parent 4ec18c0321
commit 3fc2688764
@ -1,15 +1,17 @@




\ifthenelse {\boolean{paper}}
{
\abstract{ This
paper
describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable faults.
safety critical designs and identify undetectable and dormant faults.
%
Once undetecable faults or dormant faults are discovered
the design can be altered (or have a safety component added), and the FMMD analysis process re-applied.
This can be an iterative process which can be applied until the
design has an acceptable level of dormant or undetectable failure modes.
%
Used in this way, its is a design aide, giving the user
the possibility to model a system from the perspective
the possibility to refine/correct a {\dc} from the perspective
of its failure mode behaviour.
}
}
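Review bot: the unchanged context lines of this hunk still carry the spelling "undetecable" ("Once undetecable faults or dormant faults are discovered") and the slip "its is a design aide" (should read "it is a design aid"); since the neighbouring abstract lines are being rewritten anyway, correct both here rather than leaving them for a later pass. The replacement line "the possibility to refine/correct a {\dc} from the perspective" also introduces the {\dc} macro into the abstract, which in the paper build (\boolean{paper} true) is typeset before the term has been defined; either expand the term on first use in the abstract or keep the old wording "a system" there and use {\dc} only in the body.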
@ -17,26 +19,34 @@ of its failure mode behaviour.
\section{Introduction}
This chapter
describes how the FMMD methodology can be used to examine
safety critical designs and identify undetectable faults.
safety critical designs and identify undetectable and dormant faults.
%
Once undetecable faults or dormant faults are discovered
the design can be altered (or have a safety component added), and the FMMD analysis process re-applied.
This can be an iterative process which can be applied until the
design has an acceptable level of dormant or undetectable failure modes.
%
Used in this way, its is a design aide, giving the user
the possibility to refine/correct a {\dc} from the perspective
of its failure mode behaviour.



}


\section{How FMMD Analysis can reveal design flaws in failure mode detection }
\section{How FMMD Analysis can reveal design flaws w.r.t. failure behaviour }

A feature of FMMD analysis is the collection of components
into a {\fg}, which is then analysed w.r.t. its failure mode behaviour.
symptom collection.
From the failure mode behaviour of the {\fg} common symptoms are collected.
\paragraph{Overview of FMMD Methodology}
The principle of FMMD analysis is a four stage process,
the collection of components into {\fg}s,
these are analysed w.r.t. their failure mode behaviour,
the failure mode behaviour is then viewed from the {\fg} perspective (i.e. as a symptom of the {\fg}),
the common symptoms are then collected.
%
%From the failure mode behaviour of the {\fg} common symptoms are collected.
These common symptoms are in effect the failure mode behaviour of
the {\fg} viewed as a single entity, or a `black box' component.
From the analysis of the {\fg} we can created a {\dc}, where the failure modes
From the analysis of the {\fg} we can create a {\dc}, where the failure modes
are the symptoms of the {\fg} we derived it from.
\paragraph{detectable and undetectable failure modes}
The symptoms will be detectable (like a value of of range)
or undetectable (like a logic state or value being incorrect).
The `undetectable' failure modes are the most worrying for the safety critical designer.
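Review bot: "symptom collection." stands alone as a sentence fragment between "into a {\fg}, which is then analysed w.r.t. its failure mode behaviour." and "From the failure mode behaviour of the {\fg} common symptoms are collected."; unless it is one of the lines being dropped, delete it. The Introduction repeats the abstract almost word for word, including "undetecable" and "its is a design aide", so both copies need the same corrections; "a value of of range" should read "a value out of range"; and the \paragraph title "detectable and undetectable failure modes" is lower case where the preceding "Overview of FMMD Methodology" is title case. The four-stage description ("the collection of components into {\fg}s, these are analysed w.r.t. their failure mode behaviour, the failure mode behaviour is then viewed from the {\fg} perspective ..., the common symptoms are then collected.") lists four distinct stages in one run-on sentence and would read more clearly as an enumerate, one item per stage. The new section title keeps a trailing space inside the braces ("... w.r.t. failure behaviour }"), which is harmless but untidy in the table of contents source.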
@ -46,14 +56,19 @@ For instance, out of range values, we know we can cope with; they
are an obvious error condition that will be detected by any modules
using the {\dc}. An undetecable failure mode will introduce
errors into a SYSTEM.
\paragraph{dormant faults} A dormant fault is one
which can manifest its-self in conjuction with
another failure mode becoming active, or an environmental
condition changing (for instance temperature). Some
component failure modes may lead to dormant failure modes.

\subsection{Iterative Design}
\subsection{Iterative Design Example}

By applying FMMD analysis to a {\fg} we can determine which failure
modes of a {\dc} are detectable, and which are undetectable.
modes of a {\dc} are undetectable or dormant.
We can then either modify the circuit and iteratively
apply FMMD to the design again, or we could add another {\fg}
that specifically tests for the undetectable conditions.
that specifically tests for the undetectable/dormant conditions.

This
\ifthenelse {\boolean{paper}}
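Review bot: the rewritten line "modes of a {\dc} are undetectable or dormant." changes what the sentence classifies. The paragraph just above defines a dormant fault as one that only manifests in conjunction with another failure mode or an environmental change, which is a different axis from detectable/undetectable (a dormant fault may be either once it manifests); with the old wording dropped, the text no longer says that FMMD also tells us which modes are detectable. Suggest "are detectable, which are undetectable, and which are dormant" so the three categories the rest of the chapter relies on are all named. In the same paragraph "its-self in conjuction with" should read "itself in conjunction with", and the context line "using the {\dc}. An undetecable failure mode will introduce" repeats the "undetecable" misspelling. "\paragraph{dormant faults}" is lower case like the preceding "detectable and undetectable failure modes" paragraph title; pick one convention for \paragraph titles and apply it to all three.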
@ -65,7 +80,7 @@ chapter
}
describes a milli-volt amplifier (see R18 in figure \ref{fig:mv1}), with an inbuilt safety\footnote{The `safety resistor' also acts
as a potential divider to provide a mill-volt offset. An offset is often required to allow for negative readings form the
milli-volt source being read}
milli-volt source.}
resistor. The circuit is analysed and it is found that all but one component failure modes
are detectable.
We then design a circuit to test for the `undetectable' failure mode
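Review bot: the \footnote is attached to "safety" in "with an inbuilt safety\footnote{...} resistor", which splits the very term the footnote explains and puts the footnote mark before the noun; move the \footnote{...} to after "resistor". The changed line only corrects the footnote's final clause, while its earlier context lines keep "mill-volt offset" (milli-volt) and "negative readings form the" (from the); fix both while the footnote is being edited. "all but one component failure modes are detectable" should read "all but one component failure mode is detectable" (or "all component failure modes but one are detectable").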
@ -86,8 +101,8 @@ We then analsye the {\fg} and the resultant {\dc} failure modes are discussed.

This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$).
An offset is applied to the input by R18 and R22 forming a potential divider
of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of 1.86mV.
So the amplified offset is $\approx 342mV$. We can determine the output of the amplifier
of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of $1.86\,mV$.
So the amplified offset is $\approx 342 \, mV$. We can determine the output of the amplifier
by subtracting this amount from the reading. We can also define an acceptable
range for the readings. This would depend on the milli-volt source, and also on the
detectability of the error volatges.
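Review bot: the new unit typesetting "$1.86\,mV$" and "$\approx 342 \, mV$" leaves "mV" in math italic; write \mathrm{mV} (or use siunitx, \SI{1.86}{\milli\volt}) so the unit is upright, and apply the same to "5V" and "342mV" elsewhere in the paragraph for consistency. The context line "detectability of the error volatges." should read "voltages", and the hunk's header context "We then analsye the {\fg}" should read "analyse". The arithmetic is consistent: $150\mathrm{E}3/820 + 1 = 183.9 \approx 184$, $5\,\mathrm{V} \times 820/(2.2\mathrm{E}6 + 820) = 1.863\,\mathrm{mV}$, and $1.863\,\mathrm{mV} \times 183.9 \approx 342.6\,\mathrm{mV}$, so the $\approx$ is justified; stating the two resistor values explicitly where the divider is introduced ("R18 and R22 forming a potential divider") would let a reader check this without the figure.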
@ -100,19 +115,19 @@ EXPAND


\begin{table}[h+]
\caption{Milli Volt Amplifier // Single Fault FMMD} % title of Table
\caption{Milli Volt Amplifier Single Fault FMMD} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\begin{tabular}{||l|c|l|c||}
\hline \hline
\textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\
\textbf{Case} & \textbf{mode} & \textbf{ } & \textbf{per $10^9$ hours of operation} \\
\textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline
\hline
TC:1 $R18$ SHORT & Amp plus input high & Out of range & 1.38 \\ \hline
TC:2 $R18$ OPEN & No Offset Voltage & Low reading & 12.42\\ \hline
TC:2 $R18$ OPEN & No Offset Voltage & \textbf{Low reading} & 12.42\\ \hline
\hline
TC:3 $R22$ SHORT & No offset voltage & Low reading & 1.38 \\ \hline
TC:3 $R22$ SHORT & No offset voltage & \textbf{Low reading} & 1.38 \\ \hline
TC:4 $R22$ OPEN & Amp plus high input & Out of Range & 1.38 \\
\hline
TC:5 $R26$ SHORT & No gain from amp & Out of Range & 1.38 \\
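Review bot: the new column spec "\begin{tabular}{||l|c|l|c||}" brings the column count into line with the four-cell header rows (the old five-column spec did not match them), but the second header line now ends "& \\ % \textbf{per $10^9$ hours of operation}", so the "MTTF" column has lost its units line while every data row still ends with a number (1.38, 12.42); either restore the units text or drop the values. "\begin{table}[h+]" is not a valid float placement ("+" is not one of h, t, b, p, !) and LaTeX will reject it; use [h!] or [ht]. The first column packs test case, component and component failure mode together ("TC:1 $R18$ SHORT") while the column headed "Failure mode" actually holds the effect on the amplifier ("Amp plus input high"); relabel the headers (for example Test case / Component failure mode / Effect / Symptom) or split the first column as the old five-column spec allowed. The bolding of "Low reading" on TC:2 and TC:3 presumably marks the symptom discussed as undetectable later in the chapter; say so in the caption or a table note so the emphasis is explained rather than left for the reader to infer. The stray "\hline" rows after TC:2 and TC:4 double the rule without separating anything; if they are meant to group the R18 and R22 cases, a single \hline\hline would be clearer.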
@ -134,7 +149,7 @@ Typically this type of circuit would be used to read a thermocouple
and this erro symptom, "LOW READING" would mean our plant could
beleive that the temperature reading is lower than it actually is.
To take an example from a K type thermocouple, the offset of 1.86mV
from the potential divider represents about 46oC.
from the potential divider represents amplified to $\approx \, 342mV$ would represent $\approx \; 46\,^{\circ}{\rm C}$.

\subsection{Undetected Failure Mode: Incorrect Reading}
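Review bot: the replacement line "from the potential divider represents amplified to $\approx \, 342mV$ would represent $\approx \; 46\,^{\circ}{\rm C}$." is not a grammatical continuation of "the offset of 1.86mV": both "represents" and "would represent" survive the edit. Read it as "from the potential divider, amplified to $\approx 342\,\mathrm{mV}$, would represent $\approx 46\,^{\circ}\mathrm{C}$." (\mathrm rather than the obsolete \rm, and upright mV as in the earlier hunk). The context lines keep "erro symptom" (error) and "beleive" (believe), and "LOW READING" uses straight double quotes where the rest of the file uses LaTeX `...' quoting. The 46 value itself is consistent with a type K thermocouple's sensitivity of roughly 41 µV/°C near room temperature (1.86 mV / 41 µV ≈ 45 °C), so only the wording needs attention; a citation for the thermocouple table used would let readers check it.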