Tuesday night edit

This commit is contained in:
Robin Clark 2010-11-23 19:22:43 +00:00
parent aa9e2b010b
commit 2590d5b496
2 changed files with 71 additions and 12 deletions

@ -413,7 +413,7 @@ based on hueristics or field data.
Because we have statistics for each component failure mode, Because we have statistics for each component failure mode,
we can now now classify these in terms of safe and dangerous lambda values. we can now now classify these in terms of safe and dangerous lambda values.
Detectable failure probabilities are labelled `$\lambda_D$' (for Detectable failure probabilities are labelled `$\lambda_D$' (for
dangerous) and `$\lambda_S$' (for safe) \cite{EN61508}. dangerous) and `$\lambda_S$' (for safe) \cite{en61508}.
\paragraph{Determine Detectable and Undetectable Failures.} \paragraph{Determine Detectable and Undetectable Failures.}
Each safe and dangerous failure mode is now Each safe and dangerous failure mode is now
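Review bot: the citation key is changed to `\cite{en61508}` here, but the second file in this commit adds `\cite{EN61508}` in upper case; LaTeX matches citation keys case-sensitively (and BibTeX reports a case mismatch between the two), so one spelling will come out as an undefined citation unless both keys exist in the bibliography. Pick one key and use it in both files. Two things in the surrounding lines could be fixed at the same time: "we can now now classify" duplicates "now", and "Detectable failure probabilities are labelled `$\lambda_D$' (for dangerous) and `$\lambda_S$' (for safe)" mixes detectability up with the safe/dangerous split that the previous sentence introduces; "Failure rates are labelled" would fit, since the next paragraph is where detectable and undetectable failures are determined.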
@ -504,6 +504,8 @@ become stricter for each SIL level.
Thus FMEDA uses statistical methods to determine Thus FMEDA uses statistical methods to determine
a safety level (SIL), typically used to meet an acceptable risk a safety level (SIL), typically used to meet an acceptable risk
value, specified for the environment the SYSTEM must work in. value, specified for the environment the SYSTEM must work in.
EN61508 defines in general terms,
risk assessment and required SIL levels \cite{en61508} [5 Annex A].
%the probability of %the probability of
%failures occurring, and provide an adaquate risk level. %failures occurring, and provide an adaquate risk level.
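Review bot: the added sentence "EN61508 defines in general terms, risk assessment and required SIL levels \cite{en61508} [5 Annex A]" has a stray comma after "terms", and the part locator is typed by hand after the citation; putting it in the optional argument, \cite[Part 5, Annex A]{en61508}, keeps it attached to the reference and lets the bibliography style format it. "SIL levels" also expands to "safety integrity level levels"; "required SILs" reads better. In the context line, "a safety level (SIL)" should read "a safety integrity level (SIL)", which is what the acronym stands for.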

@ -56,6 +56,10 @@ are the symptoms of the {\fg} we derived it from.
The symptoms will be detectable (like a value of of range) The symptoms will be detectable (like a value of of range)
or undetectable (like a logic state or value being incorrect). or undetectable (like a logic state or value being incorrect).
The `undetectable' failure modes are the most worrying for the safety critical designer. The `undetectable' failure modes are the most worrying for the safety critical designer.
EN61058, the statistically based European Norm, using ratios
of detected and undetected system failure modes to
classify the safety level \cite{EN61508}.
%It is these that are, generally the ones that stand out as single %It is these that are, generally the ones that stand out as single
%failure modes. %failure modes.
For instance, out of range values, are easy to detect by For instance, out of range values, are easy to detect by
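Review bot: "EN61058" in the added sentence is a digit transposition of EN61508 (the citation key on the same line and the first file in this commit both say 61508), and the sentence has no main verb: "EN61508, the statistically based European Norm, using ratios of detected and undetected system failure modes to classify the safety level" needs "uses ratios" (or the leading "EN61508," dropped). The cite key here is the upper-case `\cite{EN61508}` while the other file changes its key to `\cite{en61508}`; the two should agree. In the unchanged line above, "like a value of of range" should be "like a value out of range".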
@ -117,17 +121,38 @@ We then analsye the {\fg} and the resultant {\dc} failure modes/symptoms are dis
\subsection{Brief Circuit Description} \subsection{Brief Circuit Description}
This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$). This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$)
\footnote{The resistors used to program the gain of the op-amp would typically be of a $ \le 1\%$ guaranteed
tolerance. In practise, the small variations would be corrected with software constants prorgammed during production
test/calibration.}.
An offset is applied to the input by R18 and R22 forming a potential divider An offset is applied to the input by R18 and R22 forming a potential divider
of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of $1.86\,mV$. of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of $1.86\,mV$.
So the amplified offset is $\approx 342 \, mV$. We can determine the output of the amplifier This amplified offset
can be termed a $\Delta V$, an addition to the mV value provided by the sensor.
So the amplified offset is $\approx 342 \, mV$.
We can determine the output of the amplifier
by subtracting this amount from the reading. We can also define an acceptable by subtracting this amount from the reading. We can also define an acceptable
range for the readings. This would depend on the characteristics of milli-volt source, and also on the range for the readings. This would depend on the characteristics of milli-volt source, and also on the
thresholds of the volatges considered out of range. For the sake of example let us thresholds of the volatges considered out of range. For the sake of example let us
consider this to be a type K thermocouple amplifier, with a range of temperatures consider this to be a type K thermocouple amplifier, with a range of temperatures
expected to be within {{0}\oc} and {{300}\oc}. expected to be within {{0}\oc} and {{300}\oc}.
EXPAND \paragraph{Voltage range for {{0}\oc} to {{300}\oc}.}
Choosing the common Nickel-Chromium v. Nickel Aluminium `K' type thermocouple,
{{0}\oc} provides an EMF of 0mV, and {{300}\oc} 12.207.
Multiplying these by 184 and adding the 1.86mV offset gives
342.24mV and 2563.12mV. This is now in a suitable range to be read by
an analogue didtital converter, which will have a voltage span
typically between 3.3V and 5V on modern microcontrollers/ADC (Analogue Digital Converter) chips.
Note that this also leaves a margin or error on both sides of the range.
If the thermocouple were to become colder than {{0}\oc} it would supply
a negative voltage, which would subtract from the offset.
At around {{-47}\oc} the amplifier output would be zero;
but anything under 342.24mV is considered out of range.
Thus the ADC can comfortably read out of range values
but controlling software can determine it as invalid.
Similarly anything over 2563.12mV would be considered out of range
but would be still within comfortable reading range for an ADC.
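Review bot: the upper limit in the new paragraph does not follow from its own figures. 12.207 mV multiplied by 184 is 2246.1 mV, and adding the 342.24 mV amplified offset gives about 2588 mV, not 2563.12 mV (2563.12 mV would correspond to an input EMF of about 12.07 mV). The same sentence, "Multiplying these by 184 and adding the 1.86mV offset gives 342.24mV and 2563.12mV", adds the input-side offset after the gain; either add 1.86 mV before multiplying or add 342.24 mV afterwards, otherwise 0 mV comes out as 1.86 mV rather than 342.24 mV. Smaller points in the same hunk: the footnote is attached after the closing parenthesis but before the sentence's full stop, so the period is stranded after the footnote's closing brace; "practise" should be "practice" and "prorgammed" should be "programmed" in the footnote; "margin or error" should be "margin of error", "didtital" should be "digital", and ADC is expanded on its second use rather than its first; and "This amplified offset can be termed a $\Delta V$" comes before the amplified value ($\approx 342\,mV$) is actually stated, so the two sentences read better swapped.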
\section{FMMD Analysis} \section{FMMD Analysis}
@ -179,6 +204,8 @@ we can represent this in an FMMD hierarchy diagram, see figure \ref{fig:mvamp_fm
The table \ref{tab:fmmdaide1} shows two possible causes for an undetectable The table \ref{tab:fmmdaide1} shows two possible causes for an undetectable
error, that of a low reading due to the loss of the offset millivolt signal. error, that of a low reading due to the loss of the offset millivolt signal.
The loss of the $\Delta V$ would mean an incorrect temperature
reading would be made.
Typically this type of circuit would be used to read a thermocouple Typically this type of circuit would be used to read a thermocouple
and this error symptom, `low\_reading' would mean our plant could and this error symptom, `low\_reading' would mean our plant could
beleive that the temperature reading is lower than it actually is. beleive that the temperature reading is lower than it actually is.
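Review bot: the added sentence "The loss of the $\Delta V$ would mean an incorrect temperature reading would be made" repeats what the following context sentence already says (the plant "could beleive that the temperature reading is lower than it actually is"); folding $\Delta V$ into that sentence, e.g. "losing the $\Delta V$ lowers the reading, so the plant could believe ...", avoids saying it twice. In the context lines, "beleive" should be "believe", and "The table \ref{tab:fmmdaide1}" is better as "Table~\ref{tab:fmmdaide1}" with a non-breaking space, as the "figure \ref{...}" in the hunk header should also be.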
@ -379,9 +406,9 @@ group w.r.t the failure modes in the two derived compoennts.
\label{fig:testable_mvamp} \label{fig:testable_mvamp}
\end{figure} \end{figure}
\subsection{Analysis of FMMD Derived component `added safety milli-volt amp'} \subsection{Analysis of FMMD Derived component `testable milli-volt amp'}
The failure mode of most concern is the the `low~reading'. This has two potential The failure mode of most concern is the undetectable failure `low~reading'. This has two potential
causes in the unmodified circuit, R22\_SHORT and R18\_OPEN. causes in the unmodified circuit, R22\_SHORT and R18\_OPEN.
\paragraph{R22\_SHORT with safety addition} \paragraph{R22\_SHORT with safety addition}
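Review bot: the renamed heading `testable milli-volt amp' now agrees with the figure label \label{fig:testable_mvamp} directly above it, and removing "the the" and naming `low~reading' as the undetectable failure are both improvements; please check that any remaining references to the old name `added safety milli-volt amp' elsewhere in the chapter are updated in the same commit, and that the spelling matches the table caption "Testable Milli Volt Amplifier" added later in this file (milli-volt vs. Milli Volt). "compoennts" in the hunk header context line should be "components".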
@ -411,6 +438,31 @@ giving an out of range reading from the op-amp output.
We can group `low~reading' with `out~of~range'. We can group `low~reading' with `out~of~range'.
The `low~reading' will now becomes either `no~test~effect' or `out~of~range' depending on the $\overline{TEST\_LINE}$ state. The `low~reading' will now becomes either `no~test~effect' or `out~of~range' depending on the $\overline{TEST\_LINE}$ state.
\begin{table}[h+]
\caption{Testable Milli Volt Amplifier Single Fault FMMD} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l|c||}
\hline \hline
\textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\
\textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline
\hline
TC:1 $testcircuit$ & open potential divider & Out of range & XX 1.38 \\ \hline
\hline
TC:2 $testcircuit$ & no test effect & no test effect & XX 1.38 \\ \hline
\hline
TC:3 $mvamp$ & out of range & Out of Range & XX 1.38 \\
\hline
TC:4 $mvamp$ & low reading & Out of range \& no test effect & XX 1.38 \\
\hline
\end{tabular}
\label{tab:fmmdaide2}
\end{table}
We now have two symptoms, `out~of~range' or `no~test~effect'. So for single component failures We now have two symptoms, `out~of~range' or `no~test~effect'. So for single component failures
we now have a circuit where there are no undetectable failure modes. we now have a circuit where there are no undetectable failure modes.
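Review bot: `\begin{table}[h+]` is not a valid float placement; LaTeX accepts only h, t, b, p, H and !, and reports "Unknown float option" for the "+". Use [h] or [ht]. The last column is headed MTTF, but every cell holds the placeholder "XX 1.38", and the commented-out header reads "per $10^9$ hours of operation", which describes a failure rate (FIT), not a mean time to failure; decide which quantity the column reports and fill in the values before this is merged. Smaller points: $testcircuit$ and $mvamp$ in math mode are typeset as products of single-letter variables with no word spacing, so \textit{testcircuit} or a macro is better; TC:2 lists "no test effect" as both failure mode and symptom, where the failure-mode column should name the component fault; and the double "\hline \hline" between every row is heavier than the single rule the text's other tables use. In the context line above the table, "will now becomes" should be "will now become".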
@ -423,12 +475,17 @@ We can surmise the symptoms in a list.
\section{conclusions} \section{conclusions}
With safety addition reliability GOES DOWN ! With safety addition the undetectable failure mode of \textbf{low~reading}
But safety goes UP ! disappears. The overall reliability though goes down !
Work it out This is simply because we have more components that {\em can} fail.
Yes so we now have aditional failure modesso the reliability %% Safety vs. reliability paradox.
of the `self testing' circuit is lower than the basic one.
The sum of the MTTF's for the original circuit is DAH, and for the new one
DAH. The circuit is arguably safer now
but statistically less reliable.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
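Review bot: "The sum of the MTTF's for the original circuit is DAH, and for the new one DAH" still carries the DAH placeholders, and the quantity is the wrong one for the argument being made: for components in series the system failure rate is the sum of the component failure rates, and the system MTTF is the reciprocal of that sum, so summing MTTFs would make the circuit with more components look more reliable, the opposite of the paragraph's own conclusion that reliability goes down because there are more components that can fail. Report the summed failure rates (or the MTTF derived from them) for the two circuits instead. Also: "aditional failure modesso" should be "additional failure modes, so"; the spaced exclamation in "goes down !" and the lower-case \section{conclusions} are inconsistent with the title-case headings (\section{FMMD Analysis}, \subsection{Brief Circuit Description}) and sentence punctuation used in the rest of the file.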