This commit is contained in:
Robin Clark 2010-10-09 16:48:42 +01:00
parent 4ec18c0321
commit 3fc2688764


@ -1,15 +1,17 @@
\ifthenelse {\boolean{paper}} \ifthenelse {\boolean{paper}}
{ {
\abstract{ This \abstract{ This
paper paper
describes how the FMMD methodology can be used to refine describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable faults. safety critical designs and identify undetectable and dormant faults.
%
Once undetecable faults or dormant faults are discovered
the design can be altered (or have a safety component added), and the FMMD analysis process re-applied.
This can be an iterative process which can be applied until the
design has an acceptable level of dormant or undetectable failure modes.
%
Used in this way, its is a design aide, giving the user Used in this way, its is a design aide, giving the user
the possibility to model a system from the perspective the possibility to refine/correct a {\dc} from the perspective
of its failure mode behaviour. of its failure mode behaviour.
} }
} }
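Review bot: The new abstract text carries two spelling errors and a grammatical slip that will survive into the paper: "undetecable" should be "undetectable", and the carried-over sentence "its is a design aide" should read "it is a design aid". The sentence "This can be an iterative process which can be applied until the design has an acceptable level of dormant or undetectable failure modes" also repeats "can be"; consider "The process is iterative and can be repeated until the design has an acceptable level of dormant or undetectable failure modes."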
@ -17,26 +19,34 @@ of its failure mode behaviour.
\section{Introduction} \section{Introduction}
This chapter This chapter
describes how the FMMD methodology can be used to examine describes how the FMMD methodology can be used to examine
safety critical designs and identify undetectable faults. safety critical designs and identify undetectable and dormant faults.
%
Once undetecable faults or dormant faults are discovered
the design can be altered (or have a safety component added), and the FMMD analysis process re-applied.
This can be an iterative process which can be applied until the
design has an acceptable level of dormant or undetectable failure modes.
%
Used in this way, its is a design aide, giving the user Used in this way, its is a design aide, giving the user
the possibility to refine/correct a {\dc} from the perspective the possibility to refine/correct a {\dc} from the perspective
of its failure mode behaviour. of its failure mode behaviour.
} }
\section{How FMMD Analysis can reveal design flaws in failure mode detection } \section{How FMMD Analysis can reveal design flaws w.r.t. failure behaviour }
A feature of FMMD analysis is the collection of components \paragraph{Overview of FMMD Methodology}
into a {\fg}, which is then analysed w.r.t. its failure mode behaviour. The principle of FMMD analysis is a four stage process,
symptom collection. the collection of components into {\fg}s,
From the failure mode behaviour of the {\fg} common symptoms are collected. these are analysed w.r.t. their failure mode behaviour,
the failure mode behaviour is then viewed from the {\fg} perspective (i.e. as a symptom of the {\fg}),
the common symptoms are then collected.
%
%From the failure mode behaviour of the {\fg} common symptoms are collected.
These common symptoms are in effect the failure mode behaviour of These common symptoms are in effect the failure mode behaviour of
the {\fg} viewed as a single entity, or a `black box' component. the {\fg} viewed as a single entity, or a `black box' component.
From the analysis of the {\fg} we can created a {\dc}, where the failure modes From the analysis of the {\fg} we can create a {\dc}, where the failure modes
are the symptoms of the {\fg} we derived it from. are the symptoms of the {\fg} we derived it from.
\paragraph{detectable and undetectable failure modes}
The symptoms will be detectable (like a value of of range) The symptoms will be detectable (like a value of of range)
or undetectable (like a logic state or value being incorrect). or undetectable (like a logic state or value being incorrect).
The `undetectable' failure modes are the most worrying for the safety critical designer. The `undetectable' failure modes are the most worrying for the safety critical designer.
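Review bot: The "Overview of FMMD Methodology" paragraph announces a four stage process but the list that follows does not match the prose after it: it enumerates collection into {\fg}s, analysis of failure mode behaviour, viewing that behaviour as symptoms, and collecting common symptoms, while the creation of the {\dc} from those symptoms (described two sentences later as the result of the analysis) is not counted as a stage. Either fold "the common symptoms are then collected" and "create a {\dc}" into one final stage, or call it a five stage process. The same "undetecable" and "its is a design aide" typos from the abstract are duplicated here in the introduction and should be fixed in both places, and "like a value of of range" under the detectable/undetectable paragraph should read "like a value out of range". Minor: the new \paragraph heading "detectable and undetectable failure modes" is lowercase while "Overview of FMMD Methodology" is title case; pick one convention.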
@ -46,14 +56,19 @@ For instance, out of range values, we know we can cope with; they
are an obvious error condition that will be detected by any modules are an obvious error condition that will be detected by any modules
using the {\dc}. An undetecable failure mode will introduce using the {\dc}. An undetecable failure mode will introduce
errors into a SYSTEM. errors into a SYSTEM.
\paragraph{dormant faults} A dormant fault is one
which can manifest its-self in conjuction with
another failure mode becoming active, or an environmental
condition changing (for instance temperature). Some
component failure modes may lead to dormant failure modes.
\subsection{Iterative Design} \subsection{Iterative Design Example}
By applying FMMD analysis to a {\fg} we can determine which failure By applying FMMD analysis to a {\fg} we can determine which failure
modes of a {\dc} are detectable, and which are undetectable. modes of a {\dc} are undetectable or dormant.
We can then either modify the circuit and iteratively We can then either modify the circuit and iteratively
apply FMMD to the design again, or we could add another {\fg} apply FMMD to the design again, or we could add another {\fg}
that specifically tests for the undetectable conditions. that specifically tests for the undetectable/dormant conditions.
This This
\ifthenelse {\boolean{paper}} \ifthenelse {\boolean{paper}}
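Review bot: The new definition of a dormant fault is the key concept this commit introduces, but it is vague: "A dormant fault is one which can manifest its-self in conjuction with another failure mode becoming active" does not say that the fault has already occurred and is producing no symptom. Suggest stating that explicitly, for instance "A dormant fault is a failure that has occurred but produces no symptom until a second event, such as another failure mode becoming active or an environmental condition (for instance temperature) changing." Spelling in the same paragraph: "its-self" should be "itself" and "conjuction" should be "conjunction". The closing sentence "Some component failure modes may lead to dormant failure modes" adds nothing unless it says which ones or how; either give the example (the safety resistor later in the chapter) or drop it. Unchanged context on this hunk also has "undetecable failure mode", which is worth fixing while the file is open.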
@ -65,7 +80,7 @@ chapter
} }
describes a milli-volt amplifier (see R18 in figure \ref{fig:mv1}), with an inbuilt safety\footnote{The `safety resistor' also acts describes a milli-volt amplifier (see R18 in figure \ref{fig:mv1}), with an inbuilt safety\footnote{The `safety resistor' also acts
as a potential divider to provide a mill-volt offset. An offset is often required to allow for negative readings form the as a potential divider to provide a mill-volt offset. An offset is often required to allow for negative readings form the
milli-volt source being read} milli-volt source.}
resistor. The circuit is analysed and it is found that all but one component failure modes resistor. The circuit is analysed and it is found that all but one component failure modes
are detectable. are detectable.
We then design a circuit to test for the `undetectable' failure mode We then design a circuit to test for the `undetectable' failure mode
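Review bot: The footnote text changed here still has "mill-volt offset" (should be "milli-volt") and "negative readings form the" (should be "from the"). Unchanged context in the same hunk has a number agreement error: "all but one component failure modes are detectable" should be "all but one component failure mode is detectable". Also, since this hunk now talks about the safety resistor, it is a good place to connect it to the dormant fault definition added above: say whether the one undetectable mode found is merely undetectable or also dormant in the sense just defined, because the two terms are used interchangeably in the subsection that follows.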
@ -86,8 +101,8 @@ We then analsye the {\fg} and the resultant {\dc} failure modes are discussed.
This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$). This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$).
An offset is applied to the input by R18 and R22 forming a potential divider An offset is applied to the input by R18 and R22 forming a potential divider
of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of 1.86mV. of $\frac{820}{2.2E6+820}$. With 5V applied as Vcc this gives an input offset of $1.86\,mV$.
So the amplified offset is $\approx 342mV$. We can determine the output of the amplifier So the amplified offset is $\approx 342 \, mV$. We can determine the output of the amplifier
by subtracting this amount from the reading. We can also define an acceptable by subtracting this amount from the reading. We can also define an acceptable
range for the readings. This would depend on the milli-volt source, and also on the range for the readings. This would depend on the milli-volt source, and also on the
detectability of the error volatges. detectability of the error volatges.
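Review bot: The new math-mode units in this hunk, `$1.86\,mV$` and `$\approx 342 \, mV$`, typeset "mV" in math italic as a product of variables; use `$1.86\,\mathrm{mV}$` (or the siunitx package) so the unit is upright and consistent with the "1.86mV" that remains in plain text later in the file. The arithmetic checks out: $\frac{150E3}{820}+1 \approx 184$, $5 \times \frac{820}{2.2E6+820} \approx 1.86\,\mathrm{mV}$, and $184 \times 1.86 \approx 342\,\mathrm{mV}$. The sentence "We can determine the output of the amplifier by subtracting this amount from the reading" is backwards: the output is the reading; what subtracting the amplified offset yields is the true input signal. Suggest "We recover the input signal by subtracting the amplified offset from the output reading." Unchanged context: "volatges" should be "voltages", and the hunk header line has "analsye" for "analyse".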
@ -100,19 +115,19 @@ EXPAND
\begin{table}[h+] \begin{table}[h+]
\caption{Milli Volt Amplifier // Single Fault FMMD} % title of Table \caption{Milli Volt Amplifier Single Fault FMMD} % title of Table
\centering % used for centering table \centering % used for centering table
\begin{tabular}{||l|c|c|l|l||} \begin{tabular}{||l|c|l|c||}
\hline \hline \hline \hline
\textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\ \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\
\textbf{Case} & \textbf{mode} & \textbf{ } & \textbf{per $10^9$ hours of operation} \\ \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description % R & wire & res + & res - & description
\hline \hline
\hline \hline
TC:1 $R18$ SHORT & Amp plus input high & Out of range & 1.38 \\ \hline TC:1 $R18$ SHORT & Amp plus input high & Out of range & 1.38 \\ \hline
TC:2 $R18$ OPEN & No Offset Voltage & Low reading & 12.42\\ \hline TC:2 $R18$ OPEN & No Offset Voltage & \textbf{Low reading} & 12.42\\ \hline
\hline \hline
TC:3 $R22$ SHORT & No offset voltage & Low reading & 1.38 \\ \hline TC:3 $R22$ SHORT & No offset voltage & \textbf{Low reading} & 1.38 \\ \hline
TC:4 $R22$ OPEN & Amp plus high input & Out of Range & 1.38 \\ \hline TC:4 $R22$ OPEN & Amp plus high input & Out of Range & 1.38 \\ \hline
\hline \hline
TC:5 $R26$ SHORT & No gain from amp & Out of Range & 1.38 \\ TC:5 $R26$ SHORT & No gain from amp & Out of Range & 1.38 \\
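Review bot: Commenting out "per $10^9$ hours of operation" in the MTTF header leaves a column of bare numbers with no unit, and the numbers (1.38, 12.42) are failures per $10^9$ hours, i.e. failure rates in FIT, not mean times to failure; MTTF would be the reciprocal. Suggest renaming the column "Failure rate" and restoring the unit, for example `\textbf{Failure rate} \\ \textbf{(per $10^9$ h)} \\`, rather than dropping it to save width. The change of the tabular spec from `||l|c|c|l|l||` (five columns) to `||l|c|l|c||` matches the four `&`-separated fields per row, so that part is correct; but `\begin{table}[h+]` is not a valid float placement (LaTeX reports an unknown float option for `+`), use `[ht]` or `[htbp]`. The bold on "Low reading" for TC:2 and TC:3 is the undetectable symptom the chapter argues about, so it deserves a sentence in the caption or text saying why those cells are emphasised.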
@ -134,7 +149,7 @@ Typically this type of circuit would be used to read a thermocouple
and this erro symptom, "LOW READING" would mean our plant could and this erro symptom, "LOW READING" would mean our plant could
beleive that the temperature reading is lower than it actually is. beleive that the temperature reading is lower than it actually is.
To take an example from a K type thermocouple, the offset of 1.86mV To take an example from a K type thermocouple, the offset of 1.86mV
from the potential divider represents about 46oC. from the potential divider represents amplified to $\approx \, 342mV$ would represent $\approx \; 46\,^{\circ}{\rm C}$.
\subsection{Undetected Failure Mode: Incorrect Reading} \subsection{Undetected Failure Mode: Incorrect Reading}
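Review bot: The rewritten sentence in this hunk is ungrammatical and mixes up the two quantities: "the offset of 1.86mV from the potential divider represents amplified to $\approx \, 342mV$ would represent $\approx \; 46\,^{\circ}{\rm C}$". The leftover "represents" should go, and the temperature equivalence belongs to the 1.86 mV at the thermocouple input (for a type K thermocouple 1.86 mV corresponds to about 46 °C with a 0 °C reference junction), not to the 342 mV at the amplifier output. Suggest: "the 1.86 mV offset from the potential divider (342 mV after amplification) is equivalent to $\approx 46\,^{\circ}\mathrm{C}$ of thermocouple signal, so losing the offset would make the plant read about 46 °C low." Unchanged context in the same hunk has "erro" for "error" and "beleive" for "believe".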