From 37f52c3cc0d4ec5a876b0216e8ad3bfbea2fddf7 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Mon, 8 Nov 2010 07:21:08 +0000 Subject: [PATCH] morning edit --- fmmd_design_aide/fmmd_design_aide.tex | 5 ++- introduction/introduction.tex | 52 ++++++++++++++++++++++++++- style.tex | 2 ++ thesis.tex | 10 ++++++ 4 files changed, 67 insertions(+), 2 deletions(-) diff --git a/fmmd_design_aide/fmmd_design_aide.tex b/fmmd_design_aide/fmmd_design_aide.tex index 98a56c4..fc39a95 100644 --- a/fmmd_design_aide/fmmd_design_aide.tex +++ b/fmmd_design_aide/fmmd_design_aide.tex @@ -253,7 +253,7 @@ both states of the transistor, ON and OFF. This test circuit has two operational states, in that it -can be switched on to apply the test parallel resistance, and +can be switched on to apply the test series resistance, and off to obtain the correct reading. % We must examine each test case from these two perspectives. @@ -384,3 +384,6 @@ Draw FMMD hierarchy diagram. With safety addition reliability GOES DOWN ! But safety goes UP ! Work it out + +Yes so we now have aditional failure modesso the reliability +of the `self testing' circuit is lower than the basic one. diff --git a/introduction/introduction.tex b/introduction/introduction.tex index c96dc92..53ab7db 100644 --- a/introduction/introduction.tex +++ b/introduction/introduction.tex @@ -81,6 +81,7 @@ as FMEA is an `expert only' time consuming technique, this idea was obviously impractical. Note that most of the checks made would be redundant. Most components affect the performance of a few that they are placed to work with to perform some particular low-level function. + \paragraph{Top down Approach} A top down approach has several potential problems. By its nature it means that at the start of the process 
@@ -113,6 +114,55 @@ Also a hierarchy is formed when the top level errors are formed naturally from the lower levels of analysis. Unlike a top~down analysis, we cannot miss a top level fault condition. +\paragraph{Repeated Circuitry Sub-Systems} + +In all safety critical real time systems the author has worked with +all have repeated sections of hardware. +for instance self checking digital inputs, analog inputs, sections of circuitry to +generate {\ft} loops, micro-processors with watchdog secondary +circuity. +In other words spending time on analysing these lower level sub-systems +seems worthwhile, since they will be used in many designs, and are often +repeated within a SYSTEM +(and thus the analysis results may be re-used). + +In general terms we can describe +these circuitry sub-systems +as collections of components or smaller sub-systesm, that interact to perform a given function. +We can call these collections {\fg}s. + + +In these `safety critical' circuitry sections, especially ones claiming to +be self-checking, the actual level of safety depends upon not +just the MTTF/reliability of the components, but the +{\fg}s reaction to a component failure +within the ciruit. + +That is to say how the circuit section or {\fg} +reacts to component failures within it. +We may find for instance that the circuit reacts to most component failure modes +in ways that we can detect that there has been a failure. + +Some can component failure modes in the {\fg} can lead to serious errors, such as an incorrect reading +that we cannot immediately detect. +% +We will, if these specific component +failures occur, not know and feed incorrect data into our system. +% +Figure \ref{fig:millivolt} shows a typical industrial +circuit to measure and amplify millivolt signals. +It will detect a disconneted milli-volt source (the most common +failure, and usually due to wiring faults) and some other internal component failures. 
+It can however provide an incorrect (slightly low reading) if +one of two resistors fail in particular ways. +% Although statistically unlikely, in a very critical system +% this may have to be considered. + +To the author, it seems that paying attention +to the way {\fg}s of components interact and proving +a safety case for them is a very important aspect +of detecting `undetected failures' in safety critical product design. + \paragraph{Multi-disipline} Most safety critical systems are composed of mechanical, electrical and computing elements. A tragic example of the mechanical and electrical elements interfacing to a computer is found in the THERAC25 x-ray dosage machine. @@ -297,7 +347,7 @@ adjusting the fuel air mix can get the efficiencies very close to theoretical le As the automation takes over more and more functions from the human operator it also takes on more responsibility. A classic example of an automated system failing, is the therac-25. -This was an X-ray dosage machine, that, due to software errors +This was an X-ray/electron~beam dosage machine, that, due to software errors caused the deaths of several patients and injured more during the 1980's. The Therac-25 was a designed from a manual system, which had checks and interlocks, and was subsequently computerised. Software safety interlock problems were the primary causes of the radiation diff --git a/style.tex b/style.tex index 7c5d864..3d40a3d 100644 --- a/style.tex +++ b/style.tex @@ -39,6 +39,8 @@ \DeclareMathSymbol{\I}{\mathbin}{AMSb}{"49} \DeclareMathSymbol{\C}{\mathbin}{AMSb}{"43} +\newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20mA} } + % Page layout definitions to suit A4 paper \setcounter{secnumdepth}{3} \setcounter{tocdepth}{4} diff --git a/thesis.tex b/thesis.tex index b834d4e..c63b8c3 100644 --- a/thesis.tex +++ b/thesis.tex 
@@ -118,6 +118,16 @@ %\input{switch1/switch1} \chapter{FMMD functional~group to \\derived component example: Safety Critical 'ON OFF' Switch} +Here show the funcitonality of the switch, as with milli volt amp +main built in self checking is for incorrect wiring (to 5V for perm on detected +and wires fallen off == OFF or broken) + +Now show how fmmd works, by showing the check line and transistor, feeding +about 4 switches. +Show how each switch inherits/includes the same check circuit +in a hiearcvy (i.e. they all include that one in their +{\fg}s. +Show how FMMS is describing a common failure mode structure. \chapter{FMMD functional~group to \\derived component example: Reading 4 to 20 mA inputs} %\input{milliampin/milliampin}
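Review bot: the first fmmd_design_aide.tex hunk (around line 253) changes the electrical meaning of the test circuit from `parallel resistance` to `series resistance` without saying why, and neither the commit message nor the following sentence (`off to obtain the correct reading`) tells the reader which reading the ON state is expected to produce. Since this is the self-test path of a safety circuit, record the reason for the correction in a `%` comment at that line, and state in the text what value the test resistance should pull the reading to when switched ON, so that the two "perspectives" the next sentence asks us to examine are both defined.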
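Review bot: the second fmmd_design_aide.tex hunk (after line 384) adds two lines that will be typeset as-is under the working note `Work it out`, and they carry typos (`aditional` should be `additional`, `modesso` should be `modes so`); either comment them out with `%` or finish the paragraph. The statement itself needs a qualifier to be correct: what goes down with the self-test addition is the overall reliability (more components, hence a higher total failure rate and lower MTTF, exactly as the preceding line `reliability GOES DOWN ! But safety goes UP !` says), while what goes up is the fraction of those failures that are detected. Saying `overall reliability` and `detected failure fraction` explicitly avoids the reading that self-testing makes the product worse.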
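Review bot: in the introduction.tex hunk at line 113 (the new `Repeated Circuitry Sub-Systems` paragraph), `Figure \ref{fig:millivolt}` has no matching `\label{fig:millivolt}` anywhere in this patch, so unless that figure already exists in the tree it will typeset as `??`; add the figure or the label in the same commit. The paragraph's central safety claim, that the circuit `can however provide an incorrect (slightly low reading) if one of two resistors fail in particular ways`, is left vague at precisely the point the argument depends on: name the two resistors and the failure modes (open, short, or drift) that give the undetected low reading, since that is the "undetected failure" the closing sentence says the method is for. Grammar to fix before this ships: `In all safety critical real time systems the author has worked with all have` (drop one `all`), `for instance` starting a sentence in lower case, `circuity`, `sub-systesm`, `ciruit`, `disconneted`, and `Some can component failure modes` (drop `can`).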
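Review bot: the introduction.tex hunk at line 297 correctly broadens the Therac-25 description to `X-ray/electron~beam`, but the machine's name is now spelt three ways in the visible text (`THERAC25`, `therac-25`, `Therac-25`); settle on `Therac-25` throughout. The unchanged context line that follows still reads `The Therac-25 was a designed from a manual system` (drop `a`) and `during the 1980's` (should be `1980s`); since this hunk already touches the paragraph, fix them here rather than in a later pass.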
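Review bot: in the style.tex hunk, `\newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20mA} }` sets `mA` inside math mode, so it will be printed in math italic as if it were the product of variables m and A; write the unit upright with `\mathrm`, e.g. `\ensuremath{4\!\!\rightarrow\!\!20\,\mathrm{mA}}`. The trailing space inside the outer braces also forces a space after every use, including before punctuation (`{\ft}.` would print `4->20mA .`); drop it and let the call sites such as `{\ft} loops` supply their own spacing, or use `\xspace` from the xspace package if automatic spacing is wanted.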
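Review bot: in the thesis.tex hunk, the lines added under the `Safety Critical 'ON OFF' Switch` chapter (`Here show the funcitonality of the switch ...`, `Now show how fmmd works ...`) are planning notes placed in the document body, so they will be typeset as chapter text; prefix them with `%` like the neighbouring `%\input{switch1/switch1}` until the chapter is written. They also carry typos that would otherwise ship: `funcitonality`, `hiearcvy`, `FMMS` (presumably FMMD, as used everywhere else in the patch), and `wires fallen off == OFF` uses a code-style `==` in prose. The chapter title's straight quotes in `'ON OFF'` should be LaTeX quotes (`` `ON OFF' ``), matching `` `self testing' `` used in the fmmd_design_aide.tex hunk.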