morning edit

This commit is contained in:
Robin Clark 2010-11-08 07:21:08 +00:00
parent 7da9f75e27
commit 37f52c3cc0
4 changed files with 67 additions and 2 deletions


@ -253,7 +253,7 @@ both states of the transistor, ON and OFF.
This test circuit has two operational states, in that it This test circuit has two operational states, in that it
can be switched on to apply the test parallel resistance, and can be switched on to apply the test series resistance, and
off to obtain the correct reading. off to obtain the correct reading.
% %
We must examine each test case from these two perspectives. We must examine each test case from these two perspectives.
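Review bot: the one-word change from "parallel" to "series" test resistance in the first sentence needs to be mirrored wherever this test circuit is described. The hunk header context ("both states of the transistor, ON and OFF") shows the surrounding paragraph explains the ON state as the one that applies the test resistance, so please confirm that the circuit figure and any earlier description of this test circuit also say series; otherwise the chapter now contradicts itself about how the test resistance is connected.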
@ -384,3 +384,6 @@ Draw FMMD hierarchy diagram.
With safety addition reliability GOES DOWN ! With safety addition reliability GOES DOWN !
But safety goes UP ! But safety goes UP !
Work it out Work it out
Yes so we now have aditional failure modesso the reliability
of the `self testing' circuit is lower than the basic one.
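Review bot: the added sentence has typos ("aditional", "modesso") and states the conclusion without the distinction the preceding lines ("reliability GOES DOWN !", "But safety goes UP !") are reaching for. Suggest: "Yes, so we now have additional failure modes, so the reliability of the `self testing' circuit is lower than the basic one." followed by one sentence saying what is being traded: the extra components raise the probability that some failure occurs, while the self-test lowers the probability that a failure goes undetected. The surrounding "Draw FMMD hierarchy diagram." and "Work it out" are working notes in body text and should be commented out or removed before this is typeset.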


@ -81,6 +81,7 @@ as FMEA is an `expert only' time consuming technique, this idea was
obviously impractical. Note that most of the checks made would be redundant. obviously impractical. Note that most of the checks made would be redundant.
Most components affect the performance of a few that they are placed to work with Most components affect the performance of a few that they are placed to work with
to perform some particular low-level function. to perform some particular low-level function.
\paragraph{Top down Approach} \paragraph{Top down Approach}
A top down approach has several potential problems. A top down approach has several potential problems.
By its nature it means that at the start of the process By its nature it means that at the start of the process
@ -113,6 +114,55 @@ Also a hierarchy is formed when the top level errors are formed
naturally from the lower levels of analysis. naturally from the lower levels of analysis.
Unlike a top~down analysis, we cannot miss a top level fault condition. Unlike a top~down analysis, we cannot miss a top level fault condition.
\paragraph{Repeated Circuitry Sub-Systems}
In all safety critical real time systems the author has worked with
all have repeated sections of hardware.
for instance self checking digital inputs, analog inputs, sections of circuitry to
generate {\ft} loops, micro-processors with watchdog secondary
circuity.
In other words spending time on analysing these lower level sub-systems
seems worthwhile, since they will be used in many designs, and are often
repeated within a SYSTEM
(and thus the analysis results may be re-used).
In general terms we can describe
these circuitry sub-systems
as collections of components or smaller sub-systesm, that interact to perform a given function.
We can call these collections {\fg}s.
In these `safety critical' circuitry sections, especially ones claiming to
be self-checking, the actual level of safety depends upon not
just the MTTF/reliability of the components, but the
{\fg}s reaction to a component failure
within the ciruit.
That is to say how the circuit section or {\fg}
reacts to component failures within it.
We may find for instance that the circuit reacts to most component failure modes
in ways that we can detect that there has been a failure.
Some can component failure modes in the {\fg} can lead to serious errors, such as an incorrect reading
that we cannot immediately detect.
%
We will, if these specific component
failures occur, not know and feed incorrect data into our system.
%
Figure \ref{fig:millivolt} shows a typical industrial
circuit to measure and amplify millivolt signals.
It will detect a disconneted milli-volt source (the most common
failure, and usually due to wiring faults) and some other internal component failures.
It can however provide an incorrect (slightly low reading) if
one of two resistors fail in particular ways.
% Although statistically unlikely, in a very critical system
% this may have to be considered.
To the author, it seems that paying attention
to the way {\fg}s of components interact and proving
a safety case for them is a very important aspect
of detecting `undetected failures' in safety critical product design.
\paragraph{Multi-disipline} Most safety critical systems are composed of mechanical, electrical and \paragraph{Multi-disipline} Most safety critical systems are composed of mechanical, electrical and
computing elements. A tragic example of the mechanical and electrical elements computing elements. A tragic example of the mechanical and electrical elements
interfacing to a computer is found in the THERAC25 x-ray dosage machine. interfacing to a computer is found in the THERAC25 x-ray dosage machine.
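Review bot: the new "Repeated Circuitry Sub-Systems" paragraph carries the central argument of this section, that the safety of a {\fg} depends on how it reacts to failures of its own components and not on component MTTF alone, but several sentences do not parse: "In all safety critical real time systems the author has worked with all have repeated sections" (drop the second "all"), "for instance self checking digital inputs" starts a sentence in lower case, and "Some can component failure modes" should drop "can". Misspellings: "sub-systesm", "ciruit", "disconneted", "Multi-disipline". The statement that the millivolt circuit "can however provide an incorrect (slightly low reading) if one of two resistors fail in particular ways" is the one concrete example of an undetected failure in the section and should name the two resistors and the failure modes concerned with reference to \ref{fig:millivolt}, otherwise the reader cannot check the claim. The two commented-out lines about statistical likelihood should either be restored as text or deleted.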
@ -297,7 +347,7 @@ adjusting the fuel air mix can get the efficiencies very close to theoretical le
As the automation takes over more and more functions from the human operator it also takes on more responsibility. As the automation takes over more and more functions from the human operator it also takes on more responsibility.
A classic example of an automated system failing, is the therac-25. A classic example of an automated system failing, is the therac-25.
This was an X-ray dosage machine, that, due to software errors This was an X-ray/electron~beam dosage machine, that, due to software errors
caused the deaths of several patients and injured more during the 1980's. caused the deaths of several patients and injured more during the 1980's.
The Therac-25 was a designed from a manual system, which had checks and interlocks, The Therac-25 was a designed from a manual system, which had checks and interlocks,
and was subsequently computerised. Software safety interlock problems were the primary causes of the radiation and was subsequently computerised. Software safety interlock problems were the primary causes of the radiation
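Review bot: this hunk changes the Therac-25 description to "X-ray/electron~beam dosage machine", but the earlier hunk in this same file (the "Multi-disipline" paragraph) still calls it the "THERAC25 x-ray dosage machine"; update both, and settle on one spelling, since "Therac-25", "therac-25" and "THERAC25" all appear in this commit. Also "The Therac-25 was a designed from a manual system" should read "was designed from".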


@ -39,6 +39,8 @@
\DeclareMathSymbol{\I}{\mathbin}{AMSb}{"49} \DeclareMathSymbol{\I}{\mathbin}{AMSb}{"49}
\DeclareMathSymbol{\C}{\mathbin}{AMSb}{"43} \DeclareMathSymbol{\C}{\mathbin}{AMSb}{"43}
\newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20mA} }
% Page layout definitions to suit A4 paper % Page layout definitions to suit A4 paper
\setcounter{secnumdepth}{3} \setcounter{tocdepth}{4} \setcounter{secnumdepth}{3} \setcounter{tocdepth}{4}
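Review bot: the new macro `\newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20mA} }` has a trailing space inside the definition, so every use such as "{\ft} loops" gets that space on top of the source's own spacing, and a use directly before punctuation leaves a stray gap; drop the space or use `\xspace`. Inside math mode "mA" is typeset as the product of two italic variables m and A; write the unit upright with a thin space, e.g. `\newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20\,\mathrm{mA}}}`.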


@ -118,6 +118,16 @@
%\input{switch1/switch1} %\input{switch1/switch1}
\chapter{FMMD functional~group to \\derived component example: Safety Critical 'ON OFF' Switch} \chapter{FMMD functional~group to \\derived component example: Safety Critical 'ON OFF' Switch}
Here show the funcitonality of the switch, as with milli volt amp
main built in self checking is for incorrect wiring (to 5V for perm on detected
and wires fallen off == OFF or broken)
Now show how fmmd works, by showing the check line and transistor, feeding
about 4 switches.
Show how each switch inherits/includes the same check circuit
in a hiearcvy (i.e. they all include that one in their
{\fg}s.
Show how FMMS is describing a common failure mode structure.
\chapter{FMMD functional~group to \\derived component example: Reading 4 to 20 mA inputs} \chapter{FMMD functional~group to \\derived component example: Reading 4 to 20 mA inputs}
%\input{milliampin/milliampin} %\input{milliampin/milliampin}
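Review bot: the lines added under the "Safety Critical 'ON OFF' Switch" chapter are planning notes placed in the body text, so they will be typeset as-is; prefix them with `%` or a todo macro. They also contain typos ("funcitonality", "hiearcvy", and "FMMS" where FMMD is meant) and an unclosed parenthesis in "(i.e. they all include that one in their {\fg}s." Note too that the chapter title uses straight quotes in 'ON OFF' where the rest of this commit uses the LaTeX `` `...' `` convention (compare "`self testing'" in the other file).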