig:dc2}.
The lowest level in this hierarchy are the {\bcs}, the resistors and the op-amp. The lowest level in this hierarchy are the {\bcs}, the resistors and the op-amp.
% %
The resistors are collected into a {\fg}, and the ${PD}$ derived component is created above them. The resistors are collected into a {\fg}, and the ${PD}$ derived component created from its analysis, is shown above the {\fg}.
% %
As this derived component inherits the properties of a component, we may use As this derived component inherits the properties of a component, we may use
it in {\fg} higher in the hierarchy. it in {\fg} higher in the hierarchy.
% %
The $PD$ derived component is now placed into a functional group The $PD$ derived component is now placed into a {\fg}
with the op-amp. with the op-amp.
% %
This {\fg} is now analysed and a {\dc} created to This {\fg} is now analysed and a {\dc} created to
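Review bot: `the ${PD}$ derived component created from its analysis, is shown above the {\fg}.` has a lone comma between subject and verb; either bracket the participle with two commas (`the $PD$ derived component, created from its analysis, is shown`) or drop the comma. `${PD}$` and `$PD$` both appear in this hunk; use one form. `we may use it in {\fg} higher in the hierarchy` is missing an article (`in a {\fg}`).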
@ -1475,7 +1481,7 @@ where they fit into the data structure.
A system will be expected to perform in a given environment. A system will be expected to perform in a given environment.
% %
Environment in the context of this study Environment in the context of this study
means external influences under which the System could be expected to work.% under. means external influences under which the System could be expected to work. % under.
% %
A typical data sheet for an electrical component will give A typical data sheet for an electrical component will give
a working temperature range, for instance. a working temperature range, for instance.
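Review bot: this hunk only inserts a space before the dangling `% under.` comment; delete the leftover comment instead of adjusting its spacing. `the System could be expected to work` capitalises `System` while the sentence before writes `A system`; keep one convention.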
@ -1524,6 +1530,7 @@ Functional groupings by definition implement functionality, or purpose, and ther
operational states.% with. operational states.% with.
\paragraph{Inhibit Conditions.} \paragraph{Inhibit Conditions.}
A third data class may be required if modelling of inhibit conditions~\cite{nasatfa}[p.40] is desired.
Some failure modes may only be active given specific environmental conditions Some failure modes may only be active given specific environmental conditions
or when other failures are already active. or when other failures are already active.
To model this, an `inhibit' class has been added. To model this, an `inhibit' class has been added.
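Review bot: the added sentence `A third data class may be required if modelling of inhibit conditions~\cite{nasatfa}[p.40] is desired.` says the class may be required, while the existing `To model this, an \`inhibit' class has been added.` two lines later says it has been added; make the two agree, for example `is required ... has therefore been added`, or mark the class optional in both places. The page reference should be written `\cite[p.40]{nasatfa}`.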


@ -15,66 +15,88 @@ This chapter demonstrates FMMD applied to
a variety of common electronic circuits including analogue/digital and electronics/software hybrids. a variety of common electronic circuits including analogue/digital and electronics/software hybrids.
In order to implement FMMD in practise, we review the basic concepts and processes of the methodology. In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.
\section{Basic Concepts Of FMMD}
The %idea The first section~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs} in the context of the standards
driving concept behind FMMD is to modularise, from the bottom-up, failure mode effects analysis. we are conforming to for our particular project.
Traditional FMEA takes part failure modes and then determines what effect each of these
failure modes could have on the system under investigation.
Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes, We then have example FMMD analyses, the first looks at the inverting amplifier (see section~\ref{sec:invamp} using
involves what we could term a large `reasoning~distance'; that is to say an op-amp and two resistors, which demonstrates how the potential divider from
in a complex system, taking a particular failure mode, of a particular {\bc} ~\ref{sec:chap4} can be re-used, but with provisos.
and then trying to predict the outcome in the context of an entire system, is
a leap~of~faith.
%
There will be numerous possibilities of effects and side effects on
other components in the system; more than is practically possible to rigorously examine.
To simply trace a simple route from a particular {\bc} failure mode to a top level system error/symptom
oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
Fortunately most real-world designs take a modular approach. In Electronics Section~\ref{sec:twoopdiff} shows FMMD tackling a circuit where two op-amps are used
for instance, commonly used configurations of parts are used to create to create a differencing amplifier. Re-use of the potential divider model is discussed in the context of this circuit.
amplifiers, filters, potential dividers etc.
%It is therefore natural to collect parts to form functional groups.
It is common design practise in electronics, to use collections of parts in specific configurations
to form well-defined and well-known building blocks.
These commonly used configurations of parts, or {\fgs}, will
also have a specific failure mode behaviour.
We can take a {\fg}, analyse it using FMEA and determine its {\em symptoms} of failure.
When we have done this we can treat this {\fg} as a component in its own right. Section~\ref{sec:sallenkey} analyese a sallen-key low pass filter.
% This demonstrates FMMD being able to re-use the second order low pass structures
If we term {\bcs} as the components we start analysis with and components we have determined saving time for the analyst.
from functional groups as derived components, we can modularise the FMEA process.
%
If we start building {\fgs} from derived components we can start to build a modular
hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts. Section~\ref{sec:bubba} shows FMMD tackling a circuit with a circular signal path.
%and with their failure modes.
% It is worth defining clearly the term part here. Section~\ref{sec:sigmadelta} shows FMMD tackling a circuit with mixed analogue and digital electronics.
% Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus:
% ``{Part(definition)}---The Lowest level of assembly, beyond which further disassembly irrevocably destroys the item''. Finally section~\ref{sec:pt100} demonstrates both statistical analysis for top level events
% In the field of electronics a resistor, capacitor and op-amp would fit this definition of a `part'. and the analysis of double simultaneous failure modes.
% Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mil1991}.
% \section{Basic Concepts Of FMMD}
% %
% The %idea
% driving concept behind FMMD is to modularise, from the bottom-up, failure mode effects analysis.
% Traditional FMEA takes part failure modes and then determines what effect each of these
% failure modes could have on the system under investigation.
% %
% Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes,
% involves what we could term a large `reasoning~distance'; that is to say
% in a complex system, taking a particular failure mode, of a particular {\bc}
% and then trying to predict the outcome in the context of an entire system, is
% a leap~of~faith.
% %
% There will be numerous possibilities of effects and side effects on
% other components in the system; more than is practically possible to rigorously examine.
% To simply trace a simple route from a particular {\bc} failure mode to a top level system error/symptom
% oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
% %
% \paragraph {Definitions: for practical FMMD analysis} % Fortunately most real-world designs take a modular approach. In Electronics
% for instance, commonly used configurations of parts are used to create
% amplifiers, filters, potential dividers etc.
% %It is therefore natural to collect parts to form functional groups.
% It is common design practise in electronics, to use collections of parts in specific configurations
% to form well-defined and well-known building blocks.
% These commonly used configurations of parts, or {\fgs}, will
% also have a specific failure mode behaviour.
% We can take a {\fg}, analyse it using FMEA and determine its {\em symptoms} of failure.
%
% When we have done this we can treat this {\fg} as a component in its own right.
% %
% If we term {\bcs} as the components we start analysis with and components we have determined
% from functional groups as derived components, we can modularise the FMEA process.
% %
% If we start building {\fgs} from derived components we can start to build a modular
% hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
% allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
%
% As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts.
% %and with their failure modes.
% % It is worth defining clearly the term part here.
% % Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus:
% % ``{Part(definition)}---The Lowest level of assembly, beyond which further disassembly irrevocably destroys the item''.
% % In the field of electronics a resistor, capacitor and op-amp would fit this definition of a `part'.
% % Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mil1991}.
% %
% %
% %
% % \paragraph {Definitions: for practical FMMD analysis}
% %
% % \begin{itemize}
% % \item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}.
% % \item {\fm} - failure mode - the ways in which a component can fail
% % \item {\fg} - a collection of components chosen to perform a particular task
% % \item {\em symptom} - a failure mode of a functional group caused by one or more of its component failure modes.
% % \item {\dc} - a new component derived from an analysed {\fg}
% % \end{itemize}
% %
% \begin{itemize}
% \item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}.
% \item {\fm} - failure mode - the ways in which a component can fail
% \item {\fg} - a collection of components chosen to perform a particular task
% \item {\em symptom} - a failure mode of a functional group caused by one or more of its component failure modes.
% \item {\dc} - a new component derived from an analysed {\fg}
% \end{itemize}
\section{Determining the failure modes of components}
\subsection{Determining the failure modes of components}
\label{sec:determine_fms} \label{sec:determine_fms}
In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail. In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail.
A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124]. A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124].
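Review bot: the new chapter road-map has several defects: `(see section~\ref{sec:invamp} using an op-amp and two resistors,` never closes its parenthesis; `the potential divider from ~\ref{sec:chap4}` has a bare `\ref` with no `section` or `chapter` word and a stray space before the tie; `analyese a sallen-key low pass filter` should be `analyses a Sallen-Key low-pass filter`; and `In order to implement FMMD in practise` needs the noun `practice`. The former `\section{Basic Concepts Of FMMD}` text is commented out rather than removed; if it now lives in another chapter, delete it here and let git hold the history. Promoting `\subsection{Determining the failure modes of components}` to `\section` is consistent with the new outline.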
@ -105,7 +127,7 @@ FMD-91 entries need, in some cases, some interpretation to be mapped to a clear
component {\fms} suitable for use in FMEA. component {\fms} suitable for use in FMEA.
% %
A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for
component types but does not detail specific failure modes. component types, but does not detail specific failure modes.
% %
Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes
of component types. of component types.
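Review bot: `MIL-1991` and `MIL1991` appear two lines apart (`A third document, MIL-1991~\cite{mil1991}` and `Using MIL1991 in conjunction with FMD-91`); standardise the name. The comma added before `but does not detail specific failure modes` is fine, but the appositive `A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91,` also needs a comma after the citation.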
@ -135,7 +157,7 @@ the two sources of information define their failure mode behaviour.
We look at the reasons why some known failure modes % are omitted, or presented in We look at the reasons why some known failure modes % are omitted, or presented in
%specific but unintuitive ways. %specific but unintuitive ways.
%We compare the US. military published failure mode specifications wi %We compare the US. military published failure mode specifications wi
can be found in one source but not in the other and vice versa. can be found in one source but not in the others and vice versa.
Finally we compare and contrast the failure modes determined for these components Finally we compare and contrast the failure modes determined for these components
from the FMD-91 reference source and from the guidelines of the from the FMD-91 reference source and from the guidelines of the
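Review bot: changing `not in the other` to `not in the others` conflicts with this hunk's own context line, `the two sources of information define their failure mode behaviour`; with two sources `the other` is correct, and if a third source is meant, the lead sentence should say so. The sentence `We look at the reasons why some known failure modes ... can be found in one source` is also split across three comment-interleaved lines; moving the `%` notes above or below the sentence keeps the source readable.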
@ -376,7 +398,7 @@ $$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$
The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures. The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures.
The FMD-91 entires for op-amps are not directly usable as The FMD-91 entries for op-amps are not directly usable as
component {\fms} in FMEA or FMMD and require interpretation. component {\fms} in FMEA or FMMD and require interpretation.
%For our OP-AMP example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$) %For our OP-AMP example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$)
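Review bot: `The EN298 pinouts failure mode technique` uses a plural as an attributive noun; `pinout failure mode technique` reads correctly. The `entires` to `entries` fix is right. In the hunk header context, `$$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$` uses plain-TeX display math; the LaTeX form `\[ ... \]` gives correct vertical spacing and works with class options such as `fleqn`.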
@ -417,204 +439,204 @@ component {\fms} in FMEA or FMMD and require interpretation.
\section{ FMMD overview} % \section{ FMMD overview}
%
In the next sections we apply FMMD to example electronic circuits, analogue/digital and electronic/software hybrids. % In the next sections we apply FMMD to electronic circuits, analogue/digital and electronic/software hybrids.
The basic principles of FMMD are presented here for clarity. % The basic principles of FMMD are presented here for clarity.
%
\paragraph{ Creating a fault hierarchy.} % \paragraph{ Creating a fault hierarchy.}
The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc} % The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc}
level up to the top, or system level, with analysis stages between each % level up to the top, or system level, with analysis stages between each
transition to a higher level in the hierarchy. % transition to a higher level in the hierarchy.
%
%
The first stage is to choose % The first stage is to choose
{\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components. % {\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components.
%These parts all have associated fault modes. A module is a set fault~modes. % %These parts all have associated fault modes. A module is a set fault~modes.
From the point of view of failure analysis, % From the point of view of failure analysis,
we are not interested in the components themselves, but in the ways in which they can fail. % we are not interested in the components themselves, but in the ways in which they can fail.
%
A {\fg} is a collection of components that perform some simple task or function. % A {\fg} is a collection of components that perform some simple task or function.
% % %
In order to determine how a {\fg} can fail, % In order to determine how a {\fg} can fail,
we need to consider all the failure modes of all its components. % we need to consider all the failure modes of all its components.
% % %
By analysing the fault behaviour of a `{\fg}' with respect to all its components failure modes, % By analysing the fault behaviour of a `{\fg}' with respect to all its components failure modes,
we can determine its symptoms of failure. % we can determine its symptoms of failure.
%In fact we can call these % %In fact we can call these
%the symptoms of failure for the {\fg}. % %the symptoms of failure for the {\fg}.
%
With these symptoms (a set of derived faults from the perspective of the {\fg}) % With these symptoms (a set of derived faults from the perspective of the {\fg})
we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways. % we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways.
% % %
In other words we have taken a {\fg}, and analysed how % In other words, we have taken a {\fg} and analysed how
\textbf{it} can fail according to the failure modes of its components, and then % \textbf{it} can fail according to the failure modes of its components, and then can
determined the {\fg} failure modes. % determine the {\fg} failure modes.
%
\paragraph{Creating a derived component.} % \paragraph{Creating a derived component.}
We create a new `{\dc}' which has % We create a new `{\dc}' which has
the failure symptoms of the {\fg} from which it was derived, as its set of failure modes. % the failure symptoms of the {\fg} from which it was derived, as its set of failure modes.
This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}. % This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}.
% % %
\paragraph{An example of a {\dc}.} % \paragraph{An example of a {\dc}.}
To give an example of this, we could look at the components that % To give an example of this, we could look at the components that
form, say an amplifier. We look at how all the components within it % form, say an amplifier. We look at how all the components within it
could fail and how that would affect the amplifier. % could fail and how that would affect the amplifier.
% % %
The ways in which the amplifier can be affected are its symptoms. % The ways in which the amplifier can be affected are its symptoms.
% % %
When we have determined the symptoms, we can % When we have determined the symptoms, we can
create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms). % create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
We can now treat $AMP1$ as a pre-analysed, higher level component. % We can now treat $AMP1$ as a pre-analysed, higher level component.
%The amplifier is an abstract concept, in terms of the components. % %The amplifier is an abstract concept, in terms of the components.
To a make an `amplifier' we have to connect a a group of components % To a make an `amplifier' we have to connect a group of components
in a specific configuration. This specific configuration corresponds to % in a specific configuration. This specific configuration corresponds to
a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}. % a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
%
%
%What this means is the `fault~symptoms' of the module have been derived. % %What this means is the `fault~symptoms' of the module have been derived.
% % %
%When we have determined the fault~modes at the module level these can become a set of derived faults. % %When we have determined the fault~modes at the module level these can become a set of derived faults.
%By taking sets of derived faults (module level faults) we can combine these to form modules % %By taking sets of derived faults (module level faults) we can combine these to form modules
%at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way, % %at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way,
%to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed % %to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed
%as parts, parts which may now be combined to create new functional groups, % %as parts, parts which may now be combined to create new functional groups,
%but as parts at a higher level of fault abstraction. % %but as parts at a higher level of fault abstraction.
\paragraph{Building the Hierarchy.} % \paragraph{Building the Hierarchy.}
We can now apply the same process of building {\fgs} but with {\dcs} instead of {\bcs}. % We can now apply the same process of building {\fgs} but with {\dcs} instead of {\bcs}.
We can bring {\dcs} % We can bring {\dcs}
together to form functional groups and then create new {\dcs} % together to form functional groups and then create new {\dcs}
at even higher abstraction levels. Eventually we will have a hierarchy % at even higher abstraction levels. Eventually we will have a hierarchy
that converges to one top level {\dc}. At this stage we have a complete failure % that converges to one top level {\dc}. At this stage we have a complete failure
mode model of the system under investigation. % mode model of the system under investigation.
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
% tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
\caption{FMMD Hierarchy showing ascending abstraction levels}
\label{fig:treeabslev}
\end{figure}
Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg}
is shown as a `$\derivec$' symbol.
% \section{Example Analysis: Non-Inverting OPAMP}
% Consider a non inverting op-amp designed to amplify
% a small positive voltage (typical use would be a thermocouple amplifier
% taking a range from 0 to 25mV and amplifying it to the useful range of an ADC, approx 0 to 4 volts).
% %
% % \begin{figure}[h]
% \begin{figure}[h+]
% \centering % \centering
% \includegraphics[width=100pt]{CH5_Examples/mvampcircuit.png} % \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
% % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 % % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
% \label{fig:mvampcircuit} % \caption{FMMD Hierarchy showing ascending abstraction levels}
% \caption{positive mV amplifier circuit} % \label{fig:treeabslev}
% \end{figure} % \end{figure}
% %
% We can begin by looking for functional groups. % Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg}
% The resistors $ R1, R2 $ perform a fairly common function in electronics, that of the potential divider. % is shown as a `$\derivec$' symbol.
% So we can examine $\{ R1, R2 \}$ as a {\fg}.
%
%
% \subsection{The Resistor in terms of failure modes}
%
% We can now determine how the resistors can fail.
% We consider the {\fms} for resistors to be OPEN and SHORT (see section~\ref{ros}).
% %, i.e.
% %$ fm(R) = \{ OPEN, SHORT \} . $
%
% We can express the failure modes of a component using the function $fm$, thus for the resistor, $ fm(R) = \{ OPEN, SHORT \}$.
%
%
% We have two resistors in this circuit and therefore four component failure modes to consider for the potential divider.
% We can now examine what effect each of these failures will have on the {\fg} (see table~\ref{tbl:pd}).
%
%
% \subsection{Analysing a potential divider in terms of failure modes}
%
% \label{potdivfmmd}
% %
% %
% %
% \begin{figure}[h+] % % \section{Example Analysis: Non-Inverting OPAMP}
% \centering % % Consider a non inverting op-amp designed to amplify
% \includegraphics[width=100pt,keepaspectratio=true]{CH5_Examples/pd.png} % % a small positive voltage (typical use would be a thermocouple amplifier
% % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241 % % taking a range from 0 to 25mV and amplifying it to the useful range of an ADC, approx 0 to 4 volts).
% \label{fig:pdcircuit} % %
% \caption{Potential Divider Circuit} % %
% \end{figure} % % \begin{figure}[h+]
% % % \centering
% % % \includegraphics[width=100pt]{CH5_Examples/mvampcircuit.png}
% \begin{table}[h+] % % % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143
% \caption{Potential Divider: Single failure analysis} % % \label{fig:mvampcircuit}
% \begin{tabular}{|| l | l | c | c | l ||} \hline % % \caption{positive mV amplifier circuit}
% \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\ % % \end{figure}
% \hline % %
% FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\ % % We can begin by looking for functional groups.
% FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline % % The resistors $ R1, R2 $ perform a fairly common function in electronics, that of the potential divider.
% FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\ % % So we can examine $\{ R1, R2 \}$ as a {\fg}.
% FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline % %
% \hline % %
% \end{tabular} % % \subsection{The Resistor in terms of failure modes}
% \label{tbl:pd} % %
% \end{table} % % We can now determine how the resistors can fail.
% % % We consider the {\fms} for resistors to be OPEN and SHORT (see section~\ref{ros}).
% We can now create a {\dc} for the potential divider, $PD$. % % %, i.e.
% % % %$ fm(R) = \{ OPEN, SHORT \} . $
% $$ fm(PD) = \{ PDLow, PDHigh \}$$ % %
% % % We can express the failure modes of a component using the function $fm$, thus for the resistor, $ fm(R) = \{ OPEN, SHORT \}$.
% %Let us now consider the op-amp. According to % %
% %FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes: % %
% %latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%). % % We have two resistors in this circuit and therefore four component failure modes to consider for the potential divider.
% % % We can now examine what effect each of these failures will have on the {\fg} (see table~\ref{tbl:pd}).
% % %
% \subsection{Analysing the non-inverting amplifier in terms of failure modes} % %
% % % \subsection{Analysing a potential divider in terms of failure modes}
% From section~\ref{sec:opamp_fms}
% $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
%
%
% We can now form a {\fg} with $PD$ and $OPAMP$.
%
% \begin{figure}
% \centering
% \includegraphics[width=300pt]{CH5_Examples/non_inv_amp_fmea.png}
% % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369
% \label{fig:invampanalysis}
% \end{figure}
%
%
%
%
% \begin{table}[h+]
% \caption{NIAMP: Single failure analysis}
% \begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Non In Amp Effect} & & \textbf{Symptom} \\
% \hline
% FS1: PD HIGH & & $LOW$ & & $Low$ \\
% FS2: PD LOW & & $HIGH$ & & $High$ \\ \hline
% FS3: OPAMP $L_{UP}$ & & $HIGH$ & & $High$ \\
% FS4: OPAMP $L_{DOWN}$ & & $LOW$ & & $Low$ \\
% FS5: OPAMP $Noop$ & & $LOW$ & & $Low$ \\
% FS5: OPAMP $Low slew$ & & $LOW$ & & $Lowpass$ \\ \hline
%
% \hline
% \end{tabular}
% \label{tbl:pd}
% \end{table}
%
% We can collect symptoms from the analysis and create a derived component
% to represent the non-inverting amplifier $NI\_AMP$.
% We can now express the failure mode behaviour of this type of amplifier thus:
%
% $$ fm(NIAMP) = \{ {lowpass}, {high}, {low} \}.$$
%
% %
% %
% % \label{potdivfmmd}
% %
% %
% %
% % \begin{figure}[h+]
% % \centering
% % \includegraphics[width=100pt,keepaspectratio=true]{CH5_Examples/pd.png}
% % % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241
% % \label{fig:pdcircuit}
% % \caption{Potential Divider Circuit}
% % \end{figure}
% %
% %
% % \begin{table}[h+]
% % \caption{Potential Divider: Single failure analysis}
% % \begin{tabular}{|| l | l | c | c | l ||} \hline
% % \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\
% % \hline
% % FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\
% % FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline
% % FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\
% % FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline
% % \hline
% % \end{tabular}
% % \label{tbl:pd}
% % \end{table}
% %
% % We can now create a {\dc} for the potential divider, $PD$.
% %
% % $$ fm(PD) = \{ PDLow, PDHigh \}$$
% %
% % %Let us now consider the op-amp. According to
% % %FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
% % %latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
% %
% %
% % \subsection{Analysing the non-inverting amplifier in terms of failure modes}
% %
% % From section~\ref{sec:opamp_fms}
% % $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
% %
% %
% % We can now form a {\fg} with $PD$ and $OPAMP$.
% %
% % \begin{figure}
% % \centering
% % \includegraphics[width=300pt]{CH5_Examples/non_inv_amp_fmea.png}
% % % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369
% % \label{fig:invampanalysis}
% % \end{figure}
% %
% %
% %
% %
% % \begin{table}[h+]
% % \caption{NIAMP: Single failure analysis}
% % \begin{tabular}{|| l | l | c | c | l ||} \hline
% % \textbf{Failure Scenario} & & \textbf{Non In Amp Effect} & & \textbf{Symptom} \\
% % \hline
% % FS1: PD HIGH & & $LOW$ & & $Low$ \\
% % FS2: PD LOW & & $HIGH$ & & $High$ \\ \hline
% % FS3: OPAMP $L_{UP}$ & & $HIGH$ & & $High$ \\
% % FS4: OPAMP $L_{DOWN}$ & & $LOW$ & & $Low$ \\
% % FS5: OPAMP $Noop$ & & $LOW$ & & $Low$ \\
% % FS5: OPAMP $Low slew$ & & $LOW$ & & $Lowpass$ \\ \hline
% %
% % \hline
% % \end{tabular}
% % \label{tbl:pd}
% % \end{table}
% %
% % We can collect symptoms from the analysis and create a derived component
% % to represent the non-inverting amplifier $NI\_AMP$.
% % We can now express the failure mode behaviour of this type of amplifier thus:
% %
% % $$ fm(NIAMP) = \{ {lowpass}, {high}, {low} \}.$$
% %
% %
\clearpage \clearpage
\section{Example Analysis: Inverting OPAMP} \section{Example Analysis: Inverting OPAMP}
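Review bot: the hierarchy paragraph and the `fig:treeabslev` figure are commented out at the top of this hunk (from `% \paragraph{Building the Hierarchy.}` through `% is shown as a `$\derivec$' symbol.`), so any `\ref{fig:treeabslev}` left elsewhere in the chapter now produces an undefined reference; the same applies to `\ref{potdivfmmd}`, since the only `\label{potdivfmmd}` now sits inside the commented block (`% \label{potdivfmmd}`). Grep for both references before merging. The remainder of the hunk carries the Non-Inverting OPAMP example twice as commented-out text (the `% ...` copy and an identical `% % ...` copy starting at `% % \section{Example Analysis: Non-Inverting OPAMP}`); since the section has been superseded, delete it rather than keeping a long block of duplicated dead LaTeX under version control. If it is retained for later revival, note that it already contains a duplicated `\label{tbl:pd}` (used for both the potential divider and the NIAMP tables) and two NIAMP rows labelled `FS5`, both of which would need fixing before it could be uncommented.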
@ -638,7 +660,7 @@ Both approaches are followed in the next two sub-sections.
\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}} \subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative. We cannot simply re-use the $PD$ from section~\ref{subsec:potdiv}---that potential divider would only be valid if the input signal were negative.
We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'. We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'.
If we can refine the operational states of the functional group, we can obtain clearer If we can refine the operational states of the functional group, we can obtain clearer
symptoms. symptoms.
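Review bot: the `\ref{potdivfmmd}` to `\ref{subsec:potdiv}` change on the first line is required, because the old label now lives only inside commented-out text and would be undefined. While this line is being edited, the neighbouring context sentence `We want if possible to have detectable errors.` reads awkwardly; suggest `Where possible we want detectable errors.`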
@ -683,7 +705,7 @@ We can now form a {\fg} from the OP-AMP and the $INVPD$
\end{table} \end{table}
This gives the same results as the analysis from figure~\ref{fig:invampanalysis}. %%This gives the same results as the analysis from figure~\ref{fig:invampanalysis}.
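Review bot: commenting out `This gives the same results as the analysis from figure~\ref{fig:invampanalysis}.` is consistent with that figure being commented out earlier in this commit, but it leaves the table above with no closing comparison. Delete the line outright rather than prefixing it with `%%`, or replace it with a sentence that states what the INVPD result is being compared against.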
@ -758,7 +780,8 @@ and from this we obtain a {\dc} (INVPD).
We applied a second analysis stage with the known failure modes of the op-amp and the failure modes of INVPD. We applied a second analysis stage with the known failure modes of the op-amp and the failure modes of INVPD.
The second analysis (3 components) has to look at the effects of each failure mode of each resistor The second analysis (3 components) has to look at the effects of each failure mode of each resistor
on the op-amp circuit. This is more to think about---or in other words an increase in the complexity of the analysis---than comparing the two known failure modes on the op-amp circuit. This means more work for the analyst---or in other words an increase in the complexity of the analysis---than
simply comparing the two known failure modes
from the pre-analysed inverted potential divider. The complexity comparison figures from the pre-analysed inverted potential divider. The complexity comparison figures
bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$ bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
and for the second analysis a CC of $8.(3-2)=16$. and for the second analysis a CC of $8.(3-2)=16$.
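Review bot: the complexity figure on the last line is arithmetically inconsistent: `and for the second analysis a CC of $8.(3-2)=16$.` gives $8 \cdot 1 = 8$, not 16. Following the pattern of the line above (`$4.(2-1)+6.(2-1)=10$`, failure modes multiplied by components minus one), the three-component analysis should read `$8.(3-1)=16$`, so the `(3-2)` is the error. The naming in this paragraph is also confusing: `The second analysis (3 components)` refers to the single-stage analysis, whereas `a second analysis stage` on the first line refers to the two-stage one; calling them `the two-stage analysis` and `the single-stage (three component) analysis` throughout would remove the ambiguity.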
@ -776,7 +799,7 @@ and for the second analysis a CC of $8.(3-2)=16$.
%obtain $OUT OF RANGE$ instead. %obtain $OUT OF RANGE$ instead.
\clearpage \clearpage
\section{Op-Amp circuit 1} \section{Differencing Amplifier using two op-amps}
\begin{figure}[h] \begin{figure}[h]
\centering \centering
@ -789,12 +812,15 @@ and for the second analysis a CC of $8.(3-2)=16$.
The circuit in figure~\ref{fig:circuit1} amplifies the difference between The circuit in figure~\ref{fig:circuit1} amplifies the difference between
the input voltages $+V1$ and $+V2$. the input voltages $+V1$ and $+V2$.
The circuit is configured so that both inputs use the non-inverting, and thus high impedance inputs, meaning that they will not
electrically over-load/influence
the sensors used for measurement.
It would be desirable to represent this circuit as a {\dc} called say $DiffAMP$. It would be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
We begin by identifying functional groups from the components in the circuit. We begin by identifying functional groups from the components in the circuit.
\subsection{Functional Group: Potential Divider} \subsection{Functional Group: Potential Divider}
For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{potdivfmmd}. For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{subsec:potdiv}.
%R1 and R2 perform as a potential divider. %R1 and R2 perform as a potential divider.
%Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A). %Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A).
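Review bot: the added sentence `The circuit is configured so that both inputs use the non-inverting, and thus high impedance inputs, meaning that they will not` / `electrically over-load/influence` / `the sensors used for measurement.` is hard to parse; suggest `Both inputs are taken to the non-inverting (high impedance) op-amp inputs, so the circuit does not electrically load the sensors being measured.` Also `R1,R2` on the `\subsection{Functional Group: Potential Divider}` paragraph should be set in maths mode (`$R1, R2$`) to match the rest of the chapter.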
@ -994,7 +1020,7 @@ when it becomes a V2 follower).
\centering \centering
\includegraphics[width=400pt]{CH5_Examples/circuit1_dag.png} \includegraphics[width=400pt]{CH5_Examples/circuit1_dag.png}
% circuit1_dag.png: 797x1145 pixel, 72dpi, 28.12x40.39 cm, bb=0 0 797 1145 % circuit1_dag.png: 797x1145 pixel, 72dpi, 28.12x40.39 cm, bb=0 0 797 1145
\caption{Directed Acyclic Graph of Circuit1 failure modes} \caption{Directed Acyclic Graph of the two op-amp differencing amplifier failure modes}
\label{fig:circuit1_dag} \label{fig:circuit1_dag}
\end{figure} \end{figure}
@ -1009,7 +1035,7 @@ to periodically switch in test signals in place of the input signal.}
. .
\clearpage \clearpage
\section{Op-Amp circuit 2} \section{Five Pole Low Pass Filer, using two Sallen~Key stages.}
\begin{figure}[h] \begin{figure}[h]
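Review bot: typo in the new section title `\section{Five Pole Low Pass Filer, using two Sallen~Key stages.}`: `Filer` should be `Filter`, and the trailing full stop is inconsistent with the other `\section` titles in this commit (`Example Analysis: Inverting OPAMP`, `Differencing Amplifier using two op-amps`). The lone `.` on the second line of the hunk, directly after the footnote closing `}`, looks like a stray duplicate full stop and should be dropped.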
@ -1028,7 +1054,8 @@ Starting at the input, we have a first order low pass filter buffered by an op-a
the output of this is passed to a Sallen~Key~\cite{aoe}[p.267] second order lowpass filter. the output of this is passed to a Sallen~Key~\cite{aoe}[p.267] second order lowpass filter.
The output of this is passed into another Sallen~Key filter -- which although it may have different values The output of this is passed into another Sallen~Key filter -- which although it may have different values
for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective. for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective.
Thus we can analyse the first Sallen~Key low pass filter and re-use the results. Thus we can analyse the first Sallen~Key low pass filter and re-use the results for the second stage
avoiding the repeat work that would be performed using traditional FMEA.
\begin{figure}[h] \begin{figure}[h]
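Review bot: the added continuation needs a comma: `Thus we can analyse the first Sallen~Key low pass filter and re-use the results for the second stage` / `avoiding the repeat work that would be performed using traditional FMEA.` should read `... for the second stage, avoiding the repeat work ...`. The hunk also uses both `lowpass filter` (second line) and `low pass filter`; pick one spelling.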
@ -1267,9 +1294,9 @@ $FivePoleLP$ and applying the $fm$ function to it (see table~\ref{tbl:fivepole})
\pagebreak[4] \pagebreak[4]
The failure modes for the low pass filters are very similar, and the propogation of the signal The failure modes for the low pass filters are very similar, and the propagation of the signal
is simple (as it is never inverted). The circuit under analysis is -- as shown in the block diagram (see figure~\ref{fig:blockdiagramcircuit2}) -- is simple (as it is never inverted). The circuit under analysis is -- as shown in the block diagram (see figure~\ref{fig:blockdiagramcircuit2}) --
three op-amp driven non-inverting low pass filter elements; It is not suprising therefore that they have very similar failure modes. three op-amp driven non-inverting low pass filter elements. It is not surprising therefore that they have very similar failure modes.
From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$ From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$
could be easily detected; the failure symptom $FilterIncorrect$ may be less observable. could be easily detected; the failure symptom $FilterIncorrect$ may be less observable.
@ -1474,7 +1501,7 @@ of $468$ failure modes to check against components.
However, the analysis here appears top-heavy; we should be able to refine the model more However, the analysis here appears top-heavy; we should be able to refine the model more
and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully
this should lead a further reduction in the complexity comparison figure. this should lead a further reduction in the complexity comparison figure.
By de-creasing the size of the modules with further refinement, By decreasing the size of the modules with further refinement,
we may also discover new derived components that may be of use for other analyses in the future. we may also discover new derived components that may be of use for other analyses in the future.
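Review bot: the unchanged context line `this should lead a further reduction in the complexity comparison figure.` is missing `to` (`lead to a further reduction`); since the adjacent `de-creasing` to `decreasing` fix touches this paragraph, correct this one in the same commit.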
@ -1864,7 +1891,7 @@ The potential divider provides a mid rail reference voltage
to the inverting input of IC3. to the inverting input of IC3.
\paragraph{Potential divider Formed by R3,R4.} \paragraph{Potential divider Formed by R3,R4.}
We re-use the analysis from table~\ref{tbl:pdfmea}, and used the derived component $PD$ We re-use the analysis from table~\ref{tbl:pdfmea}, and use the derived component $PD$
to represent the potential divider formed by R3 and R4. Because PD is a derived component, we can denote this to represent the potential divider formed by R3 and R4. Because PD is a derived component, we can denote this
by super-scripting it with its abstraction level of 1, thus $PD^1$. by super-scripting it with its abstraction level of 1, thus $PD^1$.
$$ $$
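Review bot: `\paragraph{Potential divider Formed by R3,R4.}` mixes cases (`divider` lower, `Formed` upper) and sets `R3,R4` in text mode while the body uses maths (`$PD^1$`); suggest `\paragraph{Potential divider formed by $R3$ and $R4$.}`. The `used` to `use` tense fix on the next line is correct.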
@ -2231,7 +2258,7 @@ drop in the supply to the $Pt100$. As no significant current
is carried by the two `sense' lines, the resistance back to the ADC is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire causes only a negligible voltage drop, and thus the four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
the thermistor and not the voltage across the thermistor and current supply wire resistance.}. the thermistor only and not the voltage across the thermistor and current supply wire resistance.}.
\paragraph{Calculating Temperature from the sense line voltages} \paragraph{Calculating Temperature from the sense line voltages}
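Review bot: stray comma in the footnote context line `The increased accuracy is because the voltage measured, is the voltage across`; drop the comma after `measured`. The `thermistor only` clarification on the changed line is fine.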
@ -2281,10 +2308,10 @@ Where this occurs a circuit re-design is probably the only sensible course of ac
\fmodegloss \fmodegloss
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit} \paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.}
\label{fmea} \label{fmea}
The PTt00 circuit consists of three resistors, two `current~supply' The Pt00 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires. wires and two `sensor' wires.
Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A] Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A]
, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, , are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
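Review bot: the typo fix on the third line introduces a new typo: `The PTt00 circuit consists of three resistors, two `current~supply'` becomes `The Pt00 circuit ...`, but the part is written `Pt100` everywhere else in the hunk (`Single Fault FMEA Analysis of $Pt100$ Four wire circuit.`); it should be `The Pt100 circuit`. The sentence split around the comment (`Resistors %according to the European Standard ...` followed by `, are considered to fail ...`) also leaves a dangling comma at the start of a line; move the comma onto the `Resistors` line or remove the commented clause.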
@ -2297,14 +2324,14 @@ $R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone \ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault. in the diagram, we consider this a fault.
Should the reading be above its expected range this is a `High Fault' Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'. and if below a `Low Fault'.
Table \ref{ptfmea} plays through the scenarios of each of the resistors failing Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range {0\oc} to {300\oc} will be analysed using potential divider equations to The range {0\oc} to {300\oc} will be analysed using potential divider equations to
determine out of range voltage limits in section \ref{ptbounds}. determine out of range voltage limits in section~\ref{sec:ptbounds}.
\begin{table}[ht] \begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table \caption{Pt100 FMEA Single Faults} % title of Table
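Review bot: `Table \ref{ptfmea} plays through the scenarios ...` still uses a plain space before `\ref`, while this same hunk changes `section \ref{ptbounds}` to `section~\ref{sec:ptbounds}` and a later hunk changes `Table \ref{ptfmea}` to `table~\ref{ptfmea}`; use the tie here as well so the number cannot be orphaned by a line break. Note that the new `\ref{sec:ptbounds}` depends on the `\label{sec:ptbounds}` added in the `Consideration of Resistor Tolerance` hunk below, so the two hunks must land together.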
@ -2416,13 +2443,14 @@ will detect it.
\paragraph{Consideration of Resistor Tolerance.} \paragraph{Consideration of Resistor Tolerance.}
% %
\label{sec:ptbounds}
The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by to having to pass any significant current. The current is supplied altered by having to pass any significant current. The current is supplied
by separate wires and the resistance in those are effectively cancelled by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative. out by considering the voltage reading over $R_3$ to be relative.
% %
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one we measure current over) should also One or other of the load resistors (the one over which we measure current) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
% %
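Review bot: the new `\label{sec:ptbounds}` is placed under a `\paragraph`, which is unnumbered at the default `secnumdepth`, so `section~\ref{sec:ptbounds}` will print whatever counter was last stepped (the enclosing subsection, or possibly a preceding table or equation) rather than identifying this paragraph; check the rendered reference, or attach the label to the enclosing subsection. Grammar in the unchanged context: `the resistance in those are effectively cancelled` should be `is effectively cancelled`.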
@ -2545,7 +2573,7 @@ read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis} \subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis All six test cases have been analysed and the results agree with the hypothesis
put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range. resistor faults : Voltage out of range.
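Review bot: two punctuation slips remain in the context lines around the `table~\ref{ptfmea}` fix: `The PLD diagram, can now be used to collect the` has a stray comma after `diagram`, and `resistor faults : Voltage out of range.` has a space before the colon.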
@ -2553,7 +2581,7 @@ A spider can be drawn on the PLD diagram to this effect.
In practical use, by defining an acceptable measurement/temperature range, In practical use, by defining an acceptable measurement/temperature range,
and ensuring the and ensuring the
values are always within these bounds we can be confident that none of the values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed. resistors in this circuit has failed.
\ifthenelse{\boolean{pld}} \ifthenelse{\boolean{pld}}
@ -2609,9 +2637,9 @@ in hours for a wide range of generic components
\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F \footnote{These figures are based on components from the 1980's and MIL-HDBK-217F
can give conservative reliability figures when applied to can give conservative reliability figures when applied to
modern components}. modern components}.
%
Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor
failure statistics we calculate the reliability of this circuit. failure statistics, we calculate the reliability of this circuit.
\paragraph{Resistor FIT Calculations} \paragraph{Resistor FIT Calculations}
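Review bot: `Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor` needs a tie before the citation (`MIL-HDBK-217F~\cite{mil1991}`), as already done with `Sallen~Key~\cite{aoe}` earlier in this commit; and `components from the 1980's` in the footnote should be `1980s`. The comma added after `failure statistics` is correct.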
@ -2874,13 +2902,13 @@ $$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \fra
$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$ $$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$
As the test case are all different and are of the correct cardinalities (6 single faults and (15-3) double) As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double)
we can be confident that we have looked at all `double combinations' of the possible faults we can be confident that we have looked at all `double combinations' of the possible faults
in the Pt100 circuit. The next task is to investigate in the Pt100 circuit. The next task is to investigate
these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.
\paragraph{Proof of Double Faults Hypothesis } %\paragraph{Proof of Double Faults Hypothesis}
\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } \paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN }
\label{Pt100:bothfloating} \label{Pt100:bothfloating}
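Review bot: commenting out `\paragraph{Proof of Double Faults Hypothesis}` instead of deleting it adds to the dead LaTeX already accumulating in this commit; either delete it or keep it uncommented, since the `TC 7` onward paragraphs that follow are that proof. Two smaller points in the same hunk: `table \ref{tab:ptfmea2}` lacks the `~` used elsewhere in this commit, and `\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN }` has padding spaces inside the braces and before the colon. The `test case` to `test cases` fix is correct.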
@ -2889,10 +2917,11 @@ Both sense lines are floating.
We cannot know what the {\adctw} readings on them will be. We cannot know what the {\adctw} readings on them will be.
% %
In practise these would probably float to low values In practise these would probably float to low values
but for the purpose of a safety critical analysis but for the purpose of a safety critical analysis,
all we can say is the values are `floating' and `unknown'. all we can say is that the values are `floating' and `unknown'.
This is an interesting case, because it is, at this stage an undetectable This is an interesting case, because it is, at this stage an undetectable---or unobservable---
fault that must be handled. fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{unobservability}.
%that must be handled.
\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } \paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT }
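Review bot: the new sentence `Unobservable faults are generally unacceptable in a safety critical environment~\cite{unobservability}.` introduces the bib key `unobservability`; confirm it exists in the bibliography before merging, otherwise BibTeX will report an undefined citation. In the changed line `This is an interesting case, because it is, at this stage an undetectable---or unobservable---` a comma is missing after `stage`. The context line `In practise these would probably float to low values` uses the verb spelling; the noun form is `In practice`.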