robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

polish polish

Browse Source
This commit is contained in:
Robin Clark 2013-09-26 16:41:29 +01:00
parent ea92956ec8
commit 35078d32b8
2 changed files with 245 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

360
submission_thesis/CH5_Examples/copy.tex
View File

@ -159,14 +159,14 @@ and analysed as such; see table~\ref{tbl:pdneg}.
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-0.5) {$IPD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-2.4) {$IPD_{LOW}$};
\node[symptom] (IPDHIGH) at (\layersep*2,-0.5) {$IPD_{HIGH}$};
\node[symptom] (IPDLOW) at (\layersep*2,-2.4) {$IPD_{LOW}$};
\path (R1OPEN) edge (PDLOW);
\path (R2SHORT) edge (PDLOW);
\path (R1OPEN) edge (IPDLOW);
\path (R2SHORT) edge (IPDLOW);
\path (R2OPEN) edge (PDHIGH);
\path (R1SHORT) edge (PDHIGH);
\path (R2OPEN) edge (IPDHIGH);
\path (R1SHORT) edge (IPDHIGH);
\end{tikzpicture}
%
@ -176,7 +176,10 @@ and analysed as such; see table~\ref{tbl:pdneg}.
%
%
A {\dc} can be formed from the analysis results in table~\ref{tbl:pdneg} %this,
and called an inverted potential divider ($IPD$).
and called an inverted potential divider ($IPD$) with the following failure modes:
$$ fm ( IPD ) = \{ IPDHIGH, IPDLOW \} $$
%\clearpage
%
The final stage of analysis for this amplifier, is made by
by forming a {\fg} with the OpAmp and the new {\dc} $IPD$.
@ -325,10 +328,10 @@ to traverse from system level or top failure modes to base component failure mod
\label{subsec:invamp2}
%
The problem above is analysed without using an intermediate $IPD$
In this second approach the inverting amplifier is analysed without using an intermediate $IPD$
derived component.
%
If the input voltage was not constrained to being positive this one stage analysis would be necessary.
If the input voltage was not constrained to being positive this `one~stage' analysis would be necessary.
%
%
This concern is re-visited in the differencing amplifier example in the next section.
@ -377,10 +380,14 @@ This concern is re-visited in the differencing amplifier example in the next sec
\label{tbl:invamp}
\end{table}
Collecting the symptoms of failure from table~\ref{tbl:invamp} a {\dc}, $INVAMP$, is formed where:
$$ fm(INVAMP) = \{ LOW, HIGH, LOWPASS\} .$$
%\clearpage
\subsection{Comparison between the two approaches}
\label{sec:invampcc}
%
The first analysis used two FMMD stages.
%
The first stage analysed an inverted potential divider %, analyses its failure modes,
@ -405,7 +412,8 @@ All FMEA is performed in the context of the environment and functionality of the
under analysis.
This example shows that for the condition where the input voltage
is constrained to being positive, two levels of decomposition can be applied.
For the unconstrained case, it is necessary to consider all three components as one larger {\fg}.
For the unconstrained case, i.e. where the input could be positive or negative,
it is necessary to consider all three components as one larger {\fg}.
@ -430,7 +438,9 @@ electrically load the previous stage.
%the sensors or circuitry supplying the voltage signals used for measurement.
Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers,
this is a useful circuit wherever a high impedance differencing amplifier is required.
It is a configuration that will be used in many electronic circuits.
%
This is a configuration that is commonly used in electronic circuits.
%
It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
%
Identifying {\fgs} from the components in the circuit is the starting point for analysis.
@ -621,6 +631,7 @@ The circuit in figure~\ref{fig:circuit2} shows a five pole low pass filter.
%
Starting at the input, there is a first order low pass filter buffered by an op-amp,
the output of this is passed to a Sallen~Key~\cite{aoe}[p.267]~\cite{electronicssysapproach}[p.288] second order low-pass filter.
%
The output of this is passed into another Sallen~Key filter. % -- which although it may have different values
%for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective.
The first Sallen~Key low pass filter is analysed and then re-used
@ -639,8 +650,8 @@ for the second stage
\subsection{First Order Low Pass Filter}
\label{sec:lp}
% WEEEE ECUNT
Starting with the first order low pass filter formed by $R10$ and $C10$.
%
Following the signal path from the input, the first order low pass filter formed by $R10$ and $C10$, is encountered.
%
This configuration (or {\fg}) is very commonly
used %in electronics
@ -693,15 +704,21 @@ called $FirstOrderLP$.
%
Applying the $fm$ function yields: $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
%
This simple filter is not robust to circuit loading, that is, in electronics terms it has a high output impedance.
%
This means that were it to be overloaded by a subsequent stage of the circuit
its signal processing properties could be altered.
%
\subsection{Addition of Buffer Amplifier: First stage}
%
The op-amp IC1 is being used simply as a buffer.
\fmmdglossOPAMP
%
By placing it between the stages %next stages
on the signal path the possibility of unwanted signal feedback is avoided.
on the signal path the possibility of unwanted signal feedback to the low-pass filter, formed by C10 and R10, is avoided.
%
The buffer is one of the simplest op-amp configurations.
%
\fmmdglossOPAMP
%
It has no other components, and a {\fg} is formed
@ -807,9 +824,11 @@ A derived component is created to represent the Sallen Key low pass filter, call
$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal . \} $$
%
%
\subsection{A failure mode model of Op-Amp Circuit 2}
\clearpage
%
A {\dcs} representing the three stages of this filter is created following
\subsection{A failure mode model of the five pole Sallen Key filter}
%
A {\dc} representing the three stages of this filter is created following
the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}).
%
%
@ -834,7 +853,9 @@ and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIV
%
So the final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$.
%
The FMMD hierarchy is shown in figure~\ref{fig:circuit2h}.
This is analysed in table~\ref{tbl:fivepole}.
%
The resulting FMMD hierarchy is shown in figure~\ref{fig:circuit2h}.
%
%
% HTR 20OCT2012 \begin{figure}[h]+
@ -904,8 +925,9 @@ The FMMD hierarchy is shown in figure~\ref{fig:circuit2h}.
\clearpage
%
A {\dc} is created to represent the circuit in figure~\ref{fig:circuit2}, called
$FivePoleLP$: applying the $fm$ function (see table~\ref{tbl:fivepole})
yields $$fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}.$$
$FivePoleLP$: applying the $fm$ function (see table~\ref{tbl:fivepole}) yields:
%
$$fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}.$$
%
%
%\pagebreak[4]
@ -1038,7 +1060,7 @@ $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$
%
At this point all the {\dcs} could be collected into one large functional
group (see figure~\ref{fig:bubbaeuler1}) %{fig:poss1finalbubba})
or merged in smaller stages, which will have the side-effect of
or merged in smaller stages, which would have the side-effect of
creating intermediate {\dcs}.
%
Initially the first identified {\fgs} are used to create the {\fm} model without further stages of refinement/hierarchy.
@ -1125,7 +1147,7 @@ It should be possible to determine smaller {\fgs} and refine the model further.
\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator.}
%
The pre-analysed $NIBUFF$ and $PHS45$
{\dcs} are used to form a {\fg}, analysed in appendix~\ref{tbl:buff45}, giving the
{\dcs} are used to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the
{\dc} $BUFF45$.
%
%Thus,
@ -1140,18 +1162,18 @@ Together these apply a $135^{\circ}$ phase shift to the signal.
This property is used to model a higher level {\dc}, that of a $135^{\circ}$ phase shifter.
%
The three $BUFF45$ {\dcs} form a
{\fg} which is analysed in appendix~\ref{tbl:phs135buffered}.
{\fg} which is analysed in table~\ref{tbl:phs135buffered}.
%
The result of this analysis is the {\dc}
$PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter.
%
This is shown in the Euler diagram in figure~\ref{fig:bubbaeuler2}.
\paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator.}
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.},
form a {\fg}
providing an amplified $225^{\circ}$ phase shift, analysed in appendix~\ref{tbl:phs225amp}
providing an amplified $225^{\circ}$ phase shift, analysed in table~\ref{tbl:phs225amp}
resulting in the {\dc} $PHS225AMP$.
%
Applying FMMD the {\dc} $PHS225AMP$ is created with the following failure modes:
@ -1159,32 +1181,32 @@ $$
fm (PHS225AMP) = \{ 180\_phaseshift, NO\_signal \}. % 270\_phaseshift,
$$
%
A final {\fg} is formed with $PHS135BUFFERED$ and $PHS225AMP$.
%
This {\fg} is analysed in appendix~\ref{detail:BUFF45} giving a {\dc}, $BUFF45$, which has the following failure modes:
$$
fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \} .% 90\_phaseshift,
$$
%
%$$ CC(BUFF45) = 7 \times 1 = 7 $$
%
Three $BUFF45$ {\dcs} form a {\fg}, and after FMMD analysis
we create a $PHS135BUFFERED$ {\dc}.
%
The FMMD analysis table is in appendix~\ref{detail:PHS135BUFFERED}. %
%
%
%
%$$ CC (PHS135BUFFERED) = 3 \times 2 = 6 $$
%
%
%
The $PHS225AMP$ consists of a $PHS45$, providing $45^{\circ}$ of phase shift, and an
$INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$.
%
Detailed FMMD analysis may be found in appendix~\ref{detail:PHS225AMP}.
%
The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift).
% A final {\fg} is formed with $PHS135BUFFERED$ and $PHS225AMP$.
% %
% This {\fg} is analysed in appendix~\ref{detail:BUFF45} giving a {\dc}, $BUFF45$, which has the following failure modes:
% $$
% fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \} .% 90\_phaseshift,
% $$
% %
% %$$ CC(BUFF45) = 7 \times 1 = 7 $$
% %
% Three $BUFF45$ {\dcs} form a {\fg}, and after FMMD analysis
% we create a $PHS135BUFFERED$ {\dc}.
% %
% The FMMD analysis table is in appendix~\ref{detail:PHS135BUFFERED}. %
% %
% %
% %
% %$$ CC (PHS135BUFFERED) = 3 \times 2 = 6 $$
% %
% %
% %
% The $PHS225AMP$ consists of a $PHS45$, providing $45^{\circ}$ of phase shift, and an
% $INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$.
% %
% Detailed FMMD analysis may be found in appendix~\ref{detail:PHS225AMP}.
% %
% The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift).
%
To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together
and perform FMEA with these (see appendix~\ref{detail:BUBBAOSC}), to obtain a model for the Bubba Oscillator.
@ -1209,7 +1231,7 @@ $$
% This has meant a drastic reduction in the number of failure-modes to check against components.
%It has %also
This more decomposed approach has
given us five {\dcs}, %building blocks,
identified five {\dcs}, %building blocks,
which could %
potentially be re-used in other projects.
%potentially be re-used for similar circuitry
@ -1234,17 +1256,24 @@ more reasoning stages, i.e. FMMD analysis stages with their associated analysis
% HTR of complexity comparison.
%
\subsection{Conclusion}
%
With FMMD there is always a choice for the membership of {\fgs}.
%
This example has shown that the simple approach, identifying
initial {\fgs} and using them to build a large {\fg} to model the circuit
gives a valid result.
%
However, it involves a large reasoning distance, the final stage
having 24 failure modes to consider against each of the other seven {\dcs}.
%
A finer grained approach produces more potentially re-usable {\dcs} and
involves several stages with lower reasoning distances.
involved several stages with an overall lower reasoning distance.
%
The lower reasoning distances, or complexity comparison figures are given in the metrics chapter~\ref{sec:chap7}
at section~\ref{sec:bubbaCC}.
These show that the finer grained models also benefit from lower reasoning distances for the failure mode model.
in section~\ref{sec:bubbaCC}.
%
This example demonstrates that the finer grained models
benefit from lower reasoning distances for the failure mode model.
\clearpage
@ -1368,12 +1397,14 @@ The feedback voltage for the ADC is supplied via $R1$, this voltage is called $V
$R2$ and $R1$ form a summing junction to IC1: they balance the integrator provided
by the capacitor C1 and the opamp IC1.
%
This can be the first {\fg} and it is analysed in table~\ref{detail:SUMJINT}: %{tbl:sumjint}.
This can be the first {\fg} and it is analysed in appendix~\ref{detail:SUMJINT}: %{tbl:sumjint}.
%
$$FG = \{R1, R2, IC1, C1 \} .$$
%
That is, the failure modes (see FMMD analysis at~\ref{detail:SUMJINT}) of the new {\dc}
$SUMJINT$ are $$\{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
$SUMJINT$ are:
%
$$fm(SUMJINT) = \{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
%
%\clearpage
%
@ -1476,6 +1507,7 @@ These are:
\item DL2AL --- A digital to analog level converter,
\item DIGBUF --- A digital one bit buffer/memory.
\end{itemize}
%
These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}.
%
These {\dcs} can now be used to create higher level {\fgs}.
@ -1589,7 +1621,7 @@ The {\dc} hierarchy is shown in figure~\ref{fig:eulersdfinal}.
% The output from this is sent to the summing integrator as the signal summed with the input.
\subsection{Conclusion}
The {\sd} example, shows that FMMD can be applied to mixed digital and analogue circuitry:
which means the analogue/digital interface is also achieved.
which means that analysis of the analogue/digital interface is achievable using FMMD.
%
This
leads onto interfacing to software and digital~systems in the next chapter.
@ -1643,12 +1675,14 @@ industrial applications below 600\oc, due to high accuracy\cite{aoe}.
\subsection{General Description of Pt100 four wire circuit}
%
\label{Pt100range}
%
The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two.
and returns two sense voltages over the other two.
%
By measuring voltages
from sections of this circuit forming potential dividers, the
from sections of this circuit, which forms potential dividers, the
resistance of the platinum wire sensor can be determined.
%
%The resistance
@ -1660,7 +1694,7 @@ resistance of the platinum wire sensor can be determined.
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 expected voltage ranges}
\caption{Pt100 expected voltage ranges for a temperature range of $0^\circ$ to $300^\circ$} centigrade
\label{fig:Pt100vrange}
\end{figure}
%
@ -1683,17 +1717,17 @@ and the higher as {\em sense+}.
%For electronic and accuracy reasons, a four wire circuit is preferred
%because of resistance in the cables.
%
Resistance from the supply
causes a slight voltage
Resistance from the supply cables
causes a slight voltage
drop in the supply to the $Pt100$.
%
As no significant current
is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
causes only a negligible voltage drop, and thus a four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured is the voltage across
the thermistor only and not the voltage across the thermistor and current supply wire resistance.}.
\paragraph{Calculating Temperature from the sense line voltages}
\paragraph{Calculating Temperature from the sense line voltages.}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
@ -1706,9 +1740,9 @@ resistance is calculated by Ohms law $V=I.R$, $R=\frac{V}{I}$.
%does not impinge on accuracy.
%
The resistance to temperature conversion is achieved
through the published $Pt100$ tables\cite{eurothermtables}.
through published $Pt100$ tables\cite{eurothermtables}.
%
The standard voltage divider equations (see figure \ref{fig:vd} and
Standard voltage divider equations (see figure \ref{fig:vd} and
equation \ref{eqn:vd}) can be used to calculate
expected voltages for failure mode and temperature reading purposes.
@ -1733,7 +1767,10 @@ firstly presents an FMEA analysis which is then supported by
detail and calculations of the type that would be submitted to an approval agency.
%
Detailed potential divider calculations and the effect of component tolerances
are factored for each test case in the FMEA table~\ref{sec:singlePt100FMEA}.
are factored for germane test cases.
%
The analysis is presented in the FMEA table~\ref{ptfmea}. %{sec:singlePt100FMEA}.
%
The next section~\ref{sec:Pt100d}, extends this analysis for double failure scenarios.
%{sec:Pt100d}
% This sub-section looks at the behaviour of the $Pt100$ four wire circuit
@ -1757,15 +1794,15 @@ The next section~\ref{sec:Pt100d}, extends this analysis for double failure scen
%\label{fmea}
The Pt100 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires.
Resistors, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
Resistors, are considered to fail by either going OPEN or SHORT. % (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$ \ohms{2k2} connects the thermistor to ground.
$R_{1}$ is a \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$, also \ohms{2k2}, connects the thermistor to ground.
The terms `High Fault' and `Low Fault' are be defined here with reference to figure
The terms `High Fault' and `Low Fault' are defined here with reference to figure
\ref{fig:Pt100vrange}.
%
Should a reading be outside the safe green zone
@ -1775,10 +1812,10 @@ Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'.
%
Table~\ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
in both SHORT and OPEN failure modes, and hypothesises error conditions in the readings.
%
The temperature range {0\oc} to {300\oc} will be used to determine potential divider voltage outputs (see section~\ref{sec:ptbounds}),
and these used to validate the FMEA in table~\ref{ptfmea}.
The temperature range {0\oc} to {300\oc} will be used to determine potential divider voltage outputs,
and these later used to validate the FMEA in table~\ref{ptfmea}.
\begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table
@ -1803,14 +1840,14 @@ $R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
From table \ref{ptfmea} it can be seen that any single component failure in the circuit
will cause a common symptom, that of one or more of the values being `out~of~range'.
%
%Temperature range calculations and detailed calculations
%on the effects of each test case are found in section \ref{Pt100range}
%and \ref{Pt100temp}.
\paragraph{Consideration of Resistor Tolerance}
\paragraph{Consideration of Resistor Tolerance.}
\label{sec:resistortolerance}
%
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not
@ -1827,7 +1864,7 @@ a narrow temperature range, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}}
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
the voltage over it is read
the voltage over it---i.e. $ sense+ \; - \; sense-$---is read
and with the current flowing through it, its resistance can be found.
%must be measured.
%
@ -1850,7 +1887,9 @@ and then using $I$, $R_{3} = \frac{V_{R3}}{I}$.}.
$Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
%
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
A suitable %`wider than to be expected range'
expected temperature range
was considered to be {0\oc} to {300\oc}
for a given application.
%
According to the Eurotherm Pt100
@ -1860,27 +1899,31 @@ and \ohms{212.02} respectively.
From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
%
These can be used as bounds results to apply the findings from the
Pt100 FMEA analysis in section~\ref{sec:Pt100floating}. %\ref{fmea}.
These can be used as bounds results to validate %the findings from the
the Pt100 FMEA analysis. % in section~\ref{sec:Pt100floating}. %\ref{fmea}.
%
As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings are calculated thus:
%
%
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} ,$$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} .$$
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} \; $$
and
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} \; .$$
%
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, there is confidence that none of the
values are always within these bounds, there should be confidence that none of the
resistors in this circuit have failed.
%
%
\label{sec:ptbounds}
%
To convert these to twelve bit ADC (\adctw) counts:
To convert these to twelve bit ADC (\adctw)\footnote{An {\adctw} with a 5V Vref is assumed for this example. Raw ADC counts
would typically be used in software routines validating range/values in safety critical readings.} counts:
%
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} , $$
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
%
and
%
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$
%
@ -1890,8 +1933,7 @@ $$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{Pt100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\textbf{Temperature} & \textbf{Pt100 resistance} & \textbf{sense-} & \textbf{sense+} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
@ -1904,8 +1946,8 @@ $$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$
\label{ptbounds}
\end{table}
%
Table~\ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
Table~\ref{ptbounds} gives ranges that determine correct operation. It will be shown that
for any single error (shorting or opening of any resistor) this bounds check
will detect it.
%
%
@ -1942,34 +1984,34 @@ will detect it.
% take the mean square error of these accuracy figures~\cite{probstat}.
%
%
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.}
%
%
\ifthenelse{\boolean{pld}}
{
\paragraph{Single Fault Modes as PLD.}
%
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram.
Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only
and are thus enclosed by one contour each.
\fmodegloss
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc}
\end{figure}
} % \ifthenelse {\boolean{pld}}
% % % % \ifthenelse{\boolean{pld}}
% % % % {
% % % % \paragraph{Single Fault Modes as PLD.}
% % % % %
% % % % The component~failure~modes in table \ref{ptfmea} can be represented as contours
% % % % on a PLD diagram.
% % % % Each test case, is defined by the contours that enclose
% % % % it. The test cases here deal with single faults only
% % % % and are thus enclosed by one contour each.
% % % % \fmodegloss
% % % % \begin{figure}[h]
% % % % \centering
% % % % \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% % % % % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
% % % % \caption{Pt100 Component Failure Modes}
% % % % \label{fig:Pt100_tc}
% % % % \end{figure}
% % % % } % \ifthenelse {\boolean{pld}}
%
%ating input Fault
This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings.
%
To establish the valid voltage ranges for these, and knowing our
To establish the valid voltage ranges for these, and knowing the
valid temperature range for this example ({0\oc} .. {300\oc})
valid voltage reading ranges can be calculated by using the standard voltage divider equation \ref{eqn:vd}
valid voltage reading ranges have been calculated by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.
%
%
@ -1978,83 +2020,101 @@ for the circuit shown in figure \ref{fig:vd}.
\paragraph{Proof of Out of Range Values for Failures.}
\label{pt110range}
%
Using the temperature ranges defined above the voltages can be compared;
resistor failures would cause
Using the temperature ranges defined above the voltages read can be used to verify correct operation of the circuit;
it is shown that the resistor failures, OPEN and SHORT, would cause
`out~of~range' voltages.
%
There are six test cases and each will be examined in turn.
%
\subparagraph{ TC 1 : Voltages $R_1$ SHORT }
With Pt100 at 0\oc:
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V,
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V .$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V ,$$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$
\subparagraph{ TC 1 : Voltages $R_1$ SHORT.}
Since sense+, because $R_1$ is shorted, is directly connected to the 5V rail
this will be out of range.
The sense- reading will be determined by the potential divider formed by $R2$ and $R_3$.
This is calculated over the temperature range,\\
for $0^\circ$:
$$ sense- = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V ,$$
and for $300^\circ$:
$$ sense- = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$
%
% With Pt100 at 0\oc:
% $$ highreading = 5V $$
% Since the highreading or sense+ is directly connected to the 5V rail,
% both temperature readings will be 5V,
% $$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V .$$
% With Pt100 at the high end of the temperature range 300\oc.
% $$ highreading = 5V ,$$
% $$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$
% %
Thus with $R_1$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
%
\paragraph{ TC 2 : Voltages $R_1$ OPEN }
\paragraph{ TC 2 : Voltages $R_1$ OPEN.}
%
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
%
%
\paragraph{ TC 3 : Voltages $R_2$ SHORT }
\paragraph{ TC 3 : Voltages $R_2$ SHORT.}
%
This failure mode creates a potential divider formed by R1 and R3.
%
This means that the sense+ and sense- lines will have voltages on them
determined by this potential divider.
%
Since with $R_2$ shorted the sense- is directly connected to the 0V rail,
the sense- reading will be out of range.
%
For sense+ voltages must be calculated over
the extremes of the acceptable temperature range, and it must be ensured that
these voltages could not lead to false readings.
%
With Pt100 at 0\oc:
$$ lowreading = 0V .$$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V,
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V .$$
$$ sense+ = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V .$$
With Pt100 at the high end of the temperature range 300\oc ,
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V .$$
$$ sense+ = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V .$$
%
Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
%
\paragraph{ TC 4 : Voltages $R_2$ OPEN }
\paragraph{ TC 4 : Voltages $R_2$ OPEN.}
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range.
%
%
\paragraph{ TC 5 : Voltages $R_3$ SHORT }
\paragraph{ TC 5 : Voltages $R_3$ SHORT.}
%
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
the two 2k2 load resistors. Thus it will read a nominal 2.5V.
%
Because the readings here depend on the values of resistors $R_1$ and $R_2$
resistor tolerance must be considered.
%
Assuming the load resistors are fairly typical in terms of precision
precision, taking an absolute worst case of 1\% either way:
Assuming the load resistors are fairly typical in terms of precision;
taking a worst case of 1\% either way:
%
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V ,$$
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
and
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V \; . $$
%
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V .$$
%
These readings both lie outside the proscribed range.
These readings both lie outside the proscribed ranges.
Also the sense+ and sense- readings would have the same value.
%
\paragraph{ TC 6 : Voltages $R_3$ OPEN }
\paragraph{ TC 6 : Voltages $R_3$ OPEN.}
%
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
%
\subsection{Summary of Analysis}
%
All six test cases have been analysed and the results agree with the FMEA
presented in table~\ref{ptfmea}.
%The PLD diagram, can now be used to collect the symptoms.
In this case there is a common and easily detected symptom for all these single
All six test cases have been examined and where necessary voltages calculated for the failure conditions.
%
The results agree with the FMEA presented in table~\ref{ptfmea}.
%
For this circuit there is a common and easily detected symptom for all these single
resistor faults---that of---`voltage~out~of~range'.
%
% A spider can be drawn on the PLD diagram to this effect.
%
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
@ -2073,15 +2133,15 @@ resistors in this circuit have failed.
}
%
%
\subsection{Derived Component with one failure mode.}
\subsection{Derived Component $Pt100$ analysed for single failure modes.}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE} i.e.:
$$ fm(Pt100) = \{ {OUT\_OF\_RANGE} \} . $$
This is a single, detectable failure mode. The detectability of a
fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$
This is a single, detectable failure mode. The detectability of
fault conditions is very good with this circuit. This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
\ifthenelse{\boolean{pld}}
@ -2248,7 +2308,7 @@ Both values will be out of range.
%
\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT.}
%
This shorts the sense+ and sense- to Vcc.
This shorts the sense+ and sense- to ground.
Both values will be out of range.
%
%\clearpage

56
submission_thesis/CH6_Software_Examples/software.tex
View File

@ -144,8 +144,7 @@ called functions and variables/inputs are the components of a function,
a modular and hierarchical failure mode model
from existing software can be built.
%
Thus for FMMD applied to software, a violation of a pre-condition is considered to be
equivalent a failure mode of `one of its components'.
Thus for FMMD applied to software, a violation of a pre-condition is considered to be equivalent to a failure mode of `one of its components'.
\paragraph{Mapping contract `post-condition' violations to symptoms.}
@ -155,9 +154,9 @@ A post-condition is a definition of correct behaviour of a function.
%
A violated post-condition is a symptom of failure, or, in FMMD terms a derived failure mode, for a function.
%
Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function.
In pure contract programming, a violation of a pre-condition would cause the function to
\textbf{not} be executed.
Post conditions could relate to either actions performed (i.e. the state of hardware changed) or an output value of a function.
%
In pure contract programming, a violation of a pre-condition would cause the function to \textbf{not} be executed.
%
In implementation code, a pre-condition violation should cause
an error to be generated, and thus a post-condition to fail.
@ -277,7 +276,7 @@ i.e. both a pre-condition and a postcondition;
for the system to be operating correctly the voltage should be within the above bounds.
%
The software function that performs a conversion from the voltage read to
a per~mil representation of the {\ft} input current is now discussed.
a per~mil representation of the {\ft} input is now discussed.
%
For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used.
%
@ -286,6 +285,17 @@ differentiate it from other type of variables (data types or pointers).
%
In this document this format is borrowed, hence the C~language
function called `main' will be presented as \cf{main}.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% 26SEP2013 addition %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
The function \cf{read\_4\_20\_input} takes a floating point value for the voltage read,
checks that it is within bounds, and then applies a conversion to a per-mil
value which it returns via a pointer. The source code is presented in figure~\ref{fig:code_read_4_20_input}.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% 26SEP2013 addition %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
%
%
A function \cf{read\_ADC} is assumed that returns a floating point %double precision
value which represents the voltage read (see code sample in figure~\ref{fig:code_read_4_20_input}).
@ -428,8 +438,8 @@ FMMD is now applied, from the bottom-up, starting with the hardware.
This {\fg}, $G_1$, contains the load resistor
and the physical Analogue to Digital Converter (ADC).
%
$G_1$ is thus the set of base components: $G_1 = \{R, ADC\}.$
It is therefore a hardware only {\fg}.
$G_1$ is thus a set of base components: $G_1 = \{R, ADC\}.$
It is a hardware only {\fg}.
%
%We now determine the {\fms} of all the components in $G_1$.
@ -499,7 +509,7 @@ the failure modes for the new {\dc} are: %we state:
$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$
%
%
\paragraph{Software and hardware hybrid {\fg} --- RADC}
\paragraph{Software and hardware hybrid {\fg} --- RADC.}
\label{sec:readadc}
\label{readADC}
The software function \cf{Read\_ADC} uses the ADC hardware analysed
@ -529,15 +539,15 @@ This validates the supply voltage to the ADC.
This is common practise for safety critical readings when using an ADC.}.
%
Taken as a component for use in FMEA/FMMD the function has
two failure modes. Therefore it can be treated as a generic component, $Read\_ADC$,
two failure modes. Therefore it can be treated as a generic component, $\cf{Read\_ADC}$,
by stating:
%
$$ fm(Read\_ADC) = \{ CHAN\_NO, VREF \} $$
$$ fm(\cf{Read\_ADC}) = \{ CHAN\_NO, VREF \} $$
%
With the failure mode model for our function, it is used in conjunction
with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMSTV, Read\_ADC \}$.
with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMATV, \cf{Read\_ADC} \}$.
%
This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combined {\fg}.
This {\fg} is analysed in table~\ref{tbl:radc}. %{ hardware/software combined {\fg}.
%
%
{
@ -560,7 +570,7 @@ This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combine
& wrong channel & \\ \hline
5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline
6: post-condition fails & software fails & $VV\_ERR$ \\
& C function: Read\_ADC & \\
& C function: \cf{Read\_ADC} & \\
\hline
\hline
\end{tabular}
@ -572,7 +582,7 @@ This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combine
The common symptoms of failure from table~\ref{tbl:radc} are collected giving
$\{ VV\_ERR, HIGH, LOW \}$. Any violations of postconditions for software functions in the {\fg} $G_2$ must be added to this set.
This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */},
corresponds to $VV\_ERR$, and happens to already be in the {\fm} set for this {\fg}.
causes the symptom $VV\_ERR$, which happens to already be in the {\fm} set for this {\fg}.
%
%We can now create a {\dc} called $RADC$ thus: $$RADC = \; \derivec(G_2)$$ which has the following
%{\fms}:
@ -580,6 +590,7 @@ A {\dc} called $RADC$ is created with failure modes of:
$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
%
%
This {\dc} is a hybrid of software and hardware, and is an example of a hardware interface modelled by FMMD.
%
%
%
@ -598,17 +609,17 @@ to determine its {\fms}.
%
Its one pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
%
This violation of the pre-condition can become the {\fm} VRNGE (an acronym for Voltage Range); %As this function has one pre-condition
A violation of this pre-condition can become the {\fm} VRNGE (an acronym for Voltage Range); %As this function has one pre-condition
we state,
%
$ fm(read\_4\_20\_input) = \{ RI_{VRNGE} \} .$
$ fm(\cf{read\_4\_20\_input}) = \{ RI_{VRNGE} \} .$
To this we add the post-condition, {\em ensure: value is proportional (0-999) to the {\ft} input},
which can be termed $VAL\_ERR$: the failure modes for \cf{read\_4\_20\_input} are now defined as:
$$ fm(read\_4\_20\_input) = \{ RI_{VRNGE}, RI_{VAL\_ERR} \} .$$
$$ fm(\cf{read\_4\_20\_input}) = \{ RI_{VRNGE}, RI_{VAL\_ERR} \} .$$
%
\fmmdglossCONTRACTPROG
A {\fg}, $G_3$, is formed with the {\dc} $RADC$ and the
software component \cf{read\_4\_20\_input}, i.e. $G_3 = \{read\_4\_20\_input, RADC\} $.
software component \cf{read\_4\_20\_input}, i.e. $G_3 = \{\cf{read\_4\_20\_input}, RADC\} $.
%
{
\tiny
@ -651,8 +662,8 @@ The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$.
% 4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes.
% \paragraph{Final Functional Group}
For single failures these are the two ways in which this function
can fail. An $OUT\_OF\_RANGE$ condition will be flagged by the error flag variable.
The $VAL\_ERR$ will simply mean that the value read is incorrect: an undetectable
can fail. An $OUT\_OF\_RANGE$ condition will be flagged by the error flag variable, a detectable {\fm}.
The $VAL\_ERR$ will simply mean that the value read is incorrect: an undetectable {\fm}
and therefore undesirable condition.
%
Finally a {\dc} is created to represent a failure mode model for our
@ -743,7 +754,8 @@ the MUX is very demanding, separate pull down test lines may be implemented on t
%
A software specification for a hardware interface will typically concentrate on data formats,
how to interpret raw readings, or what digital signals to apply for actuators~\cite{sfmeainterface}.
Using FMMD the process naturally determines a failure model for the interface. % as well~\cite{sfmeainterface}.
%
Using FMMD the process naturally determines a failure model for the hardware/software interface. % as well~\cite{sfmeainterface}.
\\
\\
The {\ft} example above is based on the paper presented to System Safety in 2012~\cite{syssafe2012}.