From 3fc2688764235d841d6bf56af7cdd55df6b82823 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sat, 9 Oct 2010 16:48:42 +0100 Subject: [PATCH] . --- fmmd_design_aide/fmmd_design_aide.tex | 71 ++++++++++++++++----------- 1 file changed, 43 insertions(+), 28 deletions(-) diff --git a/fmmd_design_aide/fmmd_design_aide.tex b/fmmd_design_aide/fmmd_design_aide.tex index f1f7fe8..800049b 100644 --- a/fmmd_design_aide/fmmd_design_aide.tex +++ b/fmmd_design_aide/fmmd_design_aide.tex @@ -1,15 +1,17 @@ - - - - \ifthenelse {\boolean{paper}} { \abstract{ This paper describes how the FMMD methodology can be used to refine -safety critical designs and identify undetectable faults. +safety critical designs and identify undetectable and dormant faults. +% +Once undetecable faults or dormant faults are discovered +the design can be altered (or have a safety component added), and the FMMD analysis process re-applied. +This can be an iterative process which can be applied until the +design has an acceptable level of dormant or undetectable failure modes. +% Used in this way, its is a design aide, giving the user -the possibility to model a system from the perspective +the possibility to refine/correct a {\dc} from the perspective of its failure mode behaviour. } } 
@@ -17,26 +19,34 @@ of its failure mode behaviour. \section{Introduction} This chapter describes how the FMMD methodology can be used to examine -safety critical designs and identify undetectable faults. +safety critical designs and identify undetectable and dormant faults. +% +Once undetecable faults or dormant faults are discovered +the design can be altered (or have a safety component added), and the FMMD analysis process re-applied. +This can be an iterative process which can be applied until the +design has an acceptable level of dormant or undetectable failure modes. +% Used in this way, its is a design aide, giving the user the possibility to refine/correct a {\dc} from the perspective of its failure mode behaviour. - - - } -\section{How FMMD Analysis can reveal design flaws in failure mode detection } +\section{How FMMD Analysis can reveal design flaws w.r.t. failure behaviour } -A feature of FMMD analysis is the collection of components -into a {\fg}, which is then analysed w.r.t. its failure mode behaviour. -symptom collection. -From the failure mode behaviour of the {\fg} common symptoms are collected. +\paragraph{Overview of FMMD Methodology} +The principle of FMMD analysis is a four stage process, +the collection of components into {\fg}s, +these are analysed w.r.t. their failure mode behaviour, +the failure mode behaviour is then viewed from the {\fg} perspective (i.e. as a symptom of the {\fg}), +the common symptoms are then collected. +% +%From the failure mode behaviour of the {\fg} common symptoms are collected. These common symptoms are in effect the failure mode behaviour of the {\fg} viewed as a single entity, or a `black box' component. -From the analysis of the {\fg} we can created a {\dc}, where the failure modes +From the analysis of the {\fg} we can create a {\dc}, where the failure modes are the symptoms of the {\fg} we derived it from. 
+\paragraph{detectable and undetectable failure modes} The symptoms will be detectable (like a value of of range) or undetectable (like a logic state or value being incorrect). The `undetectable' failure modes are the most worrying for the safety critical designer. @@ -46,14 +56,19 @@ For instance, out of range values, we know we can cope with; they are an obvious error condition that will be detected by any modules using the {\dc}. An undetecable failure mode will introduce errors into a SYSTEM. +\paragraph{dormant faults} A dormant fault is one +which can manifest its-self in conjuction with +another failure mode becoming active, or an environmental +condition changing (for instance temperature). Some +component failure modes may lead to dormant failure modes. -\subsection{Iterative Design} +\subsection{Iterative Design Example} By applying FMMD analysis to a {\fg} we can determine which failure -modes of a {\dc} are detectable, and which are undetectable. +modes of a {\dc} are undetectable or dormant. We can then either modify the circuit and iteratively apply FMMD to the design again, or we could add another {\fg} -that specifically tests for the undetectable conditions. +that specifically tests for the undetectable/dormant conditions. This \ifthenelse {\boolean{paper}} @@ -65,7 +80,7 @@ chapter } describes a milli-volt amplifier (see R18 in figure \ref{fig:mv1}), with an inbuilt safety\footnote{The `safety resistor' also acts as a potential divider to provide a mill-volt offset. An offset is often required to allow for negative readings form the -milli-volt source being read} +milli-volt source.} resistor. The circuit is analysed and it is found that all but one component failure modes are detectable. We then design a circuit to test for the `undetectable' failure mode 
@@ -86,8 +101,8 @@ We then analsye the {\fg} and the resultant {\dc} failure modes are discussed. This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$). An offset is applied to the input by R18 and R22 forming a potential divider -of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of 1.86mV. -So the amplified offset is $\approx 342mV$. We can determine the output of the amplifier +of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of $1.86\,mV$. +So the amplified offset is $\approx 342 \, mV$. We can determine the output of the amplifier by subtracting this amount from the reading. We can also define an acceptable range for the readings. This would depend on the milli-volt source, and also on the detectability of the error volatges. @@ -100,19 +115,19 @@ EXPAND \begin{table}[h+] -\caption{Milli Volt Amplifier // Single Fault FMMD} % title of Table +\caption{Milli Volt Amplifier Single Fault FMMD} % title of Table \centering % used for centering table -\begin{tabular}{||l|c|c|l|l||} +\begin{tabular}{||l|c|l|c||} \hline \hline \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\ - \textbf{Case} & \textbf{mode} & \textbf{ } & \textbf{per $10^9$ hours of operation} \\ + \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\ % R & wire & res + & res - & description \hline \hline TC:1 $R18$ SHORT & Amp plus input high & Out of range & 1.38 \\ \hline -TC:2 $R18$ OPEN & No Offset Voltage & Low reading & 12.42\\ \hline +TC:2 $R18$ OPEN & No Offset Voltage & \textbf{Low reading} & 12.42\\ \hline \hline -TC:3 $R22$ SHORT & No offset voltage & Low reading & 1.38 \\ \hline +TC:3 $R22$ SHORT & No offset voltage & \textbf{Low reading} & 1.38 \\ \hline TC:4 $R22$ OPEN & Amp plus high input & Out of Range & 1.38 \\ \hline \hline TC:5 $R26$ SHORT & No gain from amp & Out of Range & 1.38 \\ 
@@ -134,7 +149,7 @@ Typically this type of circuit would be used to read a thermocouple and this erro symptom, "LOW READING" would mean our plant could beleive that the temperature reading is lower than it actually is. To take an example from a K type thermocouple, the offset of 1.86mV -from the potential divider represents about 46oC. +from the potential divider represents amplified to $\approx \, 342mV$ would represent $\approx \; 46\,^{\circ}{\rm C}$. \subsection{Undetected Failure Mode: Incorrect Reading}
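Review bot: typo and duplicated text in the abstract hunk (@@ -1,15 +1,17 @@): "Once undetecable faults or dormant faults are discovered" should read "Once undetectable or dormant faults are discovered", and the unchanged line just below it, "Used in this way, its is a design aide", should be "it is a design aid". The six added lines are repeated verbatim in the introduction hunk, so the same typo now has to be fixed in two places; defining the passage once with \newcommand and using it in both branches of \ifthenelse{\boolean{paper}} would stop the two copies drifting apart. The commit subject "." also says nothing about the change; a one-line summary ("add dormant faults, fix table columns") would help anyone reading the log.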
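Review bot: the new \paragraph{Overview of FMMD Methodology} (@@ -17,26 +19,34 @@) announces "a four stage process" and then runs all four stages together in one comma-spliced sentence, so the reader cannot easily count them; an enumerate of (1) collect components into a {\fg}, (2) analyse the {\fg} w.r.t. the failure modes of its components, (3) view each failure mode as a symptom of the {\fg}, (4) collect common symptoms to form the failure modes of the {\dc} would make the structure visible, and "four stage" should be hyphenated ("four-stage"). The "its is a design aide" typo is carried into the introduction here as well. Minor: the renamed section title "...design flaws w.r.t. failure behaviour }" keeps a trailing space before the closing brace, and the new \paragraph{detectable and undetectable failure modes} heading is lower-case while the paragraph heading above it is title-case.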
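Review bot: spelling in the new \paragraph{dormant faults} (@@ -46,14 +56,19 @@): "its-self" should be "itself" and "conjuction" should be "conjunction". More substantively, the subsection is now titled "Iterative Design Example" and says FMMD will determine which {\dc} failure modes are "undetectable or dormant", but the worked example that follows only reports that "all but one component failure modes are detectable" and never identifies a dormant fault; either add a dormant case to the example (which table entry only manifests once a second fault or a temperature change occurs) or limit the sentence to undetectable faults. The closing sentence "Some component failure modes may lead to dormant failure modes" adds nothing to the definition above it and could be dropped.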
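Review bot: the footnote fix (@@ -65,7 +80,7 @@) replaces "being read}" with "source.}" but leaves the typo on the unchanged line immediately above, "negative readings form the", which should be "from the"; since the footnote is being edited anyway, fix both here.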
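Review bot: units inside math mode (@@ -86,8 +101,8 @@) are set in italics, so $1.86\,mV$ renders the unit as the variables m and V; use $1.86\,\mathrm{mV}$ and $\approx 342\,\mathrm{mV}$ (or \SI{1.86}{\milli\volt} if siunitx is loaded). The arithmetic is fine: 5 V times 820/(2.2E6+820) is about 1.863 mV, and times the gain 150E3/820+1 of about 184 gives about 343 mV, so "$\approx 342\,mV$" holds as an approximation. Two leftovers in the unchanged context: "error volatges" should be "voltages", and the "EXPAND" placeholder at the top of the hunk is still in the text.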
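Review bot: the table hunk (@@ -100,19 +115,19 @@) loses the MTTF unit: the second header row now ends "\textbf{ } & \\ % \textbf{per $10^9$ hours of operation}", so the values 1.38 and 12.42 appear with no unit at all. Keep the unit in the header (for example "\textbf{MTTF}" over "\textbf{(per $10^9$ h)}") or state it in the caption; commenting it out to cure a column-width problem throws the information away. The new \textbf{Low reading} on TC:2 and TC:3 has no legend, so the caption should say that bold marks the symptom the text treats as undetected. The column fix from "||l|c|c|l|l||" (five columns) to "||l|c|l|c||" (four) matches the four-column rows and is correct. Two things to check against figure \ref{fig:mv1}: the prose describes R18 (820) as the lower leg of the divider 820/(2.2E6+820), in which case an R18 SHORT pulls the amp + input to ground (no offset, low reading) and an R18 OPEN lets R22 pull it to Vcc (input high), which is the opposite of TC:1/TC:2, and likewise TC:3/TC:4 for R22; either the SHORT/OPEN entries are swapped or the divider description is wrong. Also "\begin{table}[h+]" is not a valid float specifier and will raise "Unknown float option"; use [h] or [ht].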
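Review bot: the rewritten sentence (@@ -134,7 +149,7 @@) is ungrammatical: "the offset of 1.86mV from the potential divider represents amplified to $\approx \, 342mV$ would represent $\approx \; 46\,^{\circ}{\rm C}$" has two main verbs and no subject for the second. Suggest "the offset of $1.86\,\mathrm{mV}$ from the potential divider, amplified to $\approx 342\,\mathrm{mV}$, would represent $\approx 46\,^{\circ}\mathrm{C}$". The conversion from 1.86 mV to 46 degrees is asserted without a source; cite the K type thermocouple reference table used so the reader can check it. "beleive" on the unchanged context line should be "believe".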