polish polish

This commit is contained in:
Robin Clark 2013-09-26 16:41:29 +01:00
parent ea92956ec8
commit 35078d32b8
2 changed files with 245 additions and 173 deletions


@ -159,14 +159,14 @@ and analysed as such; see table~\ref{tbl:pdneg}.
% Potential divider failure modes % Potential divider failure modes
% %
\node[symptom] (PDHIGH) at (\layersep*2,-0.5) {$IPD_{HIGH}$}; \node[symptom] (IPDHIGH) at (\layersep*2,-0.5) {$IPD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-2.4) {$IPD_{LOW}$}; \node[symptom] (IPDLOW) at (\layersep*2,-2.4) {$IPD_{LOW}$};
\path (R1OPEN) edge (PDLOW); \path (R1OPEN) edge (IPDLOW);
\path (R2SHORT) edge (PDLOW); \path (R2SHORT) edge (IPDLOW);
\path (R2OPEN) edge (PDHIGH); \path (R2OPEN) edge (IPDHIGH);
\path (R1SHORT) edge (PDHIGH); \path (R1SHORT) edge (IPDHIGH);
\end{tikzpicture} \end{tikzpicture}
% %
@ -176,7 +176,10 @@ and analysed as such; see table~\ref{tbl:pdneg}.
% %
% %
A {\dc} can be formed from the analysis results in table~\ref{tbl:pdneg} %this, A {\dc} can be formed from the analysis results in table~\ref{tbl:pdneg} %this,
and called an inverted potential divider ($IPD$). and called an inverted potential divider ($IPD$) with the following failure modes:
$$ fm ( IPD ) = \{ IPDHIGH, IPDLOW \} $$
%\clearpage
% %
The final stage of analysis for this amplifier, is made by The final stage of analysis for this amplifier, is made by
by forming a {\fg} with the OpAmp and the new {\dc} $IPD$. by forming a {\fg} with the OpAmp and the new {\dc} $IPD$.
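Review bot: The new display `$$ fm ( IPD ) = \{ IPDHIGH, IPDLOW \} $$` omits the terminating period that every other `fm(...)` display in the file carries (compare `$$ fm(INVAMP) = \{ LOW, HIGH, LOWPASS\} .$$`), and it spells the symptoms `IPDHIGH`/`IPDLOW` while the tikz nodes renamed in the hunk just above still label them `$IPD_{HIGH}$` and `$IPD_{LOW}$`; pick one spelling so the figure and the set can be read against each other. The doubled "by" in the unchanged context, "is made by" followed by "by forming a {\fg}", also survives the polish.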
@ -325,10 +328,10 @@ to traverse from system level or top failure modes to base component failure mod
\label{subsec:invamp2} \label{subsec:invamp2}
% %
The problem above is analysed without using an intermediate $IPD$ In this second approach the inverting amplifier is analysed without using an intermediate $IPD$
derived component. derived component.
% %
If the input voltage was not constrained to being positive this one stage analysis would be necessary. If the input voltage was not constrained to being positive this `one~stage' analysis would be necessary.
% %
% %
This concern is re-visited in the differencing amplifier example in the next section. This concern is re-visited in the differencing amplifier example in the next section.
@ -377,10 +380,14 @@ This concern is re-visited in the differencing amplifier example in the next sec
\label{tbl:invamp} \label{tbl:invamp}
\end{table} \end{table}
Collecting the symptoms of failure from table~\ref{tbl:invamp} a {\dc}, $INVAMP$, is formed where:
$$ fm(INVAMP) = \{ LOW, HIGH, LOWPASS\} .$$
%\clearpage %\clearpage
\subsection{Comparison between the two approaches} \subsection{Comparison between the two approaches}
\label{sec:invampcc} \label{sec:invampcc}
%
The first analysis used two FMMD stages. The first analysis used two FMMD stages.
% %
The first stage analysed an inverted potential divider %, analyses its failure modes, The first stage analysed an inverted potential divider %, analyses its failure modes,
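Review bot: The new sentence "Collecting the symptoms of failure from table~\ref{tbl:invamp} a {\dc}, $INVAMP$, is formed where:" needs a comma after the table reference, and the display that follows puts a space before the period (`\} .$$`) where the `FirstOrderLP` display later in the file uses `\}.$$`; use one form throughout.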
@ -405,7 +412,8 @@ All FMEA is performed in the context of the environment and functionality of the
under analysis. under analysis.
This example shows that for the condition where the input voltage This example shows that for the condition where the input voltage
is constrained to being positive, two levels of decomposition can be applied. is constrained to being positive, two levels of decomposition can be applied.
For the unconstrained case, it is necessary to consider all three components as one larger {\fg}. For the unconstrained case, i.e. where the input could be positive or negative,
it is necessary to consider all three components as one larger {\fg}.
@ -430,7 +438,9 @@ electrically load the previous stage.
%the sensors or circuitry supplying the voltage signals used for measurement. %the sensors or circuitry supplying the voltage signals used for measurement.
Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers, Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers,
this is a useful circuit wherever a high impedance differencing amplifier is required. this is a useful circuit wherever a high impedance differencing amplifier is required.
It is a configuration that will be used in many electronic circuits. %
This is a configuration that is commonly used in electronic circuits.
%
It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$. It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
% %
Identifying {\fgs} from the components in the circuit is the starting point for analysis. Identifying {\fgs} from the components in the circuit is the starting point for analysis.
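Review bot: The unchanged context line "It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$." has a misplaced comma; either "It would therefore be desirable" or "It would, therefore, be desirable", and "called say $DiffAMP$" reads better as "called, say, $DiffAMP$".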
@ -621,6 +631,7 @@ The circuit in figure~\ref{fig:circuit2} shows a five pole low pass filter.
% %
Starting at the input, there is a first order low pass filter buffered by an op-amp, Starting at the input, there is a first order low pass filter buffered by an op-amp,
the output of this is passed to a Sallen~Key~\cite{aoe}[p.267]~\cite{electronicssysapproach}[p.288] second order low-pass filter. the output of this is passed to a Sallen~Key~\cite{aoe}[p.267]~\cite{electronicssysapproach}[p.288] second order low-pass filter.
%
The output of this is passed into another Sallen~Key filter. % -- which although it may have different values The output of this is passed into another Sallen~Key filter. % -- which although it may have different values
%for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective. %for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective.
The first Sallen~Key low pass filter is analysed and then re-used The first Sallen~Key low pass filter is analysed and then re-used
@ -639,8 +650,8 @@ for the second stage
\subsection{First Order Low Pass Filter} \subsection{First Order Low Pass Filter}
\label{sec:lp} \label{sec:lp}
% WEEEE ECUNT %
Starting with the first order low pass filter formed by $R10$ and $C10$. Following the signal path from the input, the first order low pass filter formed by $R10$ and $C10$, is encountered.
% %
This configuration (or {\fg}) is very commonly This configuration (or {\fg}) is very commonly
used %in electronics used %in electronics
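Review bot: In the reworded opening sentence the comma in "the first order low pass filter formed by $R10$ and $C10$, is encountered" separates the subject from its verb; drop it, or rephrase as "Following the signal path from the input, the first stage encountered is the first order low pass filter formed by $R10$ and $C10$."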
@ -693,15 +704,21 @@ called $FirstOrderLP$.
% %
Applying the $fm$ function yields: $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$ Applying the $fm$ function yields: $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
% %
This simple filter is not robust to circuit loading, that is, in electronics terms it has a high output impedance.
%
This means that were it to be overloaded by a subsequent stage of the circuit
its signal processing properties could be altered.
%
\subsection{Addition of Buffer Amplifier: First stage} \subsection{Addition of Buffer Amplifier: First stage}
% %
The op-amp IC1 is being used simply as a buffer. The op-amp IC1 is being used simply as a buffer.
\fmmdglossOPAMP \fmmdglossOPAMP
% %
By placing it between the stages %next stages By placing it between the stages %next stages
on the signal path the possibility of unwanted signal feedback is avoided. on the signal path the possibility of unwanted signal feedback to the low-pass filter, formed by C10 and R10, is avoided.
% %
The buffer is one of the simplest op-amp configurations. The buffer is one of the simplest op-amp configurations.
%
\fmmdglossOPAMP \fmmdglossOPAMP
% %
It has no other components, and a {\fg} is formed It has no other components, and a {\fg} is formed
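Review bot: The new paragraph motivates the buffer by loading ("not robust to circuit loading ... high output impedance"), but the reworded buffer sentence says the buffer avoids "unwanted signal feedback to the low-pass filter, formed by C10 and R10"; these are different justifications, and loading is the one the preceding paragraph set up. Suggest "so that the low-pass filter formed by $R10$ and $C10$ is not loaded by the following stage", which also restores the `$R10$`/`$C10$` math-mode spelling used two paragraphs earlier instead of plain "C10 and R10".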
@ -807,9 +824,11 @@ A derived component is created to represent the Sallen Key low pass filter, call
$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal . \} $$ $$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal . \} $$
% %
% %
\subsection{A failure mode model of Op-Amp Circuit 2} \clearpage
% %
A {\dcs} representing the three stages of this filter is created following \subsection{A failure mode model of the five pole Sallen Key filter}
%
A {\dc} representing the three stages of this filter is created following
the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}). the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}).
% %
% %
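Review bot: Changing "{\dcs}" to "{\dc}" in "A {\dc} representing the three stages of this filter is created" makes the sentence singular while it describes three stages that the next hunk lists as three derived components, $\{ LP1, SKLP_1, SKLP_2 \}$; the intended fix is probably "{\dcs} representing the three stages of this filter are created". Separately, the unchanged display `$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal . \} $$` has its period inside the set braces.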
@ -832,9 +851,11 @@ and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIV
% %
%\pagebreak[4] %\pagebreak[4]
% %
So the final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$. So the final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$.
% %
The FMMD hierarchy is shown in figure~\ref{fig:circuit2h}. This is analysed in table~\ref{tbl:fivepole}.
%
The resulting FMMD hierarchy is shown in figure~\ref{fig:circuit2h}.
% %
% %
% HTR 20OCT2012 \begin{figure}[h]+ % HTR 20OCT2012 \begin{figure}[h]+
@ -904,8 +925,9 @@ The FMMD hierarchy is shown in figure~\ref{fig:circuit2h}.
\clearpage \clearpage
% %
A {\dc} is created to represent the circuit in figure~\ref{fig:circuit2}, called A {\dc} is created to represent the circuit in figure~\ref{fig:circuit2}, called
$FivePoleLP$: applying the $fm$ function (see table~\ref{tbl:fivepole}) $FivePoleLP$: applying the $fm$ function (see table~\ref{tbl:fivepole}) yields:
yields $$fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}.$$ %
$$fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}.$$
% %
% %
%\pagebreak[4] %\pagebreak[4]
@ -1038,7 +1060,7 @@ $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$
% %
At this point all the {\dcs} could be collected into one large functional At this point all the {\dcs} could be collected into one large functional
group (see figure~\ref{fig:bubbaeuler1}) %{fig:poss1finalbubba}) group (see figure~\ref{fig:bubbaeuler1}) %{fig:poss1finalbubba})
or merged in smaller stages, which will have the side-effect of or merged in smaller stages, which would have the side-effect of
creating intermediate {\dcs}. creating intermediate {\dcs}.
% %
Initially the first identified {\fgs} are used to create the {\fm} model without further stages of refinement/hierarchy. Initially the first identified {\fgs} are used to create the {\fm} model without further stages of refinement/hierarchy.
@ -1125,7 +1147,7 @@ It should be possible to determine smaller {\fgs} and refine the model further.
\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator.} \paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator.}
% %
The pre-analysed $NIBUFF$ and $PHS45$ The pre-analysed $NIBUFF$ and $PHS45$
{\dcs} are used to form a {\fg}, analysed in appendix~\ref{tbl:buff45}, giving the {\dcs} are used to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the
{\dc} $BUFF45$. {\dc} $BUFF45$.
% %
%Thus, %Thus,
@ -1140,18 +1162,18 @@ Together these apply a $135^{\circ}$ phase shift to the signal.
This property is used to model a higher level {\dc}, that of a $135^{\circ}$ phase shifter. This property is used to model a higher level {\dc}, that of a $135^{\circ}$ phase shifter.
% %
The three $BUFF45$ {\dcs} form a The three $BUFF45$ {\dcs} form a
{\fg} which is analysed in appendix~\ref{tbl:phs135buffered}. {\fg} which is analysed in table~\ref{tbl:phs135buffered}.
% %
The result of this analysis is the {\dc} The result of this analysis is the {\dc}
$PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter. $PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter.
% %
This is shown in the Euler diagram in figure~\ref{fig:bubbaeuler2}.
\paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator.} \paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator.}
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.}, A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.},
form a {\fg} form a {\fg}
providing an amplified $225^{\circ}$ phase shift, analysed in appendix~\ref{tbl:phs225amp} providing an amplified $225^{\circ}$ phase shift, analysed in table~\ref{tbl:phs225amp}
resulting in the {\dc} $PHS225AMP$. resulting in the {\dc} $PHS225AMP$.
% %
Applying FMMD the {\dc} $PHS225AMP$ is created with the following failure modes: Applying FMMD the {\dc} $PHS225AMP$ is created with the following failure modes:
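Review bot: The deleted sentence "This is shown in the Euler diagram in figure~\ref{fig:bubbaeuler2}." was the only reference to `fig:bubbaeuler2` visible in this region; unless the figure is referenced elsewhere it will now float with no pointer from the text, so either keep a reference or remove the figure environment along with it.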
@ -1159,32 +1181,32 @@ $$
fm (PHS225AMP) = \{ 180\_phaseshift, NO\_signal \}. % 270\_phaseshift, fm (PHS225AMP) = \{ 180\_phaseshift, NO\_signal \}. % 270\_phaseshift,
$$ $$
% %
A final {\fg} is formed with $PHS135BUFFERED$ and $PHS225AMP$. % A final {\fg} is formed with $PHS135BUFFERED$ and $PHS225AMP$.
% % %
This {\fg} is analysed in appendix~\ref{detail:BUFF45} giving a {\dc}, $BUFF45$, which has the following failure modes: % This {\fg} is analysed in appendix~\ref{detail:BUFF45} giving a {\dc}, $BUFF45$, which has the following failure modes:
$$ % $$
fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \} .% 90\_phaseshift, % fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \} .% 90\_phaseshift,
$$ % $$
% % %
%$$ CC(BUFF45) = 7 \times 1 = 7 $$ % %$$ CC(BUFF45) = 7 \times 1 = 7 $$
% % %
Three $BUFF45$ {\dcs} form a {\fg}, and after FMMD analysis % Three $BUFF45$ {\dcs} form a {\fg}, and after FMMD analysis
we create a $PHS135BUFFERED$ {\dc}. % we create a $PHS135BUFFERED$ {\dc}.
% % %
The FMMD analysis table is in appendix~\ref{detail:PHS135BUFFERED}. % % The FMMD analysis table is in appendix~\ref{detail:PHS135BUFFERED}. %
% % %
% % %
% % %
%$$ CC (PHS135BUFFERED) = 3 \times 2 = 6 $$ % %$$ CC (PHS135BUFFERED) = 3 \times 2 = 6 $$
% % %
% % %
% % %
The $PHS225AMP$ consists of a $PHS45$, providing $45^{\circ}$ of phase shift, and an % The $PHS225AMP$ consists of a $PHS45$, providing $45^{\circ}$ of phase shift, and an
$INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$. % $INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$.
% % %
Detailed FMMD analysis may be found in appendix~\ref{detail:PHS225AMP}. % Detailed FMMD analysis may be found in appendix~\ref{detail:PHS225AMP}.
% % %
The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift). % The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift).
% %
To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together
and perform FMEA with these (see appendix~\ref{detail:BUBBAOSC}), to obtain a model for the Bubba Oscillator. and perform FMEA with these (see appendix~\ref{detail:BUBBAOSC}), to obtain a model for the Bubba Oscillator.
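Review bot: Commenting out the block from "A final {\fg} is formed with $PHS135BUFFERED$ and $PHS225AMP$" down to "The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$" drops the only statement of `fm (BUFF45)` in this section: the paragraph above now ends at "giving the {\dc} $BUFF45$" without listing its failure modes, whereas $PHS225AMP$ still gets its `fm` display. Either restate `fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \}` next to the table reference or say explicitly that table~\ref{tbl:buff45} lists them. Since the file is under version control, deleting the dead block is preferable to leaving twenty-odd commented lines, including the `detail:BUFF45` and `detail:PHS135BUFFERED` appendix references that are no longer cited from live text.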
@ -1209,7 +1231,7 @@ $$
% This has meant a drastic reduction in the number of failure-modes to check against components. % This has meant a drastic reduction in the number of failure-modes to check against components.
%It has %also %It has %also
This more decomposed approach has This more decomposed approach has
given us five {\dcs}, %building blocks, identified five {\dcs}, %building blocks,
which could % which could %
potentially be re-used in other projects. potentially be re-used in other projects.
%potentially be re-used for similar circuitry %potentially be re-used for similar circuitry
@ -1234,17 +1256,24 @@ more reasoning stages, i.e. FMMD analysis stages with their associated analysis
% HTR of complexity comparison. % HTR of complexity comparison.
% %
\subsection{Conclusion} \subsection{Conclusion}
%
With FMMD there is always a choice for the membership of {\fgs}. With FMMD there is always a choice for the membership of {\fgs}.
%
This example has shown that the simple approach, identifying This example has shown that the simple approach, identifying
initial {\fgs} and using them to build a large {\fg} to model the circuit initial {\fgs} and using them to build a large {\fg} to model the circuit
gives a valid result. gives a valid result.
%
However, it involves a large reasoning distance, the final stage However, it involves a large reasoning distance, the final stage
having 24 failure modes to consider against each of the other seven {\dcs}. having 24 failure modes to consider against each of the other seven {\dcs}.
%
A finer grained approach produces more potentially re-usable {\dcs} and A finer grained approach produces more potentially re-usable {\dcs} and
involves several stages with lower reasoning distances. involved several stages with an overall lower reasoning distance.
%
The lower reasoning distances, or complexity comparison figures are given in the metrics chapter~\ref{sec:chap7} The lower reasoning distances, or complexity comparison figures are given in the metrics chapter~\ref{sec:chap7}
at section~\ref{sec:bubbaCC}. in section~\ref{sec:bubbaCC}.
These show that the finer grained models also benefit from lower reasoning distances for the failure mode model. %
This example demonstrates that the finer grained models
benefit from lower reasoning distances for the failure mode model.
\clearpage \clearpage
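Review bot: Tense drifts in the reworded conclusion: "A finer grained approach produces more potentially re-usable {\dcs} and involved several stages" mixes present and past; "involves" matches the rest of the paragraph. "The lower reasoning distances, or complexity comparison figures are given" needs a comma after "figures" to close the appositive. The last two sentences both say the finer grained model has the lower reasoning distance, once as a pointer to chapter~\ref{sec:chap7} and once as the conclusion; one would do.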
@ -1368,12 +1397,14 @@ The feedback voltage for the ADC is supplied via $R1$, this voltage is called $V
$R2$ and $R1$ form a summing junction to IC1: they balance the integrator provided $R2$ and $R1$ form a summing junction to IC1: they balance the integrator provided
by the capacitor C1 and the opamp IC1. by the capacitor C1 and the opamp IC1.
% %
This can be the first {\fg} and it is analysed in table~\ref{detail:SUMJINT}: %{tbl:sumjint}. This can be the first {\fg} and it is analysed in appendix~\ref{detail:SUMJINT}: %{tbl:sumjint}.
% %
$$FG = \{R1, R2, IC1, C1 \} .$$ $$FG = \{R1, R2, IC1, C1 \} .$$
% %
That is, the failure modes (see FMMD analysis at~\ref{detail:SUMJINT}) of the new {\dc} That is, the failure modes (see FMMD analysis at~\ref{detail:SUMJINT}) of the new {\dc}
$SUMJINT$ are $$\{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$ $SUMJINT$ are:
%
$$fm(SUMJINT) = \{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
% %
%\clearpage %\clearpage
% %
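Review bot: With the first reference now reading "analysed in appendix~\ref{detail:SUMJINT}", the second one three lines later, "see FMMD analysis at~\ref{detail:SUMJINT}", is redundant and also lacks the word "appendix" before the bare `\ref`; keep one of the two.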
@ -1476,6 +1507,7 @@ These are:
\item DL2AL --- A digital to analog level converter, \item DL2AL --- A digital to analog level converter,
\item DIGBUF --- A digital one bit buffer/memory. \item DIGBUF --- A digital one bit buffer/memory.
\end{itemize} \end{itemize}
%
These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}. These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}.
% %
These {\dcs} can now be used to create higher level {\fgs}. These {\dcs} can now be used to create higher level {\fgs}.
@ -1589,7 +1621,7 @@ The {\dc} hierarchy is shown in figure~\ref{fig:eulersdfinal}.
% The output from this is sent to the summing integrator as the signal summed with the input. % The output from this is sent to the summing integrator as the signal summed with the input.
\subsection{Conclusion} \subsection{Conclusion}
The {\sd} example, shows that FMMD can be applied to mixed digital and analogue circuitry: The {\sd} example, shows that FMMD can be applied to mixed digital and analogue circuitry:
which means the analogue/digital interface is also achieved. which means that analysis of the analogue/digital interface is achievable using FMMD.
% %
This This
leads onto interfacing to software and digital~systems in the next chapter. leads onto interfacing to software and digital~systems in the next chapter.
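Review bot: "mixed digital and analogue circuitry: which means that analysis of the analogue/digital interface is achievable using FMMD" uses a colon where a comma belongs, and the unchanged "The {\sd} example, shows" separates the subject from its verb with a comma.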
@ -1643,12 +1675,14 @@ industrial applications below 600\oc, due to high accuracy\cite{aoe}.
\subsection{General Description of Pt100 four wire circuit} \subsection{General Description of Pt100 four wire circuit}
%
\label{Pt100range} \label{Pt100range}
%
The Pt100 four wire circuit uses two wires to supply a small electrical current, The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two. and returns two sense voltages over the other two.
% %
By measuring voltages By measuring voltages
from sections of this circuit forming potential dividers, the from sections of this circuit, which forms potential dividers, the
resistance of the platinum wire sensor can be determined. resistance of the platinum wire sensor can be determined.
% %
%The resistance %The resistance
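Review bot: The rewording "from sections of this circuit, which forms potential dividers" attaches the relative clause to "circuit", so it now reads as the whole circuit forming one divider, whereas the original "sections ... forming potential dividers" said each section is a divider; "from sections of this circuit that form potential dividers" keeps the original meaning.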
@ -1660,7 +1694,7 @@ resistance of the platinum wire sensor can be determined.
\centering \centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 expected voltage ranges} \caption{Pt100 expected voltage ranges for a temperature range of $0^\circ$ to $300^\circ$} centigrade
\label{fig:Pt100vrange} \label{fig:Pt100vrange}
\end{figure} \end{figure}
% %
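Review bot: In the new caption the word "centigrade" sits after the closing brace, `\caption{... $0^\circ$ to $300^\circ$} centigrade`, so it will be typeset as body text inside the figure environment rather than in the caption. Move it inside, and since the rest of the file writes temperatures as `{0\oc}` and `{300\oc}`, use that macro here too: `\caption{Pt100 expected voltage ranges for a temperature range of {0\oc} to {300\oc}}`.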
@ -1683,17 +1717,17 @@ and the higher as {\em sense+}.
%For electronic and accuracy reasons, a four wire circuit is preferred %For electronic and accuracy reasons, a four wire circuit is preferred
%because of resistance in the cables. %because of resistance in the cables.
% %
Resistance from the supply Resistance from the supply cables
causes a slight voltage causes a slight voltage
drop in the supply to the $Pt100$. drop in the supply to the $Pt100$.
% %
As no significant current As no significant current
is carried by the two `sense' lines, the resistance back to the ADC is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire causes only a negligible voltage drop, and thus a four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across configuration is more accurate\footnote{The increased accuracy is because the voltage measured is the voltage across
the thermistor only and not the voltage across the thermistor and current supply wire resistance.}. the thermistor only and not the voltage across the thermistor and current supply wire resistance.}.
\paragraph{Calculating Temperature from the sense line voltages} \paragraph{Calculating Temperature from the sense line voltages.}
The current flowing though the The current flowing though the
whole circuit can be measured on the PCB by reading a third whole circuit can be measured on the PCB by reading a third
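Review bot: The unchanged line "The current flowing though the" has "though" for "through". Also, the reworded footnote still calls the sensor "the thermistor" while this section describes it as a "platinum wire sensor" and a "$Pt100$"; a Pt100 is a platinum resistance element, not a thermistor, and the same word recurs in a later hunk ("$R_3$ is the Pt100 thermistor"), so it is worth a global replace.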
@ -1706,9 +1740,9 @@ resistance is calculated by Ohms law $V=I.R$, $R=\frac{V}{I}$.
%does not impinge on accuracy. %does not impinge on accuracy.
% %
The resistance to temperature conversion is achieved The resistance to temperature conversion is achieved
through the published $Pt100$ tables\cite{eurothermtables}. through published $Pt100$ tables\cite{eurothermtables}.
% %
The standard voltage divider equations (see figure \ref{fig:vd} and Standard voltage divider equations (see figure \ref{fig:vd} and
equation \ref{eqn:vd}) can be used to calculate equation \ref{eqn:vd}) can be used to calculate
expected voltages for failure mode and temperature reading purposes. expected voltages for failure mode and temperature reading purposes.
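Review bot: The unchanged context in the hunk header, "resistance is calculated by Ohms law $V=I.R$", wants "Ohm's law"; a small thing, but it is the kind of line a polish commit is for.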
@ -1733,7 +1767,10 @@ firstly presents an FMEA analysis which is then supported by
detail and calculations of the type that would be submitted to an approval agency. detail and calculations of the type that would be submitted to an approval agency.
% %
Detailed potential divider calculations and the effect of component tolerances Detailed potential divider calculations and the effect of component tolerances
are factored for each test case in the FMEA table~\ref{sec:singlePt100FMEA}. are factored for germane test cases.
%
The analysis is presented in the FMEA table~\ref{ptfmea}. %{sec:singlePt100FMEA}.
%
The next section~\ref{sec:Pt100d}, extends this analysis for double failure scenarios. The next section~\ref{sec:Pt100d}, extends this analysis for double failure scenarios.
%{sec:Pt100d} %{sec:Pt100d}
% This sub-section looks at the behaviour of the $Pt100$ four wire circuit % This sub-section looks at the behaviour of the $Pt100$ four wire circuit
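Review bot: "are factored for germane test cases" replaces a concrete pointer with "germane", which does not tell the reader which test cases get the tolerance treatment; say which (for example the boundary readings of the range check) or keep the original sentence and only fix its reference. The new sentence "The analysis is presented in the FMEA table~\ref{ptfmea}" makes the retired `sec:singlePt100FMEA` reference redundant, so the trailing `%{sec:singlePt100FMEA}` comment can go.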
@ -1757,15 +1794,15 @@ The next section~\ref{sec:Pt100d}, extends this analysis for double failure scen
%\label{fmea} %\label{fmea}
The Pt100 circuit consists of three resistors, two `current~supply' The Pt100 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires. wires and two `sensor' wires.
Resistors, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, Resistors, are considered to fail by either going OPEN or SHORT. % (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. %and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as %Should wires become disconnected these will have the same effect as
%given resistors going open. %given resistors going open.
For the purpose of this analyis; For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, $R_{1}$ is a \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$ \ohms{2k2} connects the thermistor to ground. $R_3$ is the Pt100 thermistor and $R_{2}$, also \ohms{2k2}, connects the thermistor to ground.
The terms `High Fault' and `Low Fault' are be defined here with reference to figure The terms `High Fault' and `Low Fault' are defined here with reference to figure
\ref{fig:Pt100vrange}. \ref{fig:Pt100vrange}.
% %
Should a reading be outside the safe green zone Should a reading be outside the safe green zone
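Review bot: Commenting out "(see section~\ref{sec:res_fms})" removes the only in-text justification for "Resistors, are considered to fail by either going OPEN or SHORT", which is the assumption the whole single-fault table rests on; the EN298/FMD-91 footnote explaining why parameter drift is omitted is already commented out on the next line. Keep a live pointer to wherever the resistor failure modes are established. Same hunk: "analyis" for "analysis", the stray comma in "Resistors, are considered", and "$R_{1}$ is a \ohms{2k2} from 5V" wants "a \ohms{2k2} resistor from 5V".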
@ -1775,10 +1812,10 @@ Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'. and if below a `Low Fault'.
% %
Table~\ref{ptfmea} plays through the scenarios of each of the resistors failing Table~\ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. in both SHORT and OPEN failure modes, and hypothesises error conditions in the readings.
% %
The temperature range {0\oc} to {300\oc} will be used to determine potential divider voltage outputs (see section~\ref{sec:ptbounds}), The temperature range {0\oc} to {300\oc} will be used to determine potential divider voltage outputs,
and these used to validate the FMEA in table~\ref{ptfmea}. and these later used to validate the FMEA in table~\ref{ptfmea}.
\begin{table}[ht] \begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table \caption{Pt100 FMEA Single Faults} % title of Table
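Review bot: "and these later used to validate the FMEA" has lost its verb ("and these are later used"), and dropping "(see section~\ref{sec:ptbounds})" leaves "later" without a pointer to the bounds calculation it refers to; keep the reference, since `\label{sec:ptbounds}` is still defined further down.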
@ -1803,14 +1840,14 @@ $R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
\label{ptfmea} \label{ptfmea}
\end{table} \end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit From table \ref{ptfmea} it can be seen that any single component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'. will cause a common symptom, that of one or more of the values being `out~of~range'.
% %
%Temperature range calculations and detailed calculations %Temperature range calculations and detailed calculations
%on the effects of each test case are found in section \ref{Pt100range} %on the effects of each test case are found in section \ref{Pt100range}
%and \ref{Pt100temp}. %and \ref{Pt100temp}.
\paragraph{Consideration of Resistor Tolerance} \paragraph{Consideration of Resistor Tolerance.}
\label{sec:resistortolerance} \label{sec:resistortolerance}
% %
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not %The separate sense lines ensure the voltage read over the Pt100 thermistor are not
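Review bot: "will cause a common symptom" strengthens the original "should cause"; the table supports it only for the six single resistor faults listed, and only once the resistor tolerance paragraph that follows has been accounted for, so "will" overstates until that is shown. "Any of the single component failures in table~\ref{ptfmea} causes" is what the evidence backs. The hunk's context row "$R_2$ SHORT & - & Low Fault & Value Out of Range Value" has a duplicated "Value".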
@ -1827,7 +1864,7 @@ a narrow temperature range, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}} %\glossary{{PCB}{Printed Circuit Board}}
% %
To calculate the resistance of the Pt100 element % (and thus derive its temperature), To calculate the resistance of the Pt100 element % (and thus derive its temperature),
the voltage over it is read the voltage over it---i.e. $ sense+ \; - \; sense-$---is read
and with the current flowing through it, its resistance can be found. and with the current flowing through it, its resistance can be found.
%must be measured. %must be measured.
% %
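Review bot: `$ sense+ \; - \; sense-$` typesets the signal names as products of italic letters with math spacing; `$\mathit{sense+} - \mathit{sense-}$`, or `{\em sense+} $-$ {\em sense-}` to match how the names are introduced earlier ("the higher as {\em sense+}"), reads as intended.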
@ -1850,7 +1887,9 @@ and then using $I$, $R_{3} = \frac{V_{R3}}{I}$.}.
$Pt100$ resistors are designed to $Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
% %
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} A suitable %`wider than to be expected range'
expected temperature range
was considered to be {0\oc} to {300\oc}
for a given application. for a given application.
% %
According to the Eurotherm Pt100 According to the Eurotherm Pt100
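Review bot: Replacing "A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}" with "A suitable expected temperature range" changes the argument: the original said the check bounds are deliberately wider than the temperatures the application will see, which is why an in-range reading can be taken as evidence that no resistor has failed without the check tripping in normal operation; the new wording makes 0 to 300 the operating range itself. Keep the margin explicit, e.g. "A range wider than the temperatures expected in the application, {0\oc} to {300\oc}, was chosen".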
@ -1860,27 +1899,31 @@ and \ohms{212.02} respectively.
From this the potential divider circuit can be From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined. analysed and the maximum and minimum acceptable voltages determined.
% %
These can be used as bounds results to apply the findings from the These can be used as bounds results to validate %the findings from the
Pt100 FMEA analysis in section~\ref{sec:Pt100floating}. %\ref{fmea}. the Pt100 FMEA analysis. % in section~\ref{sec:Pt100floating}. %\ref{fmea}.
% %
As the Pt100 forms a potential divider with the \ohms{2k2} load resistors, As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings are calculated thus: the upper and lower readings are calculated thus:
% %
% %
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} ,$$ $$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} \; $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} .$$ and
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} \; .$$
% %
So by defining an acceptable measurement/temperature range, So by defining an acceptable measurement/temperature range,
and ensuring the and ensuring the
values are always within these bounds, there is confidence that none of the values are always within these bounds, there should be confidence that none of the
resistors in this circuit have failed. resistors in this circuit have failed.
% %
% %
\label{sec:ptbounds} \label{sec:ptbounds}
% %
To convert these to twelve bit ADC (\adctw) counts: To convert these to twelve bit ADC (\adctw)\footnote{An {\adctw} with a 5V Vref is assumed for this example. Raw ADC counts
would typically be used in software routines validating range/values in safety critical readings.} counts:
% %
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} , $$ $$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
%
and
% %
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$ $$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$
% %
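Review bot: The four displays mix `Pt100` and `pt100` for the same term within one equation (`\frac{2k2+Pt100}{2k2+2k2+pt100}`); use one. For the {\adctw} conversion, `2^{12}` times the ratio reaches 4096 at full scale, but a 12-bit converter's maximum code is $2^{12}-1 = 4095$, and the new footnote's assumption (5 V Vref) should also say whether counts are truncated or rounded, since the bounds in table~\ref{ptbounds} are exactly what the software range check will compare integer ADC readings against. "These can be used as bounds results to validate the Pt100 FMEA analysis" reads oddly; "as bounds against which to validate" is clearer.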
@ -1890,8 +1933,7 @@ $$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$
\centering % used for centering table \centering % used for centering table
\begin{tabular}{||c|c|c|l|l||} \begin{tabular}{||c|c|c|l|l||}
\hline \hline \hline \hline
\textbf{Temperature} & \textbf{Pt100 resistance} & \textbf{Temperature} & \textbf{Pt100 resistance} & \textbf{sense-} & \textbf{sense+} & \textbf{Description} \\
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline \hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\ % {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline % & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
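Review bot: The column spec `{||c|c|c|l|l||}` now centres `sense-` but left-aligns `sense+`; both columns hold the same kind of data (voltages and ADC counts, as in the commented rows `2.46V & 2.53V` and `2017\adctw & 2079\adctw`), so they should share an alignment. The single-row header is clearer than the old two-row one, but it relies on the reader knowing that `sense-` and `sense+` are the `lowreading` and `highreading` of the equations immediately above, which this commit did not rename; either rename those or say so in the caption.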
@ -1904,8 +1946,8 @@ $$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$
\label{ptbounds} \label{ptbounds}
\end{table} \end{table}
% %
Table~\ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that Table~\ref{ptbounds} gives ranges that determine correct operation. It will be shown that
for any single error (short or opening of any resistor) this bounds check for any single error (shorting or opening of any resistor) this bounds check
will detect it. will detect it.
% %
% %
@ -1942,34 +1984,34 @@ will detect it.
% take the mean square error of these accuracy figures~\cite{probstat}. % take the mean square error of these accuracy figures~\cite{probstat}.
% %
% %
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit} \paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.}
% %
% %
\ifthenelse{\boolean{pld}} % % % % \ifthenelse{\boolean{pld}}
{ % % % % {
\paragraph{Single Fault Modes as PLD.} % % % % \paragraph{Single Fault Modes as PLD.}
% % % % % %
The component~failure~modes in table \ref{ptfmea} can be represented as contours % % % % The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram. % % % % on a PLD diagram.
Each test case, is defined by the contours that enclose % % % % Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only % % % % it. The test cases here deal with single faults only
and are thus enclosed by one contour each. % % % % and are thus enclosed by one contour each.
\fmodegloss % % % % \fmodegloss
\begin{figure}[h] % % % % \begin{figure}[h]
\centering % % % % \centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png} % % % % \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 % % % % % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes} % % % % \caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc} % % % % \label{fig:Pt100_tc}
\end{figure} % % % % \end{figure}
} % \ifthenelse {\boolean{pld}} % % % % } % \ifthenelse {\boolean{pld}}
% %
%ating input Fault %ating input Fault
This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings. This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings.
% %
To establish the valid voltage ranges for these, and knowing our To establish the valid voltage ranges for these, and knowing the
valid temperature range for this example ({0\oc} .. {300\oc}) valid temperature range for this example ({0\oc} .. {300\oc})
valid voltage reading ranges can be calculated by using the standard voltage divider equation \ref{eqn:vd} valid voltage reading ranges have been calculated by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}. for the circuit shown in figure \ref{fig:vd}.
% %
% %
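Review bot: Commenting out the whole `\ifthenelse{\boolean{pld}}` block with a `% % % %` prefix also disables the `\fmodegloss` call inside it; if that glossary entry is still referenced from this section it will now be missing, so either move the call outside the commented block or confirm it is produced elsewhere. Leaving the block in place with the `pld` boolean false, or wrapping it in the `comment` package's environment, would disable it without making the source unreadable. In the prose, "valid voltage reading ranges have been calculated" is passive and points backwards, whereas the ranges are derived in the proof paragraph that follows; "are calculated below" reads more accurately.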
@ -1978,83 +2020,101 @@ for the circuit shown in figure \ref{fig:vd}.
\paragraph{Proof of Out of Range Values for Failures.} \paragraph{Proof of Out of Range Values for Failures.}
\label{pt110range} \label{pt110range}
% %
Using the temperature ranges defined above the voltages can be compared; Using the temperature ranges defined above the voltages read can be used to verify correct operation of the circuit;
resistor failures would cause it is shown that the resistor failures, OPEN and SHORT, would cause
`out~of~range' voltages. `out~of~range' voltages.
% %
There are six test cases and each will be examined in turn. There are six test cases and each will be examined in turn.
% %
\subparagraph{ TC 1 : Voltages $R_1$ SHORT } \subparagraph{ TC 1 : Voltages $R_1$ SHORT.}
With Pt100 at 0\oc:
$$ highreading = 5V $$ Since sense+, because $R_1$ is shorted, is directly connected to the 5V rail
Since the highreading or sense+ is directly connected to the 5V rail, this will be out of range.
both temperature readings will be 5V, The sense- reading will be determined by the potential divider formed by $R2$ and $R_3$.
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V .$$ This is calculated over the temperature range,\\
With Pt100 at the high end of the temperature range 300\oc. for $0^\circ$:
$$ highreading = 5V ,$$ $$ sense- = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V ,$$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$ and for $300^\circ$:
$$ sense- = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$
% %
% With Pt100 at 0\oc:
% $$ highreading = 5V $$
% Since the highreading or sense+ is directly connected to the 5V rail,
% both temperature readings will be 5V,
% $$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V .$$
% With Pt100 at the high end of the temperature range 300\oc.
% $$ highreading = 5V ,$$
% $$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$
% %
Thus with $R_1$ shorted both readings are outside the Thus with $R_1$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}. proscribed range in table \ref{ptbounds}.
% %
\paragraph{ TC 2 : Voltages $R_1$ OPEN } \paragraph{ TC 2 : Voltages $R_1$ OPEN.}
% %
In this case the 5V rail is disconnected. All voltages read are 0V, and In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the therefore both readings are outside the
proscribed range in table \ref{ptbounds}. proscribed range in table \ref{ptbounds}.
% %
% %
\paragraph{ TC 3 : Voltages $R_2$ SHORT } \paragraph{ TC 3 : Voltages $R_2$ SHORT.}
%
This failure mode creates a potential divider formed by R1 and R3.
%
This means that the sense+ and sense- lines will have voltages on them
determined by this potential divider.
%
Since with $R_2$ shorted the sense- is directly connected to the 0V rail,
the sense- reading will be out of range.
%
For sense+ voltages must be calculated over
the extremes of the acceptable temperature range, and it must be ensured that
these voltages could not lead to false readings.
% %
With Pt100 at 0\oc: With Pt100 at 0\oc:
$$ lowreading = 0V .$$ $$ sense+ = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V .$$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V,
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V .$$
With Pt100 at the high end of the temperature range 300\oc , With Pt100 at the high end of the temperature range 300\oc ,
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V .$$ $$ sense+ = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V .$$
% %
Thus with $R_2$ shorted both readings are outside the Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}. proscribed range in table \ref{ptbounds}.
% %
\paragraph{ TC 4 : Voltages $R_2$ OPEN } \paragraph{ TC 4 : Voltages $R_2$ OPEN.}
Here there is no potential divider operating and both sense lines Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range. will read 5V, outside of the proscribed range.
% %
% %
\paragraph{ TC 5 : Voltages $R_3$ SHORT } \paragraph{ TC 5 : Voltages $R_3$ SHORT.}
% %
Here the potential divider is simply between Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal; the two 2k2 load resistors. Thus it will read a nominal 2.5V.
2.5V.
% %
Because the readings here depend on the values of resistors $R_1$ and $R_2$ Because the readings here depend on the values of resistors $R_1$ and $R_2$
resistor tolerance must be considered. resistor tolerance must be considered.
% %
Assuming the load resistors are fairly typical in terms of precision Assuming the load resistors are fairly typical in terms of precision;
precision, taking an absolute worst case of 1\% either way: taking a worst case of 1\% either way:
% %
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V ,$$ $$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
and
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V \; . $$
% %
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V .$$ These readings both lie outside the proscribed ranges.
%
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value. Also the sense+ and sense- readings would have the same value.
% %
\paragraph{ TC 6 : Voltages $R_3$ OPEN } \paragraph{ TC 6 : Voltages $R_3$ OPEN.}
% %
Here the potential divider is broken. The sense- will read 0V and the sense+ will Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range. read 5V. Both readings are outside the proscribed range.
% %
\subsection{Summary of Analysis} \subsection{Summary of Analysis}
% %
All six test cases have been analysed and the results agree with the FMEA All six test cases have been examined and where necessary voltages calculated for the failure conditions.
presented in table~\ref{ptfmea}. %
%The PLD diagram, can now be used to collect the symptoms. The results agree with the FMEA presented in table~\ref{ptfmea}.
In this case there is a common and easily detected symptom for all these single %
For this circuit there is a common and easily detected symptom for all these single
resistor faults---that of---`voltage~out~of~range'. resistor faults---that of---`voltage~out~of~range'.
% %
% A spider can be drawn on the PLD diagram to this effect.
% %
In practical use, by defining an acceptable measurement/temperature range, In practical use, by defining an acceptable measurement/temperature range,
and ensuring the and ensuring the
@ -2073,15 +2133,15 @@ resistors in this circuit have failed.
} }
% %
% %
\subsection{Derived Component with one failure mode.} \subsection{Derived Component $Pt100$ analysed for single failure modes.}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE} i.e.: {\textbf OUT\_OF\_RANGE} i.e.:
$$ fm(Pt100) = \{ {OUT\_OF\_RANGE} \} . $$ $$ fm(Pt100) = \{ {OUT\_OF\_RANGE} \} . $$
This is a single, detectable failure mode. The detectability of a This is a single, detectable failure mode. The detectability of
fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$ fault conditions is very good with this circuit. This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement. has been developed for safety critical temperature measurement.
% %
\ifthenelse{\boolean{pld}} \ifthenelse{\boolean{pld}}
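Review bot: "proscribed range", used in every test case ("both readings are outside the proscribed range in table \ref{ptbounds}"), means a forbidden range; the table gives the permitted ranges, so this should be "prescribed", otherwise each proof literally states that the readings are valid. The rewritten TC 1 also mixes notations: `$R2$` where every other resistor is `$R_1$`/`$R_3$`, `$0^\circ$`/`$300^\circ$` where the rest of the hunk uses `0\oc`/`300\oc`, and TC 3 has "formed by R1 and R3" outside math mode; the forced break in "This is calculated over the temperature range,\\" is unnecessary before a display equation. The TC 1 opening sentence "Since sense+, because $R_1$ is shorted, is directly connected to the 5V rail this will be out of range" would read better as "With $R_1$ shorted, sense+ is connected directly to the 5V rail and is therefore out of range." TC 5 is the one case whose argument depends on tolerance: the 1\% worst case gives 2.475V and 2.525V, and the text should say which table bound each is compared against, because the margin to the in-range values (from the page's own divider equation, sense- at 0\oc is 5V.2k2/(2k2+2k2+100\Omega), about 2.44V) is only around 30mV, so any looser resistor tolerance would have to be re-checked rather than assumed.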
@ -2248,7 +2308,7 @@ Both values will be out of range.
% %
\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT.} \paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT.}
% %
This shorts the sense+ and sense- to Vcc. This shorts the sense+ and sense- to ground.
Both values will be out of range. Both values will be out of range.
% %
%\clearpage %\clearpage

View File

@ -144,8 +144,7 @@ called functions and variables/inputs are the components of a function,
a modular and hierarchical failure mode model a modular and hierarchical failure mode model
from existing software can be built. from existing software can be built.
% %
Thus for FMMD applied to software, a violation of a pre-condition is considered to be Thus for FMMD applied to software, a violation of a pre-condition is considered to be equivalent to a failure mode of `one of its components'.
equivalent a failure mode of `one of its components'.
\paragraph{Mapping contract `post-condition' violations to symptoms.} \paragraph{Mapping contract `post-condition' violations to symptoms.}
@ -155,9 +154,9 @@ A post-condition is a definition of correct behaviour of a function.
% %
A violated post-condition is a symptom of failure, or, in FMMD terms a derived failure mode, for a function. A violated post-condition is a symptom of failure, or, in FMMD terms a derived failure mode, for a function.
% %
Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function. Post conditions could relate to either actions performed (i.e. the state of hardware changed) or an output value of a function.
In pure contract programming, a violation of a pre-condition would cause the function to %
\textbf{not} be executed. In pure contract programming, a violation of a pre-condition would cause the function to \textbf{not} be executed.
% %
In implementation code, a pre-condition violation should cause In implementation code, a pre-condition violation should cause
an error to be generated, and thus a post-condition to fail. an error to be generated, and thus a post-condition to fail.
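Review bot: "Post conditions", "post-condition" and, later in this file, "postconditions" are used for the same term; the hyphenated form matches the paragraph heading "Mapping contract `post-condition' violations to symptoms." and should be used throughout. The last two sentences switch from post-conditions to pre-conditions under that heading; the idea that an implementation turns a pre-condition violation into a generated error, and hence into a failed post-condition, is exactly the bridge the FMMD mapping relies on, so it deserves to be stated explicitly rather than left to "and thus".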
@ -277,7 +276,7 @@ i.e. both a pre-condition and a postcondition;
for the system to be operating correctly the voltage should be within the above bounds. for the system to be operating correctly the voltage should be within the above bounds.
% %
The software function that performs a conversion from the voltage read to The software function that performs a conversion from the voltage read to
a per~mil representation of the {\ft} input current is now discussed. a per~mil representation of the {\ft} input is now discussed.
% %
For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used. For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used.
% %
@ -286,6 +285,17 @@ differentiate it from other type of variables (data types or pointers).
% %
In this document this format is borrowed, hence the C~language In this document this format is borrowed, hence the C~language
function called `main' will be presented as \cf{main}. function called `main' will be presented as \cf{main}.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% 26SEP2013 addition %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
The function \cf{read\_4\_20\_input} takes a floating point value for the voltage read,
checks that it is within bounds, and then applies a conversion to a per-mil
value which it returns via a pointer. The source code is presented in figure~\ref{fig:code_read_4_20_input}.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% 26SEP2013 addition %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
%
% %
A function \cf{read\_ADC} is assumed that returns a floating point %double precision A function \cf{read\_ADC} is assumed that returns a floating point %double precision
value which represents the voltage read (see code sample in figure~\ref{fig:code_read_4_20_input}). value which represents the voltage read (see code sample in figure~\ref{fig:code_read_4_20_input}).
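Review bot: The `% 26SEP2013 addition` banner comments around the new paragraph are editing markers and should be removed before the source is final. The unchanged context line that follows names the helper `\cf{read\_ADC}` ("A function \cf{read\_ADC} is assumed ..."), while later hunks in this file consistently write `\cf{Read\_ADC}` (`fm(\cf{Read\_ADC}) = \{ CHAN\_NO, VREF \}`); C identifiers are case-sensitive, so one spelling should be used everywhere. The new description "checks that it is within bounds, and then applies a conversion to a per-mil value which it returns via a pointer" should also say how a bounds failure is reported (the error flag variable mentioned later in the file), since that flag is the detectable failure mode the analysis depends on.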
@ -428,8 +438,8 @@ FMMD is now applied, from the bottom-up, starting with the hardware.
This {\fg}, $G_1$, contains the load resistor This {\fg}, $G_1$, contains the load resistor
and the physical Analogue to Digital Converter (ADC). and the physical Analogue to Digital Converter (ADC).
% %
$G_1$ is thus the set of base components: $G_1 = \{R, ADC\}.$ $G_1$ is thus a set of base components: $G_1 = \{R, ADC\}.$
It is therefore a hardware only {\fg}. It is a hardware only {\fg}.
% %
%We now determine the {\fms} of all the components in $G_1$. %We now determine the {\fms} of all the components in $G_1$.
@ -499,7 +509,7 @@ the failure modes for the new {\dc} are: %we state:
$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$ $$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$
% %
% %
\paragraph{Software and hardware hybrid {\fg} --- RADC} \paragraph{Software and hardware hybrid {\fg} --- RADC.}
\label{sec:readadc} \label{sec:readadc}
\label{readADC} \label{readADC}
The software function \cf{Read\_ADC} uses the ADC hardware analysed The software function \cf{Read\_ADC} uses the ADC hardware analysed
@ -529,15 +539,15 @@ This validates the supply voltage to the ADC.
This is common practise for safety critical readings when using an ADC.}. This is common practise for safety critical readings when using an ADC.}.
% %
Taken as a component for use in FMEA/FMMD the function has Taken as a component for use in FMEA/FMMD the function has
two failure modes. Therefore it can be treated as a generic component, $Read\_ADC$, two failure modes. Therefore it can be treated as a generic component, $\cf{Read\_ADC}$,
by stating: by stating:
% %
$$ fm(Read\_ADC) = \{ CHAN\_NO, VREF \} $$ $$ fm(\cf{Read\_ADC}) = \{ CHAN\_NO, VREF \} $$
% %
With the failure mode model for our function, it is used in conjunction With the failure mode model for our function, it is used in conjunction
with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMSTV, Read\_ADC \}$. with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMATV, \cf{Read\_ADC} \}$.
% %
This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combined {\fg}. This {\fg} is analysed in table~\ref{tbl:radc}. %{ hardware/software combined {\fg}.
% %
% %
{ {
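Review bot: `\cf{...}` is now used inside math mode (`$\cf{Read\_ADC}$` and `$$ fm(\cf{Read\_ADC}) = \{ CHAN\_NO, VREF \} $$`); check that the macro is math-safe (a `\textsf`/`\texttt`-style definition is, a bare font switch such as `\sffamily` is not) or wrap it in `\text{}`. The correction of `CMSTV` to `CMATV` in `$G_2 =\{ CMATV, \cf{Read\_ADC} \}$` is right and now matches the `fm(CMATV)` definition above. In the unchanged context line "This is common practise for safety critical readings" the noun is "practice".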
@ -560,7 +570,7 @@ This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combine
& wrong channel & \\ \hline & wrong channel & \\ \hline
5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline 5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline
6: post-condition fails & software fails & $VV\_ERR$ \\ 6: post-condition fails & software fails & $VV\_ERR$ \\
& C function: Read\_ADC & \\ & C function: \cf{Read\_ADC} & \\
\hline \hline
\hline \hline
\end{tabular} \end{tabular}
@ -572,7 +582,7 @@ This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combine
The common symptoms of failure from table~\ref{tbl:radc} are collected giving The common symptoms of failure from table~\ref{tbl:radc} are collected giving
$\{ VV\_ERR, HIGH, LOW \}$. Any violations of postconditions for software functions in the {\fg} $G_2$ must be added to this set. $\{ VV\_ERR, HIGH, LOW \}$. Any violations of postconditions for software functions in the {\fg} $G_2$ must be added to this set.
This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */}, This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */},
corresponds to $VV\_ERR$, and happens to already be in the {\fm} set for this {\fg}. causes the symptom $VV\_ERR$, which happens to already be in the {\fm} set for this {\fg}.
% %
%We can now create a {\dc} called $RADC$ thus: $$RADC = \; \derivec(G_2)$$ which has the following %We can now create a {\dc} called $RADC$ thus: $$RADC = \; \derivec(G_2)$$ which has the following
%{\fms}: %{\fms}:
@ -580,6 +590,7 @@ A {\dc} called $RADC$ is created with failure modes of:
$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$ $$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
% %
% %
This {\dc} is a hybrid of software and hardware, and is an example of a hardware interface modelled by FMMD.
% %
% %
% %
@ -598,17 +609,17 @@ to determine its {\fms}.
% %
Its one pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}. Its one pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
% %
This violation of the pre-condition can become the {\fm} VRNGE (an acronym for Voltage Range); %As this function has one pre-condition A violation of this pre-condition can become the {\fm} VRNGE (an acronym for Voltage Range); %As this function has one pre-condition
we state, we state,
% %
$ fm(read\_4\_20\_input) = \{ RI_{VRNGE} \} .$ $ fm(\cf{read\_4\_20\_input}) = \{ RI_{VRNGE} \} .$
To this we add the post-condition, {\em ensure: value is proportional (0-999) to the {\ft} input}, To this we add the post-condition, {\em ensure: value is proportional (0-999) to the {\ft} input},
which can be termed $VAL\_ERR$: the failure modes for \cf{read\_4\_20\_input} are now defined as: which can be termed $VAL\_ERR$: the failure modes for \cf{read\_4\_20\_input} are now defined as:
$$ fm(read\_4\_20\_input) = \{ RI_{VRNGE}, RI_{VAL\_ERR} \} .$$ $$ fm(\cf{read\_4\_20\_input}) = \{ RI_{VRNGE}, RI_{VAL\_ERR} \} .$$
% %
\fmmdglossCONTRACTPROG \fmmdglossCONTRACTPROG
A {\fg}, $G_3$, is formed with the {\dc} $RADC$ and the A {\fg}, $G_3$, is formed with the {\dc} $RADC$ and the
software component \cf{read\_4\_20\_input}, i.e. $G_3 = \{read\_4\_20\_input, RADC\} $. software component \cf{read\_4\_20\_input}, i.e. $G_3 = \{\cf{read\_4\_20\_input}, RADC\} $.
% %
{ {
\tiny \tiny
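Review bot: The failure-mode set of `read\_4\_20\_input` is defined twice, first inline as `$ fm(\cf{read\_4\_20\_input}) = \{ RI_{VRNGE} \} .$` and then redefined in display form with `RI_{VAL\_ERR}` added; introduce the two failure modes and then give the set once, in display form, so the reader is not handed a definition that is immediately superseded. "VRNGE (an acronym for Voltage Range)" is an abbreviation rather than an acronym. The change to `\cf{...}` inside `$G_3 = \{\cf{read\_4\_20\_input}, RADC\} $` has the same math-mode caveat as the `Read\_ADC` hunk above.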
@ -651,8 +662,8 @@ The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$.
% 4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes. % 4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes.
% \paragraph{Final Functional Group} % \paragraph{Final Functional Group}
For single failures these are the two ways in which this function For single failures these are the two ways in which this function
can fail. An $OUT\_OF\_RANGE$ condition will be flagged by the error flag variable. can fail. An $OUT\_OF\_RANGE$ condition will be flagged by the error flag variable, a detectable {\fm}.
The $VAL\_ERR$ will simply mean that the value read is incorrect: an undetectable The $VAL\_ERR$ will simply mean that the value read is incorrect: an undetectable {\fm}
and therefore undesirable condition. and therefore undesirable condition.
% %
Finally a {\dc} is created to represent a failure mode model for our Finally a {\dc} is created to represent a failure mode model for our
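Review bot: "an undetectable {\fm} and therefore undesirable condition" needs a comma and an article: "an undetectable {\fm}, and therefore an undesirable condition". Since `$VAL\_ERR$` is the one single-failure mode that reaches the caller unflagged, this is the place to say what bounds it; the post-condition quoted earlier in the file ("value is voltage input to within 0.1\%") is the only stated accuracy a violation would breach, and referring to it here makes the detectable/undetectable split concrete for the reader.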
@ -743,7 +754,8 @@ the MUX is very demanding, separate pull down test lines may be implemented on t
% %
A software specification for a hardware interface will typically concentrate on data formats, A software specification for a hardware interface will typically concentrate on data formats,
how to interpret raw readings, or what digital signals to apply for actuators~\cite{sfmeainterface}. how to interpret raw readings, or what digital signals to apply for actuators~\cite{sfmeainterface}.
Using FMMD the process naturally determines a failure model for the interface. % as well~\cite{sfmeainterface}. %
Using FMMD the process naturally determines a failure model for the hardware/software interface. % as well~\cite{sfmeainterface}.
\\ \\
\\ \\
The {\ft} example above is based on the paper presented to System Safety in 2012~\cite{syssafe2012}. The {\ft} example above is based on the paper presented to System Safety in 2012~\cite{syssafe2012}.
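Review bot: The two `\\` lines after the new sentence produce forced line breaks inside the paragraph rather than paragraph spacing, and a `\\` directly after another `\\` yields an empty line and an underfull-hbox warning; a blank line (or `\medskip`) before "The {\ft} example above ..." gives the intended gap cleanly. "hardware/software interface" is the right term; the sentence would land better by naming what the resulting model is, which the preceding hunks already give as the {\dc} $RADC$ with $fm(RADC) = \{ VV\_ERR, HIGH, LOW \}$.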