robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Tidy up before hitting anti virus on the XP partition

Browse Source
This commit is contained in:
Robin 2010-04-05 18:46:28 +01:00
parent 925cd86b84
commit 4d63e507a7
31 changed files with 13 additions and 26816 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
burner/Makefile
View File

@ -14,4 +14,4 @@ paper: paper.tex burner_paper.tex
# Remove the need for referncing graphics in subdirectories # Remove the need for referncing graphics in subdirectories
# #
burner_paper.tex: burner.tex burner_paper.tex: burner.tex
cat burner.tex | sed 's/burner\///' > paper.tex cat burner.tex | sed 's/burner\///' > burner_paper.tex

9
burner/burner.tex~
View File

@ -1,9 +0,0 @@
%
% Make the revision and doc number macro's then they are defined in one place
\begin{abstract}
\end{abstract}
\section{Overview of A Burner Controller : Safety Perspective}

2
burner/papaer.tex
View File

@ -1,2 +0,0 @@
:e paper.tex

53
burner/paper.aux
View File

@ -1,53 +0,0 @@
\relax
\citation{aoe}
\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces PT100 four wire circuit}}{1}}
\newlabel{fig:pt100}{{1}{1}}
\@writefile{toc}{\contentsline {section}{\numberline {1}Overview of PT100 four wire circuit}{1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Accuracy despite variable \\ resistance in cables}{1}}
\citation{eurothermtables}
\citation{mil1991}
\citation{mil1991}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces PT100 expected voltage ranges}}{2}}
\newlabel{fig:pt100vrange}{{2}{2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.2}Calculating Temperature from \\ the sense line voltages}{2}}
\@writefile{toc}{\contentsline {section}{\numberline {2}Safety case for 4 wire circuit}{2}}
\citation{aoe}
\citation{eurothermtables}
\citation{eurothermtables}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Single Fault FMEA Analysis \\ of PT100 Four wire circuit}{3}}
\newlabel{fmea}{{2.1}{3}}
\@writefile{lot}{\contentsline {table}{\numberline {1}{\ignorespaces PT100 FMEA Single Faults}}{3}}
\newlabel{ptfmea}{{1}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Range and PT100 Calculations}{3}}
\newlabel{pt100temp}{{2.2}{3}}
\@writefile{lot}{\contentsline {table}{\numberline {2}{\ignorespaces PT100 Maximum and Minimum Values}}{4}}
\newlabel{ptbounds}{{2}{4}}
\@writefile{toc}{\contentsline {section}{\numberline {3}Single Fault FMEA Analysis \\ of PT100 Four wire circuit}{4}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Single Fault Modes as PLD}{4}}
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces PT100 Component Failure Modes}}{4}}
\newlabel{fig:pt100_tc}{{3}{4}}
\@writefile{lof}{\contentsline {figure}{\numberline {4}{\ignorespaces Voltage Divider}}{5}}
\newlabel{fig:vd}{{4}{5}}
\newlabel{eqn:vd}{{1}{5}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Proof of Out of Range \\ Values for Failures}{5}}
\newlabel{pt110range}{{3.2}{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.1} TC1 : Voltages $R_1$ SHORT }{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.2} TC2 : Voltages $R_1$ OPEN }{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.3} TC 3 : Voltages $R_2$ SHORT }{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.4} TC : 4 Voltages $R_2$ OPEN }{6}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.5} TC 5 : Voltages $R_3$ SHORT }{6}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.6} TC 6 : Voltages $R_3$ OPEN }{6}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Summary of Analysis}{6}}
\@writefile{lof}{\contentsline {figure}{\numberline {5}{\ignorespaces PT100 Component Failure Modes}}{7}}
\newlabel{fig:pt100_tc_sp}{{5}{7}}
\@writefile{lof}{\contentsline {figure}{\numberline {6}{\ignorespaces PT100 Circuit Failure Modes : From Single Faults Analysis}}{7}}
\newlabel{fig:pt100_singlef}{{6}{7}}
\citation{mil1991}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Mean Time to Failure}{8}}
\@writefile{lot}{\contentsline {table}{\numberline {3}{\ignorespaces PT100 FMEA Single // Fault Statistics}}{8}}
\newlabel{tab:stat_single}{{3}{8}}
\@writefile{lof}{\contentsline {figure}{\numberline {7}{\ignorespaces Probablistic Fault Tree : PT100 Single Faults}}{9}}
\newlabel{fig:stat_single}{{7}{9}}
\bibstyle{plain}
\bibdata{vmgbibliography,mybib}
\@writefile{toc}{\contentsline {section}{\numberline {4} PT100 Double Simultaneous \\ Fault Analysis}{10}}

555
burner/paper.log
View File

@ -1,555 +0,0 @@
This is pdfTeXk, Version 3.141592-1.40.3 (Web2C 7.5.6) (format=pdflatex 2010.2.1) 1 APR 2010 18:16
entering extended mode
%&-line parsing enabled.
**paper.tex
(./paper.tex
LaTeX2e <2005/12/01>
Babel <v3.8h> and hyphenation patterns for english, usenglishmax, dumylang, noh
yphenation, loaded.
(/usr/share/texmf-texlive/tex/latex/base/article.cls
Document Class: article 2005/09/16 v1.4f Standard LaTeX document class
(/usr/share/texmf-texlive/tex/latex/base/size10.clo
File: size10.clo 2005/09/16 v1.4f Standard LaTeX file (size option)
)
\c@part=\count79
\c@section=\count80
\c@subsection=\count81
\c@subsubsection=\count82
\c@paragraph=\count83
\c@subparagraph=\count84
\c@figure=\count85
\c@table=\count86
\abovecaptionskip=\skip41
\belowcaptionskip=\skip42
\bibindent=\dimen102
)
(/usr/share/texmf-texlive/tex/latex/graphics/graphicx.sty
Package: graphicx 1999/02/16 v1.0f Enhanced LaTeX Graphics (DPC,SPQR)
(/usr/share/texmf-texlive/tex/latex/graphics/keyval.sty
Package: keyval 1999/03/16 v1.13 key=value parser (DPC)
\KV@toks@=\toks14
)
(/usr/share/texmf-texlive/tex/latex/graphics/graphics.sty
Package: graphics 2006/02/20 v1.0o Standard LaTeX Graphics (DPC,SPQR)
(/usr/share/texmf-texlive/tex/latex/graphics/trig.sty
Package: trig 1999/03/16 v1.09 sin cos tan (DPC)
)
(/etc/texmf/tex/latex/config/graphics.cfg
File: graphics.cfg 2007/01/18 v1.5 graphics configuration of teTeX/TeXLive
)
Package graphics Info: Driver file: pdftex.def on input line 90.
(/usr/share/texmf-texlive/tex/latex/pdftex-def/pdftex.def
File: pdftex.def 2007/01/08 v0.04d Graphics/color for pdfTeX
\Gread@gobject=\count87
))
\Gin@req@height=\dimen103
\Gin@req@width=\dimen104
)
(/usr/share/texmf-texlive/tex/latex/fancyhdr/fancyhdr.sty
\fancy@headwidth=\skip43
\f@ncyO@elh=\skip44
\f@ncyO@erh=\skip45
\f@ncyO@olh=\skip46
\f@ncyO@orh=\skip47
\f@ncyO@elf=\skip48
\f@ncyO@erf=\skip49
\f@ncyO@olf=\skip50
\f@ncyO@orf=\skip51
)
(/usr/share/texmf/tex/latex/pgf/frontendlayer/tikz.sty
(/usr/share/texmf/tex/latex/pgf/basiclayer/pgf.sty
(/usr/share/texmf/tex/latex/pgf/utilities/pgfrcs.sty
(/usr/share/texmf/tex/generic/pgf/utilities/pgfutil-common.tex
\pgfutil@everybye=\toks15
)
(/usr/share/texmf/tex/generic/pgf/utilities/pgfutil-latex.def)
(/usr/share/texmf/tex/generic/pgf/utilities/pgfrcs.code.tex
Package: pgfrcs 2008/02/20 v2.00 (rcs-revision 1.21)
))
Package: pgf 2008/01/15 v2.00 (rcs-revision 1.12)
(/usr/share/texmf/tex/latex/pgf/basiclayer/pgfcore.sty
(/usr/share/texmf/tex/latex/pgf/systemlayer/pgfsys.sty
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsys.code.tex
Package: pgfsys 2008/02/07 v2.00 (rcs-revision 1.31)
(/usr/share/texmf/tex/generic/pgf/utilities/pgfkeys.code.tex
\pgfkeys@pathtoks=\toks16
\pgfkeys@temptoks=\toks17
)
\pgf@x=\dimen105
\pgf@y=\dimen106
\pgf@xa=\dimen107
\pgf@ya=\dimen108
\pgf@xb=\dimen109
\pgf@yb=\dimen110
\pgf@xc=\dimen111
\pgf@yc=\dimen112
\c@pgf@counta=\count88
\c@pgf@countb=\count89
\c@pgf@countc=\count90
\c@pgf@countd=\count91
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgf.cfg
File: pgf.cfg 2008/01/13 (rcs-revision 1.6)
)
Package pgfsys Info: Driver file for pgf: pgfsys-pdftex.def on input line 885.
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsys-pdftex.def
File: pgfsys-pdftex.def 2007/12/20 (rcs-revision 1.20)
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsys-common-pdf.def
File: pgfsys-common-pdf.def 2007/12/17 (rcs-revision 1.8)
)))
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
File: pgfsyssoftpath.code.tex 2008/01/23 (rcs-revision 1.6)
\pgfsyssoftpath@smallbuffer@items=\count92
\pgfsyssoftpath@bigbuffer@items=\count93
)
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
File: pgfsysprotocol.code.tex 2006/10/16 (rcs-revision 1.4)
))
(/usr/share/texmf/tex/latex/xcolor/xcolor.sty
Package: xcolor 2007/01/21 v2.11 LaTeX color extensions (UK)
(/etc/texmf/tex/latex/config/color.cfg
File: color.cfg 2007/01/18 v1.5 color configuration of teTeX/TeXLive
)
Package xcolor Info: Driver file: pdftex.def on input line 225.
Package xcolor Info: Model `cmy' substituted by `cmy0' on input line 1337.
Package xcolor Info: Model `hsb' substituted by `rgb' on input line 1341.
Package xcolor Info: Model `RGB' extended on input line 1353.
Package xcolor Info: Model `HTML' substituted by `rgb' on input line 1355.
Package xcolor Info: Model `Hsb' substituted by `hsb' on input line 1356.
Package xcolor Info: Model `tHsb' substituted by `hsb' on input line 1357.
Package xcolor Info: Model `HSB' substituted by `hsb' on input line 1358.
Package xcolor Info: Model `Gray' substituted by `gray' on input line 1359.
Package xcolor Info: Model `wave' substituted by `hsb' on input line 1360.
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcore.code.tex
Package: pgfcore 2008/01/15 v2.00 (rcs-revision 1.6)
(/usr/share/texmf/tex/generic/pgf/math/pgfmath.code.tex
(/usr/share/texmf/tex/generic/pgf/math/pgfmathcalc.code.tex
(/usr/share/texmf/tex/generic/pgf/math/pgfmathutil.code.tex
\pgfmath@box=\box26
)
(/usr/share/texmf/tex/generic/pgf/math/pgfmathparser.code.tex
\pgfmath@stack=\toks18
\c@pgfmath@parsecounta=\count94
\c@pgfmath@parsecountb=\count95
\c@pgfmath@parsecountc=\count96
\pgfmath@parsex=\dimen113
)
(/usr/share/texmf/tex/generic/pgf/math/pgfmathoperations.code.tex
(/usr/share/texmf/tex/generic/pgf/math/pgfmathtrig.code.tex)
(/usr/share/texmf/tex/generic/pgf/math/pgfmathrnd.code.tex))
(/usr/share/texmf/tex/generic/pgf/math/pgfmathbase.code.tex)))
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepoints.code.tex
File: pgfcorepoints.code.tex 2008/02/03 (rcs-revision 1.13)
\pgf@picminx=\dimen114
\pgf@picmaxx=\dimen115
\pgf@picminy=\dimen116
\pgf@picmaxy=\dimen117
\pgf@pathminx=\dimen118
\pgf@pathmaxx=\dimen119
\pgf@pathminy=\dimen120
\pgf@pathmaxy=\dimen121
\pgf@xx=\dimen122
\pgf@xy=\dimen123
\pgf@yx=\dimen124
\pgf@yy=\dimen125
\pgf@zx=\dimen126
\pgf@zy=\dimen127
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepathconstruct.code.tex
File: pgfcorepathconstruct.code.tex 2008/02/13 (rcs-revision 1.14)
\pgf@path@lastx=\dimen128
\pgf@path@lasty=\dimen129
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepathusage.code.tex
File: pgfcorepathusage.code.tex 2008/01/23 (rcs-revision 1.11)
\pgf@shorten@end@additional=\dimen130
\pgf@shorten@start@additional=\dimen131
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorescopes.code.tex
File: pgfcorescopes.code.tex 2008/01/15 (rcs-revision 1.26)
\pgfpic=\box27
\pgf@hbox=\box28
\pgf@layerbox@main=\box29
\pgf@picture@serial@count=\count97
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoregraphicstate.code.tex
File: pgfcoregraphicstate.code.tex 2007/12/12 (rcs-revision 1.8)
\pgflinewidth=\dimen132
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoretransformations.code.tex
File: pgfcoretransformations.code.tex 2008/02/04 (rcs-revision 1.10)
\pgf@pt@x=\dimen133
\pgf@pt@y=\dimen134
\pgf@pt@temp=\dimen135
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorequick.code.tex
File: pgfcorequick.code.tex 2006/10/11 (rcs-revision 1.2)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoreobjects.code.tex
File: pgfcoreobjects.code.tex 2006/10/11 (rcs-revision 1.2)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepathprocessing.code.tex
File: pgfcorepathprocessing.code.tex 2008/01/23 (rcs-revision 1.7)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorearrows.code.tex
File: pgfcorearrows.code.tex 2007/06/07 (rcs-revision 1.8)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoreshade.code.tex
File: pgfcoreshade.code.tex 2007/12/10 (rcs-revision 1.9)
\pgf@max=\dimen136
\pgf@sys@shading@range@num=\count98
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoreimage.code.tex
File: pgfcoreimage.code.tex 2008/01/15 (rcs-revision 1.1)
\pgfexternal@startupbox=\box30
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorelayers.code.tex
File: pgfcorelayers.code.tex 2008/01/15 (rcs-revision 1.1)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoretransparency.code.tex
File: pgfcoretransparency.code.tex 2008/01/17 (rcs-revision 1.2)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepatterns.code.tex
File: pgfcorepatterns.code.tex 2008/01/15 (rcs-revision 1.1)
)))
(/usr/share/texmf/tex/generic/pgf/modules/pgfmoduleshapes.code.tex
File: pgfmoduleshapes.code.tex 2008/02/13 (rcs-revision 1.4)
\pgfnodeparttextbox=\box31
\toks@savedmacro=\toks19
)
(/usr/share/texmf/tex/generic/pgf/modules/pgfmoduleplot.code.tex
File: pgfmoduleplot.code.tex 2008/01/15 (rcs-revision 1.1)
\pgf@plotwrite=\write3
)
(/usr/share/texmf/tex/latex/pgf/compatibility/pgfcomp-version-0-65.sty
Package: pgfcomp-version-0-65 2007/07/03 v2.00 (rcs-revision 1.7)
\pgf@nodesepstart=\dimen137
\pgf@nodesepend=\dimen138
)
(/usr/share/texmf/tex/latex/pgf/compatibility/pgfcomp-version-1-18.sty
Package: pgfcomp-version-1-18 2007/07/23 v2.00 (rcs-revision 1.1)
))
(/usr/share/texmf/tex/latex/pgf/utilities/pgffor.sty
(/usr/share/texmf/tex/generic/pgf/utilities/pgffor.code.tex
Package: pgffor 2007/11/07 v2.00 (rcs-revision 1.8)
\pgffor@iter=\dimen139
\pgffor@skip=\dimen140
))
(/usr/share/texmf/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
Package: tikz 2008/02/13 v2.00 (rcs-revision 1.27)
(/usr/share/texmf/tex/generic/pgf/libraries/pgflibraryplothandlers.code.tex
File: pgflibraryplothandlers.code.tex 2007/03/09 v2.00 (rcs-revision 1.9)
\pgf@plot@mark@count=\count99
\pgfplotmarksize=\dimen141
)
\tikz@lastx=\dimen142
\tikz@lasty=\dimen143
\tikz@lastxsaved=\dimen144
\tikz@lastysaved=\dimen145
\tikzleveldistance=\dimen146
\tikzsiblingdistance=\dimen147
\tikz@figbox=\box32
\tikz@tempbox=\box33
\tikztreelevel=\count100
\tikznumberofchildren=\count101
\tikznumberofcurrentchild=\count102
\tikz@fig@count=\count103
(/usr/share/texmf/tex/generic/pgf/modules/pgfmodulematrix.code.tex
File: pgfmodulematrix.code.tex 2008/01/15 (rcs-revision 1.1)
\pgfmatrixcurrentrow=\count104
\pgfmatrixcurrentcolumn=\count105
\pgf@matrix@numberofcolumns=\count106
)
\tikz@expandcount=\count107
(/usr/share/texmf/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarytopat
hs.code.tex
File: tikzlibrarytopaths.code.tex 2008/01/09 v2.00 (rcs-revision 1.1)
))) (/usr/share/texmf-texlive/tex/latex/amsfonts/amsfonts.sty
Package: amsfonts 2001/10/25 v2.2f
\@emptytoks=\toks20
\symAMSa=\mathgroup4
\symAMSb=\mathgroup5
LaTeX Font Info: Overwriting math alphabet `\mathfrak' in version `bold'
(Font) U/euf/m/n --> U/euf/b/n on input line 132.
)
(/usr/share/texmf-texlive/tex/latex/amsmath/amsmath.sty
Package: amsmath 2000/07/18 v2.13 AMS math features
\@mathmargin=\skip52
For additional information on amsmath, use the `?' option.
(/usr/share/texmf-texlive/tex/latex/amsmath/amstext.sty
Package: amstext 2000/06/29 v2.01
(/usr/share/texmf-texlive/tex/latex/amsmath/amsgen.sty
File: amsgen.sty 1999/11/30 v2.0
\@emptytoks=\toks21
\ex@=\dimen148
))
(/usr/share/texmf-texlive/tex/latex/amsmath/amsbsy.sty
Package: amsbsy 1999/11/29 v1.2d
\pmbraise@=\dimen149
)
(/usr/share/texmf-texlive/tex/latex/amsmath/amsopn.sty
Package: amsopn 1999/12/14 v2.01 operator names
)
\inf@bad=\count108
LaTeX Info: Redefining \frac on input line 211.
\uproot@=\count109
\leftroot@=\count110
LaTeX Info: Redefining \overline on input line 307.
\classnum@=\count111
\DOTSCASE@=\count112
LaTeX Info: Redefining \ldots on input line 379.
LaTeX Info: Redefining \dots on input line 382.
LaTeX Info: Redefining \cdots on input line 467.
\Mathstrutbox@=\box34
\strutbox@=\box35
\big@size=\dimen150
LaTeX Font Info: Redeclaring font encoding OML on input line 567.
LaTeX Font Info: Redeclaring font encoding OMS on input line 568.
\macc@depth=\count113
\c@MaxMatrixCols=\count114
\dotsspace@=\muskip10
\c@parentequation=\count115
\dspbrk@lvl=\count116
\tag@help=\toks22
\row@=\count117
\column@=\count118
\maxfields@=\count119
\andhelp@=\toks23
\eqnshift@=\dimen151
\alignsep@=\dimen152
\tagshift@=\dimen153
\tagwidth@=\dimen154
\totwidth@=\dimen155
\lineht@=\dimen156
\@envbody=\toks24
\multlinegap=\skip53
\multlinetaggap=\skip54
\mathdisplay@stack=\toks25
LaTeX Info: Redefining \[ on input line 2666.
LaTeX Info: Redefining \] on input line 2667.
)
(/usr/share/texmf-texlive/tex/latex/amscls/amsthm.sty
Package: amsthm 2004/08/06 v2.20
\thm@style=\toks26
\thm@bodyfont=\toks27
\thm@headfont=\toks28
\thm@notefont=\toks29
\thm@headpunct=\toks30
\thm@preskip=\skip55
\thm@postskip=\skip56
\thm@headsep=\skip57
\dth@everypar=\toks31
) (../style.tex
LaTeX Font Info: Redeclaring symbol font `AMSb' on input line 34.
LaTeX Font Info: Overwriting symbol font `AMSb' in version `normal'
(Font) U/msb/m/n --> U/msb/m/n on input line 34.
LaTeX Font Info: Overwriting symbol font `AMSb' in version `bold'
(Font) U/msb/m/n --> U/msb/m/n on input line 34.
\c@examplec=\count120
\c@definitionc=\count121
\c@summaryc=\count122
\c@example=\count123
\c@definition=\count124
)
(./paper.aux)
\openout1 = `paper.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
(/usr/share/texmf/tex/context/base/supp-pdf.tex
[Loading MPS to PDF converter (version 2006.09.02).]
\scratchcounter=\count125
\scratchdimen=\dimen157
\scratchbox=\box36
\nofMPsegments=\count126
\nofMParguments=\count127
\everyMPshowfont=\toks32
\MPscratchCnt=\count128
\MPscratchDim=\dimen158
\MPnumerator=\count129
\everyMPtoPDFconversion=\toks33
)
LaTeX Font Info: Try loading font information for U+msa on input line 20.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsa.fd
File: umsa.fd 2002/01/19 v2.2g AMS font definitions
)
LaTeX Font Info: Try loading font information for U+msb on input line 20.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsb.fd
File: umsb.fd 2002/01/19 v2.2g AMS font definitions
) (./pt100_paper.tex
LaTeX Warning: Citation `aoe' on page 1 undefined on input line 8.
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 28.
<./pt100.jpg, id=4, 721.69624pt x 172.645pt>
File: ./pt100.jpg Graphic file (type jpg)
<use ./pt100.jpg>
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 48.
<./vrange.jpg, id=5, 296.10625pt x 485.815pt>
File: ./vrange.jpg Graphic file (type jpg)
<use ./vrange.jpg>
LaTeX Warning: `h' float specifier changed to `ht'.
[1
{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map} <./pt100.jpg>]
LaTeX Warning: Citation `eurothermtables' on page 2 undefined on input line 83.
LaTeX Warning: Citation `mil1991' on page 2 undefined on input line 92.
LaTeX Warning: Citation `mil1991' on page 2 undefined on input line 108.
Package Fancyhdr Warning: \headheight is too small (12.0pt):
Make it at least 22.54448pt.
We now make it that large for the rest of the document.
This may cause the page layout to be inconsistent, however.
[2 <./vrange.jpg>]
LaTeX Warning: Reference `pt100range' on page 3 undefined on input line 152.
LaTeX Warning: Citation `aoe' on page 3 undefined on input line 160.
LaTeX Warning: Citation `eurothermtables' on page 3 undefined on input line 160
.
LaTeX Warning: Citation `eurothermtables' on page 3 undefined on input line 164
.
[3]
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 224.
<./pt100_tc.jpg, id=31, 519.9425pt x 366.36874pt>
File: ./pt100_tc.jpg Graphic file (type jpg)
<use ./pt100_tc.jpg>
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 239.
<./voltage_divider.png, id=32, 183.68625pt x 170.6375pt>
File: ./voltage_divider.png Graphic file (type png)
<use ./voltage_divider.png>
LaTeX Warning: `h' float specifier changed to `ht'.
[4 <./pt100_tc.jpg>] [5 <./voltage_divider.png>]
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 336.
<./pt100_tc_sp.jpg, id=40, 519.9425pt x 365.365pt>
File: ./pt100_tc_sp.jpg Graphic file (type jpg)
<use ./pt100_tc_sp.jpg>
LaTeX Warning: `h' float specifier changed to `ht'.
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 348.
<./pt100_singlef.jpg, id=41, 167.62625pt x 194.7275pt>
File: ./pt100_singlef.jpg Graphic file (type jpg)
<use ./pt100_singlef.jpg>
LaTeX Warning: `h' float specifier changed to `ht'.
[6] [7 <./pt100_tc_sp.jpg> <./pt100_singlef.jpg>]
LaTeX Warning: Citation `mil1991' on page 8 undefined on input line 362.
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 419.
<./stat_single.jpg, id=49, 859.21pt x 328.22626pt>
File: ./stat_single.jpg Graphic file (type jpg)
<use ./stat_single.jpg>
LaTeX Warning: `h' float specifier changed to `ht'.
[8
] [9 <./stat_single.jpg>])
No file paper.bbl.
[10
] (./paper.aux)
LaTeX Warning: There were undefined references.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
)
Here is how much of TeX's memory you used:
8241 strings out of 95086
138707 string characters out of 1183256
189938 words of memory out of 1500000
11225 multiletter control sequences out of 10000+50000
14073 words of font info for 54 fonts, out of 1200000 for 2000
28 hyphenation exceptions out of 8191
47i,12n,49p,350b,264s stack positions out of 5000i,500n,6000p,200000b,5000s
</usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmbx10.pfb></usr/share/texmf
-texlive/fonts/type1/bluesky/cm/cmbx12.pfb></usr/share/texmf-texlive/fonts/type
1/bluesky/cm/cmbx9.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmmi10.
pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmmi6.pfb></usr/share/texm
f-texlive/fonts/type1/bluesky/cm/cmmi7.pfb></usr/share/texmf-texlive/fonts/type
1/bluesky/cm/cmmi9.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmr10.p
fb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmr12.pfb></usr/share/texmf
-texlive/fonts/type1/bluesky/cm/cmr17.pfb></usr/share/texmf-texlive/fonts/type1
/bluesky/cm/cmr6.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmr7.pfb>
</usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmr8.pfb></usr/share/texmf-tex
live/fonts/type1/bluesky/cm/cmr9.pfb></usr/share/texmf-texlive/fonts/type1/blue
sky/cm/cmsl10.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmsy10.pfb><
/usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmti10.pfb>
Output written on paper.pdf (10 pages, 247678 bytes).
PDF statistics:
114 PDF objects out of 1000 (max. 8388607)
0 named destinations out of 1000 (max. 131072)
48 words of extra memory for PDF output out of 10000 (max. 10000000)

BIN
burner/paper.pdf
View File

Binary file not shown.

2
burner/paper.tex
View File

@ -18,7 +18,7 @@
\author{R.P.Clark} \author{R.P.Clark}
\title{PT100 FMMD analysis} \title{PT100 FMMD analysis}
\maketitle \maketitle
\input{pt100_paper} \input{burner_paper}
\bibliographystyle{plain} \bibliographystyle{plain}
\bibliography{vmgbibliography,mybib} \bibliography{vmgbibliography,mybib}

BIN
burner/pt100.dia~
View File

Binary file not shown.

12452
burner/pt100.log
View File

File diff suppressed because it is too large Load Diff

526
burner/pt100.tex.25MAR2010
View File

@ -1,526 +0,0 @@
%
% Make the revision and doc number macro's then they are defined in one place
\begin{abstract}
The PT100, or platinum wire \ohms{100} sensor is
a wisely used industrial temperature sensor that is
are slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This chapter looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double simultaneous faults (cardinality constrained powerset of 2).
The analysis is performed using Propositional Logic
diagrasms to assist the reasoning process.
This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole.
Thus after the analysis the PT100 temperature sensing circuit, may be veiwed
from an FMEA persepective as a component itsself, with a set of know failure modes.
\end{abstract}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./pt100/pt100.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 four wire circuit}
\label{fig:pt100}
\end{figure}
\section{Overview of PT100 four wire circuit}
The PT100 four wire circuit consists of two resistors supplying
a current to a third, the thermistor or PT100. By measuring volatges
from sections of this circuit forming potential dividers, we can determine the
current resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./pt100/vrange.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 expected voltage ranges}
\label{fig:pt100vrange}
\end{figure}
The voltage ranges we expect from from this three stage potential divider
are shown in figure \ref{fig:pt100vrange}. Note that there is
an expected range for each reading for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be reffered to as {\em sense-}
and the higher as {\em sense+}.
\subsection{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons a four wire circuit is preffered
because of resistance in the cables. Resitance from the supply
causes a slight voltage
drop in the supply to the PT100. As no significant current
is carried by the two `sense' lines the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate.
\subsection{Calculating Temperature from the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the PT100, we can calculate its
resistance by ohms law $V=I.R$, $R=\frac{I}{V}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published PT100 tables\cite{eurothermtables}.
\section{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the PT100 four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distict ways.
Studies have been published which list common component types
and their sets of failure modes, often with MTTF statistics \cite{mil1991}.
Thus for each component, an analysis is made for each of it failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\subsection{Single Fault FMEA Analysis of PT100 Four wire circuit}
\label{fmea}
This circuit simply consists of three resistors.
Resistors according to the DOD Electronic component fault handbook
1991, fail by either going OPEN or SHORT circuit \cite{mil1991}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of his analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault.
Should the reading be above its expected range this is a `High Fault'
and if below a `Low Fault'.
The Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range 0\oc to 300\oc will be analysed using potential divider equations to
determine out of range voltage limits in section \ref{ptbounds}.
\begin{table}[ht]
\caption{PT100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{pt100range}
and \ref{pt100temp}.
\pagebreak
% \subsection{Single Fault Modes as PLD}
%
% The component~failure~modes in table \ref{ptfmea} can be represented as contours
% on a PLD diagram. Each test case, or analysis into the effects of the component failure
% caused by the component~failure is represented by an labelled asterisk.
%
%
% \begin{figure}[h]
% \centering
% \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc.jpg}
% % pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
% \caption{PT100 Component Failure Modes}
% \label{fig:pt100_tc}
% \end{figure}
%
% This circuit supplies two results, sense+ and sense- voltage readings.
% To establish the valid voltage ranges for these, and knowing our
% valid tempperature range for this example ({0\oc} .. {300\oc}) we can calculate
% valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
% for the circuit shown in figure \ref{fig:vd}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./pt100/voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Range and PT100 Calculations}
\label{pt100temp}
PT100 resistors are designed to
have a resistance of ohms{100} at 0 \oc \cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm PT100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{60.28}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
PT100 FMEA analysis in section \ref{fmea}.
As the PT100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$
\begin{table}[ht]
\caption{PT100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{PT100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
%\vbox{
%\subsubsection{Calculating Bounds: High Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 + 2200 2200 + p + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\vbox{
%\subsubsection{Calculating Bounds: LOW Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 2200 p 2200 + + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\subsection{Implementation of Four Wire Circuit}
%
%A standard 4 wire PT100\cite[pp 992]{aoe} circuit is read by
%ports on the 12 bit ADC of the PIC18F2523\cite{pic18f2523}.
%Three readings are taken. A reading to confirm the voltage level
%over $R_2$ is taken,
%from which the current can be determined.
%The two sense lines then give the vo
\section{Single Fault FMEA Analysis of PT100 Four wire circuit}
\subsection{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram. Each test case, or analysis into the effects of the component failure
caused by the component~failure is represented by an labelled asterisk.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc}
\end{figure}
This circuit supplies two results, sense+ and sense- voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid tempperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in .
\subsection{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subsubsection{ TC1 : Voltages $R_1$ SHORT }
With pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+68\Omega} = 4.85V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC 4 : Voltages $R_2$ SHORT }
With pt100 at -100\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{68\Omega}{2k2+68\Omega} = 0.15V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC : 5 Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscibed range.
\subsubsection{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\subsubsection{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
A spider can be drawn on the PLD diagram to this effect.
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc_sp.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc_sp}
\end{figure}
The PT100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./pt100/pt100_singlef.jpg}
% pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{PT100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:pt100_singlef}
\end{figure}
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ???
The PT100 analysis presents a simple result for single faults.
% OK we can look at stats here.
% the probabilities of the faults occurring in failures per billion hours
% of operation.
\subsection{Statistical MTTF for the PT100 circuit}
Mil1991\cite{mil1991} gives a mean time to failure for a fixed film resistor
at up to 60oC at a low stress (current) level as
$$0.00092 . 1.0 . 15 . 1.0 . 1000$$
13.8 failure per billion hours of operation.
RAC \cite{rac} states that a resistor will fail 9/10 OPEN and 1/10 SHORT.
So 13.8 - 1.38 OPEN
1.38 SHORT
MILL 1991 gives Thermisitors, bead $$0.21 15 1.0 1000$$
3150 failures per billion hours of operation.
Again we can apply the RAC division of resistor errors.
We can now see the six error types and see a statistical
prediction of which will occur. We can also
determine the reliability of the circuit as a whole.
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.
% typeset in {\Huge \LaTeX} \today
%
%\begin{table}[ht]
%\caption{PT100 Maximum and Minimum Values} % title of Table
%\centering % used for centering table
%\begin{tabular}{||c|c|c|l|l||}
%\hline \hline
% \textbf{Temperature} & \textbf{PT100 resistance} &
%\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
%\hline
%% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
%% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
% {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
% & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
% {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
% & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
%\hline
%\end{tabular}
%\label{ptbounds}
%\end{table}
%
\begin{table}[ht]
\caption{PT100 FMEA Single Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|c||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & 12.42 \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & 1.38 \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & 2835 \\ \hline
$R_3$ OPEN & High Fault & Low Fault & 315 \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & 12.42 \\
$R_2$ OPEN & High Fault & High Fault & 1.38 \\ \hline
\hline
\end{tabular}
\label{pt100_single_stats}
\end{table}
The ciruit overall has a MTTF of (13.8*2 + 3150) 3177.6
Failure in Time FIT\footnote{FIT values are measured as failures per billion ($10^9$) hours of operation}.
This gives an individual pt100 circuit of this type an MTTF of around 39 years.
Interestingly though we can now look at the results of our analysis
as a probablistic tree see figure \ref{fig:stat_single}. We can see the overall
reliability of the circuit
and we can see the most likely fault (the thermisitor going OPEN circuit).
The circuit is 8 times more likely to fail in this way than in any other.
Were we to need a more reliable temperature sensor this would probably
be the component area we would scrutinise first.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 856 328,keepaspectratio=true]{./stat_single.jpg}
% stat_single.jpg: 856x328 pixel, 72dpi, 30.20x11.57 cm, bb=0 0 856 328
\caption{Probablistic Tree}
\label{fig:stat_single}
\end{figure}
\clearpage
\section{ PT100 Double Simultaneous Fault Analysis}

412
burner/pt100.tex.backup
View File

@ -1,412 +0,0 @@
%
% Make the revision and doc number macro's then they are defined in one place
\begin{abstract}
The PT100, or platinum wire \ohms{100} sensor is
a wisely used industrial temperature sensor that is
are slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This chapter looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double simultaneous faults (cardinality constrained powerset of 2).
The analysis is performed using Propositional Logic
diagrasms to assist the reasoning process.
This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole.
Thus after the analysis the PT100 temperature sensing circuit, may be veiwed
from an FMEA persepective as a component itsself, with a set of know failure modes.
\end{abstract}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./pt100/pt100.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 four wire circuit}
\label{fig:pt100}
\end{figure}
\section{Overview of PT100 four wire circuit}
The PT100 four wire circuit consists of two resistors supplying
a current to a third, the thermistor or PT100. By measuring volatges
from sections of this circuit forming potential dividers, we can determine the
current resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./pt100/vrange.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 expected voltage ranges}
\label{fig:pt100vrange}
\end{figure}
The voltage ranges we expect from from this three stage potential divider
are shown in figure \ref{fig:pt100vrange}. Note that there is
an expected range for each reading for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be reffered to as {\em sense-}
and the higher as {\em sense+}.
\subsection{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons a four wire circuit is preffered
because of resistance in the cables. Resitance from the supply
causes a slight voltage
drop in the supply to the PT100. As no significant current
is carried by the two `sense' lines the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate.
\subsection{Calculating Temperature from the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the PT100, we can calculate its
resistance by ohms law $V=I.R$, $R=\frac{I}{V}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published PT100 tables\cite{eurothermtables}.
\section{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the PT100 four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distict ways.
Studies have been published which list common component types
and their sets of failure modes, often with MTTF statistics \cite{mil1991}.
Thus for each component, an analysis is made for each of it failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\subsection{Single Fault FMEA Analysis of PT100 Four wire circuit}
\label{fmea}
This circuit simply consists of three resistors.
Resistors according to the DOD Electronic component fault handbook
1991, fail by either going OPEN or SHORT circuit \cite{mil1991}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of his analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_p$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault.
Should the reading be above its expected range this is a `High Fault'
and if below a `Low Fault'.
The Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and predicts an error condition in the readings.
The range 0\oc to 300\oc will be analysed using potential divider equations to
to the out of range voltage limits in section \ref{ptbounds}.
\begin{table}[ht]
\caption{PT100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_p$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_p$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
will cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{pt100range}
and \ref{pt100temp}.
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
\pagebreak
\subsection{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram. Each test case, or analysis into the effects of the component failure
caused by the component~failure is represented by an labelled asterisk.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc}
\end{figure}
This circuit supplies two results, sense+ and sense- voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid tempperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./pt100/voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Range and PT100 Calculations}
\label{pt100temp}
PT100 resistors are designed to
have a resistance of ohms{100} at 0 \oc \cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm PT100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{60.28}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
PT100 FMEA analysis in section \ref{fmea}.
As the PT100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$
\begin{table}[ht]
\caption{PT100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{PT100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
%\vbox{
%\subsubsection{Calculating Bounds: High Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 + 2200 2200 + p + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\vbox{
%\subsubsection{Calculating Bounds: LOW Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 2200 p 2200 + + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\subsection{Implementation of Four Wire Circuit}
%
%A standard 4 wire PT100\cite[pp 992]{aoe} circuit is read by
%ports on the 12 bit ADC of the PIC18F2523\cite{pic18f2523}.
%Three readings are taken. A reading to confirm the voltage level
%over $R_2$ is taken,
%from which the current can be determined.
%The two sense lines then give the vo
\section{Single Fault FMEA Analysis of PT100 Four wire circuit}
\subsection{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram. Each test case, or analysis into the effects of the component failure
caused by the component~failure is represented by an labelled asterisk.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc}
\end{figure}
This circuit supplies two results, sense+ and sense- voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid tempperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in .
\subsection{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subsubsection{ TC1 : Voltages $R_1$ SHORT }
With pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+68\Omega} = 4.85V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC 4 : Voltages $R_2$ SHORT }
With pt100 at -100\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{68\Omega}{2k2+68\Omega} = 0.15V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC : 5 Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscibed range.
\subsubsection{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\subsubsection{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
A spider can be drawn on the PLD diagram to this effect.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc_sp.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc_sp}
\end{figure}
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ???
The PT100 analysis presents a simple result for single faults.
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.
\section{ PT100 Double Simultaneous Fault Analysis}
% typeset in {\Huge \LaTeX} \today

516
burner/pt100.tex~
View File

@ -1,516 +0,0 @@
%
% Make the revision and doc number macro's then they are defined in one place
\begin{abstract}
The PT100, or platinum wire \ohms{100} sensor is
a wisely used industrial temperature sensor that is
are slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This chapter looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double simultaneous faults (cardinality constrained powerset of 2).
The analysis is performed using Propositional Logic
diagrasms to assist the reasoning process.
This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole.
Thus after the analysis the PT100 temperature sensing circuit, may be veiwed
from an FMEA persepective as a component itsself, with a set of know failure modes.
\end{abstract}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./pt100/pt100.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 four wire circuit}
\label{fig:pt100}
\end{figure}
\section{Overview of PT100 four wire circuit}
The PT100 four wire circuit consists of two resistors supplying
a current to a third, the thermistor or PT100. By measuring volatges
from sections of this circuit forming potential dividers, we can determine the
current resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./pt100/vrange.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 expected voltage ranges}
\label{fig:pt100vrange}
\end{figure}
The voltage ranges we expect from from this three stage potential divider
are shown in figure \ref{fig:pt100vrange}. Note that there is
an expected range for each reading for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be reffered to as {\em sense-}
and the higher as {\em sense+}.
\subsection{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons a four wire circuit is preffered
because of resistance in the cables. Resitance from the supply
causes a slight voltage
drop in the supply to the PT100. As no significant current
is carried by the two `sense' lines the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate.
\subsection{Calculating Temperature from the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the PT100, we can calculate its
resistance by ohms law $V=I.R$, $R=\frac{I}{V}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published PT100 tables\cite{eurothermtables}.
\section{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the PT100 four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distict ways.
Studies have been published which list common component types
and their sets of failure modes, often with MTTF statistics \cite{mil1991}.
Thus for each component, an analysis is made for each of it failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\subsection{Single Fault FMEA Analysis of PT100 Four wire circuit}
\label{fmea}
This circuit simply consists of three resistors.
Resistors according to the DOD Electronic component fault handbook
1991, fail by either going OPEN or SHORT circuit \cite{mil1991}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of his analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault.
Should the reading be above its expected range this is a `High Fault'
and if below a `Low Fault'.
The Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range 0\oc to 300\oc will be analysed using potential divider equations to
determine out of range voltage limits in section \ref{ptbounds}.
\begin{table}[ht]
\caption{PT100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{pt100range}
and \ref{pt100temp}.
\pagebreak
% \subsection{Single Fault Modes as PLD}
%
% The component~failure~modes in table \ref{ptfmea} can be represented as contours
% on a PLD diagram. Each test case, or analysis into the effects of the component failure
% caused by the component~failure is represented by an labelled asterisk.
%
%
% \begin{figure}[h]
% \centering
% \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc.jpg}
% % pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
% \caption{PT100 Component Failure Modes}
% \label{fig:pt100_tc}
% \end{figure}
%
% This circuit supplies two results, sense+ and sense- voltage readings.
% To establish the valid voltage ranges for these, and knowing our
% valid tempperature range for this example ({0\oc} .. {300\oc}) we can calculate
% valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
% for the circuit shown in figure \ref{fig:vd}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./pt100/voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Range and PT100 Calculations}
\label{pt100temp}
PT100 resistors are designed to
have a resistance of ohms{100} at 0 \oc \cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm PT100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{60.28}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
PT100 FMEA analysis in section \ref{fmea}.
As the PT100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$
\begin{table}[ht]
\caption{PT100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{PT100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
%\vbox{
%\subsubsection{Calculating Bounds: High Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 + 2200 2200 + p + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\vbox{
%\subsubsection{Calculating Bounds: LOW Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 2200 p 2200 + + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\subsection{Implementation of Four Wire Circuit}
%
%A standard 4 wire PT100\cite[pp 992]{aoe} circuit is read by
%ports on the 12 bit ADC of the PIC18F2523\cite{pic18f2523}.
%Three readings are taken. A reading to confirm the voltage level
%over $R_2$ is taken,
%from which the current can be determined.
%The two sense lines then give the vo
\section{Single Fault FMEA Analysis of PT100 Four wire circuit}
\subsection{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram. Each test case, or analysis into the effects of the component failure
caused by the component~failure is represented by an labelled asterisk.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc}
\end{figure}
This circuit supplies two results, sense+ and sense- voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid tempperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in .
\subsection{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subsubsection{ TC1 : Voltages $R_1$ SHORT }
With pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+68\Omega} = 4.85V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC 4 : Voltages $R_2$ SHORT }
With pt100 at -100\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{68\Omega}{2k2+68\Omega} = 0.15V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC : 5 Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscibed range.
\subsubsection{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\subsubsection{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
A spider can be drawn on the PLD diagram to this effect.
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100/pt100_tc_sp.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc_sp}
\end{figure}
The PT100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./pt100/pt100_singlef.jpg}
% pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{PT100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:pt100_singlef}
\end{figure}
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ???
The PT100 analysis presents a simple result for single faults.
% OK we can look at stats here.
% the probabilities of the faults occurring in failures per billion hours
% of operation.
\subsection{Statistical MTTF for the PT100 circuit}
Mil1991\cite{mil1991} gives a mean time to failure for a fixed film resistor
at up to 60oC at a low stress (current) level as
$$0.00092 . 1.0 . 15 . 1.0 . 1000$$
13.8 failure per billion hours of operation.
RAC \cite{rac} states that a resistor will fail 9/10 OPEN and 1/10 SHORT.
So 13.8 - 1.38 OPEN
1.38 SHORT
MILL 1991 gives Thermisitors, bead $$0.21 15 1.0 1000$$
3150 failures per billion hours of operation.
Again we can apply the RAC division of resistor errors.
We can now see the six error types and see a statistical
prediction of which will occur. We can also
determine the reliability of the circuit as a whole.
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.
\section{ PT100 Double Simultaneous Fault Analysis}
% typeset in {\Huge \LaTeX} \today
%
%\begin{table}[ht]
%\caption{PT100 Maximum and Minimum Values} % title of Table
%\centering % used for centering table
%\begin{tabular}{||c|c|c|l|l||}
%\hline \hline
% \textbf{Temperature} & \textbf{PT100 resistance} &
%\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
%\hline
%% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
%% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
% {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
% & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
% {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
% & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
%\hline
%\end{tabular}
%\label{ptbounds}
%\end{table}
%
\begin{table}[ht]
\caption{PT100 FMEA Single Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|c||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & 12.42 \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & 1.38 \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & 2835 \\ \hline
$R_3$ OPEN & High Fault & Low Fault & 315 \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & 12.42 \\
$R_2$ OPEN & High Fault & High Fault & 1.38 \\ \hline
\hline
\end{tabular}
\label{pt100_single_stats}
\end{table}
The ciruit overall has a MTTF of (13.8*2 + 3150) 3177.6
per billion ($10^9$) hours of operation.
This gives an individual circuit a MTTF of around 39 years.
Interestingly though we can now look at the results of our analysis
as a probablistioc tree. We can see the overall reliability of the circuit
and we can see the most likely fault (the thermisitor going OPEN circuit).
The circuit is 8 times more likely to fail in this way than in any other.
Were we to need a more reliable temperature sensor this would probably
be the component area we would scrutinise first.

434
burner/pt100_paper.tex
View File

@ -1,434 +0,0 @@
%
% Make the revision and doc number macro's then they are defined in one place
\begin{abstract}
The PT100, or platinum wire \ohms{100} sensor is
a widely used industrial temperature sensor that is
slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This chapter looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double faults (cardinality constrained powerset of 2).
The analysis is performed using Propositional Logic
diagrams to assist the reasoning process.
This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole.
Thus after the analysis the PT100 temperature sensing circuit, may be veiwed
from an FMEA persepective as a component itself, with a set of known failure modes.
\end{abstract}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./pt100.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 four wire circuit}
\label{fig:pt100}
\end{figure}
\section{Overview of PT100 four wire circuit}
The PT100 four wire circuit uses two wires to supply small electrical current,
and returns two sense volages by the other two.
By measuring volatges
from sections of this circuit forming potential dividers, we can determine the
resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./vrange.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 expected voltage ranges}
\label{fig:pt100vrange}
\end{figure}
The voltage ranges we expect from this three stage potential divider
are shown in figure \ref{fig:pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be reffered to as {\em sense-}
and the higher as {\em sense+}.
\subsection{Accuracy despite variable \\ resistance in cables}
For electronic and accuracy reasons a four wire circuit is preffered
because of resistance in the cables. Resistance from the supply
causes a slight voltage
drop in the supply to the PT100. As no significant current
is carried by the two `sense' lines the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate.
\subsection{Calculating Temperature from \\ the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the PT100, we can calculate its
resistance by ohms law $V=I.R$, $R=\frac{V}{I}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published PT100 tables\cite{eurothermtables}.
\section{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the PT100 four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distinct ways.
Studies have been published which list common component types
and their sets of failure modes, often with MTTF statistics \cite{mil1991}.
Thus for each component, an analysis is made for each of it failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\subsection{Single Fault FMEA Analysis \\ of PT100 Four wire circuit}
\label{fmea}
This circuit simply consists of three resistors.
Resistors according to the DOD Electronic component fault handbook
1991, fail by either going OPEN or SHORT circuit \cite{mil1991}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault.
Should the reading be above its expected range this is a `High Fault'
and if below a `Low Fault'.
Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range {0\oc} to {300\oc} will be analysed using potential divider equations to
determine out of range voltage limits in section \ref{ptbounds}.
\begin{table}[ht]
\caption{PT100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{pt100range}
and \ref{pt100temp}.
\subsection{Range and PT100 Calculations}
\label{pt100temp}
PT100 resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm PT100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
PT100 FMEA analysis in section \ref{fmea}.
As the PT100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$
\begin{table}[ht]
\caption{PT100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{PT100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
\section{Single Fault FMEA Analysis \\ of PT100 Four wire circuit}
\subsection{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram.
Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only
and are thus enclosed by one contour each.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100_tc.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc}
\end{figure}
This circuit supplies two results, sense+ and sense- voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Proof of Out of Range \\ Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subsubsection{ TC1 : Voltages $R_1$ SHORT }
With pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC 3 : Voltages $R_2$ SHORT }
With pt100 at 0\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ TC : 4 Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range.
\subsubsection{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\subsubsection{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
A spider can be drawn on the PLD diagram to this effect.
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./pt100_tc_sp.jpg}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes}
\label{fig:pt100_tc_sp}
\end{figure}
The PT100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./pt100_singlef.jpg}
% pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{PT100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:pt100_singlef}
\end{figure}
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ???
\clearpage
\subsection{Mean Time to Failure}
Using the MIL1991\cite{mil1991} specifications for resistor and thermistor
failure statistics we calculate the reliability of this circuit.
MIL1991 gives MTTF for a wide range of common components.
It does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}.
FMD-97 Gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. This example
compromises and uses a 90:10 ratio, for resistor failure.
Thus for this example resistors are expevcted to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
temperatures up to 60\oc is given a probability of 13.8 failures per billion ($10^9$)
hours of operation. This figure is referred to as a FIT\footnote{FIT values are measured as the number of failures per billion hours of operation, (roughly 1.1 Million years). The smaller the FIT number the more reliable the fault~mode}, Failure in time.
A thermistor, bead type, non military spec is given a FIT of 3150.
Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
showing the FIT values for all faults considered.
\begin{table}[h+]
\caption{PT100 FMEA Single // Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline
\hline
TC:1 $R_1$ SHORT & High Fault & - & 12.42 \\ \hline
TC:2 $R_1$ OPEN & Low Fault & Low Fault & 1.38 \\ \hline
\hline
TC:3 $R_3$ SHORT & Low Fault & High Fault & 2835 \\ \hline
TC:4 $R_3$ OPEN & High Fault & Low Fault & 315 \\ \hline
\hline
TC:5 $R_2$ SHORT & - & Low Fault & 12.42 \\
TC:6 $R_2$ OPEN & High Fault & High Fault & 1.38 \\ \hline
\hline
\end{tabular}
\label{tab:stat_single}
\end{table}
The FIT for the circuit as a whole is the sum of MTTF values for all the
test cases. The PT100 circuit here has a FIT of 3177.6. This is a MTTF of
about 360 years per circuit.
A Probablistic tree can now be drawn, with a FIT value for the PT100
circuit and FIT values for all the component fault modes that it was calculated from.
We can see from this that that the most likely fault is the thermistor going OPEN.
This circuit is 8 times more likely to fail in this way than in any other.
Were we to need a more reliable temperature sensor this would probably
be the fault~mode we would scrutinise first.
\begin{figure}[h+]
\centering
\includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./stat_single.jpg}
% stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327
\caption{Probablistic Fault Tree : PT100 Single Faults}
\label{fig:stat_single}
\end{figure}
The PT100 analysis presents a simple result for single faults.
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.
\clearpage
\section{ PT100 Double Simultaneous \\ Fault Analysis}
% typeset in {\Huge \LaTeX} \today

BIN
burner/stat_single.dia~
View File

Binary file not shown.

BIN
burner/vrange.dia~
View File

Binary file not shown.

925
fmmdset/fmmdset_p.tex
View File

@ -1,925 +0,0 @@
% $Id: fmmdset.tex,v 1.7 2009/06/06 11:52:09 robin Exp $
%
\newcommand{\Fam}{{\mathbb F}}
\newcommand{\Pow}{{\mathbb P}}
\newcommand{\Dis}{{\vee}}
\newcommand{\Con}{{\wedge}}
\newcommand{\FMEA}{{\bowtie}}
%
\newcommand{\Nat}{{\mathbb N}}
\newcommand{\Real}{{\mathbb R}}
\newcommand{\Complex} {{\mathbb C}}
\newcommand{\Rational} {{\mathbb Q}}
%
%\newtheorem{theorem}{Thoeorem}
%
% \def\lastname{Clark}
% \begin{document}
% \begin{frontmatter}
% \title{ Failure Mode Modular De-Composition } \author{Robin Clark\thanksref{ALL}\thanksref{r.clark@energytechnologycontrol.com}}
% \address{ Energy Technology Control\\
% 25 North Street, Lewes, BN7 2PE, Great Britain}
\begin{abstract}
This chapter describes a process for analysing safety critical systems, to formally prove how safe the
designs and built -in safety measures are. It provides
the rigourous method for creating a fault effects model of a system from the bottom up using part level fault modes.
From the model fault trees,
modular re-usable sections of safety critical systems,
and accurate, statistical estimation for fault frequency can be derived automatically.
It provides the means to trace the causes of dangerous detected and dangerous undetected faults.
It is intended to be used to formally prove systems to meet EN and UL standards, including and not limited to
EN298, EN61508, EN12067, EN230, UL1998.
\end{abstract}
% \begin{keyword}
% fault~tree fault~mode EN298 EN61508 EN12067 EN230 UL1998 safety~critical
% \end{keyword}
% \end{frontmatter}
% \bibliographystyle{unsrt}
\section{Introduction}
%This paper describes the Failure Mode Modular de-Composition (FMMD) method.
% described here, models a safety critical system from the bottom up.
The purpose of the FMMD methodology is to apply formal techniques to
the assessment of safety critical designs, aiding in identifying detected and undetected faults
\footnote{Undetectabed faults
are faults which may occur but are not self~detected, or are impossible to detect by the system}.
Formal methods are just begining to be specified in some safety standards.\footnote{Formal methods
such as the Z notation appear as `highly recomended' techniques in the EN61508 standard, but
apply only to software currently}.However, some standards are now implying the handling of
simultaneous faults which complicates the scenario based approvals that are currently used.
% Some safety critical system assemesment criteria
%are statistical, and require a target failure rate per hour of operation be met \cite{EN61508}.
%Specific safety standards may apply criteria such as no single part failure in a system may lead to
%a dangerous fault.
There are two main philosophies in assessing safety critical systems.
One is to specify an acceptable level of dangerous faults per hour of operation\footnote{The probability of failure per hour (PFH)
is measured in failures per 1e-9 seconds}.
This is a statistical approach. This is the approach taken by the European safety reliability
standard EN61508 commonly referred to as the Safety Integrity Level (SIL)
standard.
The second is to specify
that any single or double part faults cannot lead to a dangerous fault in the system under consideration.
This entails tracing the effects of all part failure modes
and working out if they can lead to any dangerous faults in the system under consideration.
%For instance, during WWII after operational research teams had analysed data it was determined that
% an aircraft engine that can, through one part failure cause a catastrophic failure is an unacceptable design.\cite{boffin} .
Both of these methods require a complete fault analysis tree.%\cite{FMEA}.
The statistical method
requires additional Mean Time To Failure (MTTF) data for all part failure modes.
The FMMD methodology applies defined stages and processes that will
create a modular fault mode hierarchy. From this
complete fault analysis trees can be determined. It uses a modular approach, so that repeated sections
of system design can be modelled once, and re-used.
%formally prove safety critical
%hardware designs.
The FMMD method creates a hierarchy from
part~fault~mode level up to system level.
%It does this using
%well defined stages, and processes.
%It allows re-use of analysed modules DOH DOH DOH
%, and to create a framework where
%fault causation trees, and statistical likelihood
%of faults occurring are
When a design has been analysed using this method, fault~trees may be traversed, and statistical likelihoods of failure
and dangerous~faults can be determined from traversing the fault tree down to the MTTFs of individual parts.
%Starting with individual part failure modes, to collections of %parts (modules)
%and then to module level fault modes.
\subsection{Basic Concepts Of FMMD}
\subsubsection { What is a part ? }
A Part here means a lowest level component, an entity which can be bought and
hopefully has some statisics for MTTF and known failure modes.
Where manufacturers MTTF data is non-existant (or unverified) a guide such as MIL1992\cite{MIL1992} may be used.
Parts for approved safety critical systems under formal observance~\cite{FMproduction}
will be documented in a parts list. The `parts list' is a formal document for
both design and quality assured production.
A parts list will typically include
the manufacturers part number, guidance for placement in the system,
a functional description, vendor parts numbers
and a description. A resistor, capacitor or a microcontroller would be typical of a `part'.
A part will normally have a set of failure~modes, or ways in which it can fail. Thus a set of failure~modes
is associated with each part.
\subsubsection{ Creating a fault hierarchy}
The main idea of the methodology is to build a hierarchy of fault modes from the part
level up to highest system levels.
The first stage is to choose
parts that interact and naturally form {\em functional groups}. {Functional groups} are thus collections of parts.
%These parts all have associated fault modes. A module is a set fault~modes.
From the point of view of fault analysis, we are not interested in the parts themselves, but in the ways in which they can fail.
For this study a Module will mean a collection of fault modes.
For a module formed from a {\em functional group} this will be the collection of all fault modes of its parts.
By analysing the fault behaviour of a `module' with respect to all the fault~modes,
we can derive a new set of possible fault~modes at the module level.
This new set of faults is the set of derived faults from the module level and is thus at a higher level of
fault~mode abstraction. Thus we can say that the module as a whole entity can fail in a number of well defined ways.
In other words we have taken a functional group, and analysed how it can fail according to the failure modes of its parts.
The ways in which the module can fail now become a new set of fault modes, the fault~modes
derived from the module. What this means is the `fault~symptoms' of the module have been derived.
%When we have determined the fault~modes at the module level these can become a set of derived faults.
By taking sets of derived faults (module level faults) we can combine these to form modules
at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way,
to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed
as parts, parts which may now be combined to create new functional groups,
but as parts at a higher level of fault abstraction.
%Choosing small sections of the system, by choosing a collection of interacting parts we can form
%modules. These parts are collected together to form modules $M$. These modules are then
%analysed with respect to the failure modes of the parts that make them up.
%This leads to a set of fault modes for each module, the derived fault~modes $D$.
%These derived fault modes may now be used at a higher abstraction level.
%A hierarchy can be built, with each level representing a higher level of fault abstraction.
%Each part may fail in a number of ways.
We can take the levels of abstraction and view them as a hierarchy, with part level faults at the bottom.
Each time we analyse a set of fault modes, with respect to how they interact,
we get a new set of faults a higher level of fault abstraction.
At the lowest level of fault~mode abstraction is the
part failure modes. This is the hierarchy abstraction level zero. Functional~groups, collections of parts are also at
abstraction level 0. Combining derived fault modes from functional groups to form {\em modules}, will
also be at level 0.
%By deriving the fault modes for a particular module.
A set of faults derived from a `module' will be at abstraction level 1.
Thus the module, a collection of parts is analysed, and the fault symtopms of that module derived.
The act of analysing and deriving new faults raises the abstraction level.
Simple parts may have
a single failure mode, and more complex ones may have hundreds.
% Hazel 11FEB2008 said this was difficult to read
%It can be easily seen that trying to judge the effect of a single part mode failure against
%all other parts failure modes in the system would be a thankless and practically impossible task.
Were we to analyse the effect of each part failure mode against all other parts in the circuit,
we could be facing a very large task.
Modularisation allows detailed (part fault mode level) analysis of well defined functional groups within a system.
The hierarchy allows the combining of these modules to form meaningful fault represention of the system.
An example of a simple system will illustrate this.
\subsection{Example FMMD Hierarchy}
%%% This is the tikz picture ??/
%
%\begin{figure}[h+]
%\centering
%\input{mvsblock.tex}
%\caption{Block Diagram : Example Milli-Volt Sensor : Block Diagram}
%%\includegraphics[scale=0.20]{ptop.eps}
%\label{fig:mvsblock}
%\end{figure}
%
Consider a simple electronic system, that provides say two milli amplifiers
which supplies these onward via serial link - RS232. This is simple in concept, plug in a
computer, run a terminal prgram, and the instrument will report the milli volt readings in ASCII
with any error messages.
% in CRC checksum protected packets.
It is interesting to look at one of `functional groups'. The millivolt amplifiers are a good example.
These can be analysed by taking a functional~group, the components surrounding the op-amp,
a few resistors to determine offset and gain,
a safety resistor, and perhaps some smoothing capacitiors.
These components form the functional group. The circuit is then analysed for all the fault combinations
of these parts. This produces a large collection of possible fault~modes for the milli-volt amplifier.
The two amplifiers are now connected to the ADC which converts the voltages to binary words for the microprocessor.
The microporessor then uses the values to determine if the readings are valid and then formats text to send
via the RS232 serial line.
\begin{figure}[h+]
%\centering
%\input{millivolt_sensor.tex}
\includegraphics[scale=0.4]{millivolt_sensor.eps}
\caption{Hierarchical Module Diagram : Milli-Volt Sensor Example}
\label{fig:mvs}
\end{figure}
This has a number of obvious functional~groups, the PCB power supply, the milli-volt amplifiers,
the analog to digital conversion circuity, the micro processor and the UART (serial link - RS232 transceiver).
It would make sense when analysing this system to take each one of these functional~groups in turn and examine them closely.
It would be sensible if the system could detect the most obvious fault~modes by self testing.
When these have been examined and diagnostic safeguard strategies have been thought up,
we might look at reporting any fault via the RS232 link.
% (if it still works !).
By doing this we have already used a modular approach.
We have analysed each section of the circuitry,
and then using the abstract errors derived from each module,
can fit these into a picture of the
fault~modes of the milli-volt monitor as a whole. However this type of analysis is not guaranteed
to rigourously take into account all fault~modes.
It is useful to follow an example fault though levels of abstraction hierarchy however, see below.
%The FMMD technique,
%goes further than this by considering all part fault~modes and
%places the analysis phases into a rigid structure.
%Each analysis phase is
%described using set theory in later sections.
%By creating a rigid hierarchy, not only can we traverse back
%down it to find possible causes for system errors, we can also determine
%combinations of fault modes that cause certain high level fault modes.
%For instance, it may be a criteria that no single part failure may cause a fatal error.
%If a fault tree can trace down to a single part fault for a potentially fatal
%fault mode, then a re-design must be undertaken.
%Some standards for automated burner controllers demand that two part failure modes cannot cause
%a dangerous/potentially fatal error. Again having a complete fault analysis tree will reveal these conditions.
\subsection{An example part Fault and its subsequent \\ abstraction to system or top level}
An example of a part fault effect on the example system is given below, showing how this fault
manifests itself at each abstraction level.
%\begin{example}
As an example let us consider a resistor failure in the first milli-volt sensor.
Let us say that this resistor, R48 say, with the particular fault mode `shorted'
causes the amplifier to output 5V.
At the part level we have one fault mode in one part.
%This is the lowest or zero level of fault abstraction.
Let us say that this amplifier has been designed to amplify the milli-volt input
to between 1 and 4 volts, a convenient voltage for the ADC/microcontroller to read.
Any voltage outside this range will be considered erroneous.
As the resistor short causes the amplifier to output 5V we can detect the error condition.
This resistor is a part in the `millivolt amplifier 1' module.
% (see figure \ref{fig:mvs}).
The fault mode at the derived fault level (abstraction level 1) is OUTPUT\_HIGH.
Looking higher in the hierarchy, the next abstraction level higher, level 2, will see this as
a `CHANNEL\_1' input fault.
%The system as a whole (abstraction level 3) will see this as
%a `MILLI\_VOLT\_SENSOR' fault~mode.
%\end{example}
\subsubsection{Abstraction Layer Summary \\ for example fault.}
\begin{description}
%\begin{list}
\item[Abstraction Level 0 :] Resistor has fault mode `R48\_SHORT' in amplifier 1.
\item[Abstraction Level 1 :] Amplifier 1 has fault mode `OUTPUT\_HIGH'.
\item[Abstraction Level 2 :] Milli-volt sensor has `CHANNEL\_1' fault.
%\item[Abstraction Level 3 :] System has `MILLI\_VOLT\_SENSOR' fault.
%\end{itemize}
%\end{list}
\end{description}
Thus we have looked at a single part fault and analysed its effect from the
bottom up on the system as a whole, going up through the abstraction layers.
\subsubsection{Fault Abstraction Level}
\label{fal}
Let the fault abstraction level mean the number of times an element of a system
has been transformed by applying fault modes effects analysis. In the example above
the error becomes more abstract, each time we zoom out and consider the effects of
the fault on more generalised sections of the system.
\section{ Fault Modes and Collections }
A safety critical system is usually a collection of highly specified interacting parts.
These are
documented in a 'parts list', which is taken to define to the standards
agencies the authorised parts that will be used for a particular approved product.
This is an important document, used in an official sense, by standards agency
inspectors, often to validate production processes.
\begin{definition}
Let $L$ be the index set for a given system.
Let $p$ denote a part in the `parts~list' $ P_L = \{ \; p_l \; | \; l \; \in \; L \; \} $
Thus $P_L$ represents a set of all parts in a safety critical product.
\end{definition}
{\em
Should this be a list instead ?
$ P_L = < \; p_1..L \; | \; p_l \; \in \; P_L \; > $
}
All parts in a safety critical system have known
`fault~modes'.
A fault~analysis function $fa$ may be applied to a part part $p$
returning a set of `fault~modes'.
\begin{definition}
Let the set $D^{a}_{l}$ represent a set of derived fault~modes.
where $a$ represents the abstraction level, and $l$ is an index to the part that gives rise to these fault modes.
A superscript of $0$ indicates that the fault~modes have been derived from
the lowest abstraction level, the parts~level.
%Let $K_p$ be the set of possible fault~modes for a given part `$p$',
%Let $p$ denote a part in the `parts~list' indexed by the variable l, $ PL = \{ {p}_{l} | l \in L \} $
%Thus PL represents a set of all parts in the system.
\end{definition}
\begin{definition}
\label{func:fa}
$$ fa(p_l) = \{ f_1, f_2, f_3 ... f_n \} = D^{0}_{l} $$
where $f_1...f_n$ represent part fault modes for the part $p_l$.
The fault~modes corresponding to part $p_l$ are represented by the set $ D^{0}_{l}$.
\end{definition}
%\begin{example}
For instance were part number 48 in a parts~list to be a wire wound resistor
applying fault analysis
would derive two fault conditions, open and short.
$$ fa(p_{48}) = \{ OPEN_{48}, SHORT_{48} \} = D^{0}_{48}$$
\label{disjointnotcare}
%\end{example}
\subsection { Defining an entire system \\ as a family of fault modes}
As a thought experiment, let us consider an entire system in terms of all its fault modes.
So without breaking a circuit into modules or chunks or whatever, just consider all the fault modes of all the components in a system.
One way of analysing a system would be to take each part fault mode
in turn and then to determine its effect on the system as a whole.
This means taking a particular part fault mode and checking its effects upon every other component in the system.
\begin{definition}
\label{func:s0}
Let $S^{0}$ be a family of sets of part~faults, for all parts in the parts list
\label{systemlevel0}
$$ {S^{0}} = \{ \; D^{0}_{l} \; | \; l \; \in \; L \; \} $$
which is the same as saying
$${S^{0}} = \{ fa(x) | x \in P_{L} \} $$
\end{definition}
The entire set of all part `fault~modes' for a complete system $S^{0}$, can be defined
by a family of all part fault~mode sets $D^{0}_{s}$, indexed by s with L as the index set.
$S^0$ then represents all the fault modes of all the parts in the system we are analysing.
We could analyse this circuit by taking each part~fault~mode and working out what effect it will have on the system as a whole.
This would be analysing the system from the perspecive of the effect of single part failures.
We could go further and take all combinations of double simultaneous faults possible
and examine their effect on the system.
%\begin{equation}
%\label{systemlevel0}
% {S^{0}} = \{ \; K^{0}_{l} \; | \; l \; \in \; L \; \} = \{ fa(x) | x \in P_{L} \}
%\end{equation}
%
%-OR- In terms of the parts~list, parts transformed to set $K$ by function`$fa$' all exist in $S^0$
%$$ \forall x \{ x \in PL | fa(x) \in S^{0} \}$$
%
To completely analyse the effect of all part failure modes we would
need to consider their affects in all combinations. In other words we
would have to look at each fault~mode and then see how it affected every other component in the system
and then work out what effect that would have on the entire system.
Checking every combination of fault~modes corresponds to the power set of the union of the set in $S^0$
(using $ \mathcal{P} $ to represent the power set, and $(\bigcup {S^0})$ to mean flattening the family of sets).
$$ AllcombinationsofPartFaults = \mathcal{P} ({\bigcup}_{l \in L} D^{0}_{l}) = \mathcal{P} (\bigcup {S^0}) $$
%where $ \cup \mathcal{F}S = \{ x | \forall A \in \mathcal{F}(x \in A) \} = \{x|\forall A ( A \in \mathcal{F} \rightarrow x \in A) \} $
That is to say, checking for all the part faults in the system, in all combinations.
% (including the empty set)
Taking the power set $ \mathcal{P} $ of the union of the family $S^0$, i.e. $ \mathcal{P} (\bigcup {{S}^{0})} $, would give us all possible
combinations of part faults in the system.
% Get the formula from the 2004 paper done with JEAN
\begin{example}A typical circuit board with say 1000 parts each of which have
say, 5 error modes, would mean $S^0$ would have 5000 elements.
Thus, to check for the effect of single part failure modes would entail 5000 checks against 999
parts.
To check for all double failures $(5000-1)^2*998$
To check all possible combinations of failure modes,
would lead to an astonishing number part~failure~modes to check ($2^{5000}$).
A full check at the part fault mode level is therefore impractical.
\end{example}
\subsection{Reducing the Power set combinations}
It would be much better if we could break the problem down into manageable chunks,
analyse the behaviour of the chunks and then combine them, with other fundtional~groups,
that have been analysed.
In this way we could build a hierarchy of modules with analysis phases
leading to an eventual model of the entire system.
\begin{definition}
Let $F$ be a functional group of components within a system.
A `functional~group' once identified will be a sub-set of the parts~list $P_L$.
$ F \subseteq P_L $
\end{definition}
A {\em functional group} defined from the parts is at the zero'th level of abstraction.
The {\em functional group} is a collection: no analysis has been applied
and it therefore is a group at zero level fault abstraction.
To indicate this it will be given a superscript of 0.
There may be a large number of functional~groups identified at this stage.
An index will be used as a subscript to identify them. Thus $F^{0}_{4}$ would be the fourth
identified functional group.
\begin{example}
Looking at the milli-volt sensor in figure~\ref{fig:mvs},
we can easily identify the milli-volt amplifier as a functional group.
It has a small number of components and one specific well defined job.
That is to amplfy a milli volt signal to within a given range and to
pass this on to another functional group to read it (the ADC).
\end{example}
The functional group as a list of parts is not directly useful. If we define a function
`$fm$` that translates a set of parts (functional~group) into a corresponding family of
fault~mode sets, these can be used for further analysis.
These families of fault mode sets are termed `modules'.
%Using the function $\#$ to represent cardinality thus $\#(A) = Cadinality(A)$.
\begin{definition}
Let $M^{a}_{n}$ represent a family of derived fault modes
corresponding to the functional group $F^{a}_{n}$, where $a$ represents the abstraction level
and $n$ is an index.
\end{definition}
The set $M^{0}_{n}$ is a family of fault~modes corresponding to the {\em functional group}
$F^{0}_{n}$, where the superscript $a$, represents the
hierarchy/abstraction level, and $n$ corresponds to the functional group index.
\begin{definition}
\label{func:fm}
The function fm translates a set of parts to a set of corresponding fault~modes
$$fm: F^{0}_{n} \rightarrow M^{0}_{n} $$
or
$$ M^{0}_{n} = \{ fa(p) | p \in F^{0}_{n} \} $$
%
% completeness not necessaary with cardinality of sets as it iterates over whole parts list
% $$ fm( M^{a}_{n} ) = \forall x \{ x | ( x \in M^{a}_{n} \rightarrow ( fa(x) \in K^{a}_{n} ) \Con ( \#(M^{a}_{n}) = \#(K^{a}_{n} ) ) \}$$
%
\end{definition}
\begin{summary}
Beginning with the
individual parts, we have combined these to functional~groups.
These functional groups have been converted into a family of corresponding sets of fault~modes (modules).
The next stage is to perform fault~mode~effect~analysis to determine the ways in which the `module' can fail.
Or in other words a set of faults at the `module'
level : i.e. a higher level of fault~mode abstraction.
\end{summary}
\section { FMEA : Fault Mode Effect Analysis }
Fault mode effects analysis, is the process of looking at a module and determining how it will fail
according to different scenarios of part failures.
This can be in the nature of a thought experiment (for instance looking an an electronic circuit,
we might say what happens if this resistor goes open etc),
or could be based on empirical data. However the results gathered would always be subject to
the scrutiny and approval of any standards agency they would be submitted to\footnote{Some standards are now listing common electronic parts with associated fault~modes that must be considered for
the approval process \cite{EN61508}.}. Often in an approval process, the approval agencies will talk through fault scenarios and require that manufacturers defend against potential part faults. This is on the basis of experience and knowledge of the type of
system under analysis. It is not necessarilly a rigourous or mathematically complete process.
%This analysis needs to be performed by an expert
%for the system under scrutiny.
%\begin{definition} A module is a family of sets of `fault modes' of parts (eqn \ref{module}).\end{definition}
By looking at how the part fault~modes within a module interact; and then
analysing the scenario for every fault~mode combination, we can determine a new set of fault~modes, fault~modes
from the perspective of the module.
\begin{definition}
Let $D^{a+1}_{n}$ be the set of fault~modes derived from a module $M^{a}_{n}$.
A superscript will define the abstraction level and a subscript the module index.
Note that the act of deriving fault~modes from a module, raises the abstraction level.
\end{definition}
\begin{definition}
Let the symbol $\FMEA$ mean `fault mode effects analysis'. This will translate a set family $M$ into a corresponding set $D$.
i.e. $ \bowtie: M^{a}_{n} \mapsto D^{a+1}_{n}$ The $\bowtie$ operation has the effect of raising the fault abstraction level.
\end{definition}
%Each module analysed map to a derived set
%which will have the same subscript and index.
%A module at abstraction level 0, can be mapped
% to a derived set by applying $\FMEA$ to the M set thus:
\begin{equation}
\label{derive0}
D^{1}_{N} \; = \FMEA({\cal P} \; \bigcup \; M^{0}_{N}) = \FMEA({\cal P} \; \bigcup \; fm (F^{0}_{N}) \; )
\end{equation}
The set $ D^{1}_{N} $ is the set of errors derived from the Nth module at abstraction level 0.
$D^1_{n}$ sets derived in this way, could now be used in the same way as the $D^0_n$ sets were in the last example,
but at a higher level of abstraction. Thus one or more $ D^{1}_{N} $ sets can be combined
to form a $M^1_{n}$ set i.e.
\begin{example}
For example, we could build a first level $M$ set from three first level module derived fault modes, say
$ D^{1}_{1}, D^{1}_{4}, D^{1}_{7}$.
$$ M^{1}_{N} = \{ D^{1}_{1}, D^{1}_{4}, D^{1}_{7} \} $$
This $ M^{1}_{N} $ set may now be subjected to FMEA and will return a set of derived fault~modes at the second level of hierarchy thus
\begin{equation}
D^{2}_{N} \; = \FMEA({\cal P} \; (\bigcup \; M^{1}_{N}))
\end{equation}
This may continue up until the hierarchy is complete, with the fault~modes becoming more and
more abstract as the hierarchy gets higher. The top of the hierarchy will be a set of derived
fault modes, representing the system fault modes.
\end{example}
\subsection{The FMEA Process}
In practise the combinations of fault modes to be analysed are placed on a
matrix, and the fault effect is determined for each combination under scrutiny.
It may be found that one or more combinations of part fault~modes will lead to the same module
level fault~mode. The means that the module could fail in the same way due to a variety of causes,
and this fact will be useful later for determining fault trees. But more importantly, it means that the number
of fault conditions for a module should be smaller than the sum of all the part error conditions
in the module.
\subsection{ Practical limits for the number \\ of fault mode combinations to \\ consider within a module}
It may not be deemed necessary to analyse all scenarios from the power-set of an $M$ set.
Some European standards will only consider one part fault at a time for analysis
and stricter ones\ref{en298} imply checking for double simultaneous faults. Statistically it
becomes very unlikely to have more than two parts fail suddenly and
European\ref{en298} and North American\ref{UL1998} standards reflect this belief.
To express this formally we can use a cardinality restricted powerset see \ref{ccp}
Thus for considering single part fault modes only, equation \ref{derive0} becomes
$ D^{2}_{N} \; = \FMEA({\cal P}_1 \; (\bigcup \; M^{1}_{N}))$
And for considering double and single fault modes $ D^{2}_{N} \; = \FMEA({\cal P}_2 \; (\bigcup \; M^{1}_{N}))$.
{\em NOTE: need proof here of how this translates UP the hierarchy, because as it goes UP
only more error sources can be included in the fault tree NOT LESS OK need the express this formally maybe}
%Collecting the derived fault modes is thus important.
The FMEA process can be represented visually, by making part fault modes contours and scenario test
cases points. Points which have the same module level fault~mode can now be joined by lines.
%Although this looks very much like a spider diagram, but it would be misleading to think of it so.
Note this is not a diagram representing sets. The Euler diagram here
is being used to represent logical conditions.
Each collection of test~cases joined by line(s) is a derived fault mode at the module level.
\subsection{FMEA Diagram : Definition of Symbols}
%\begin{figure}[t+]
%\centering
%\epsfig{file=cimg5043fmmd_spider.eps, width=\textwidth}
%\caption{ FMEA Diagram : Example Incomplete Analysis }
%\label{fig:sdfmea}
%\end{figure}
\begin{figure}
\centering
\input{fmea_diagram.tex}
\caption{FMEA Diagram : Example Incomplete Analysis}
\label{fig:sdfmea}
\end{figure}
When viewed as an FMEA diagram, each part fault mode would become a contour.
Each (asterisk `*') represents test~case corresponding to a combination of fault~modes within the module.
Overlapping contours represent the occurrence of simultaneous faults (i.e. all the fault modes
corresponding to contours are considered active for the test case).
\begin{summary}
\begin{itemize}
\item Test cases are represented by `*' marks.
\item Conjuction of fault~modes (i.e. simultaneous faults) are represented by overlapping regions of contours.
\item Lines joining test cases mean the test cases cause the same fault at the module or $M$ set abstraction level.
\end{itemize}
\end{summary}
{\em TO DO: well formness and specific rules for FMEA diagrams}
\subsection {Example FMEA process using an FMEA diagram}
Consider a simple functional~group $ F^0_1 $ derived from two parts $p1,p2$.
Applying fault analysis to these parts gives sets of corresponding fault modes
(where $D^0_p$ is the set of fault modes for the part $p$,
and the individual fault modes use an indexed lower case $f$
with the part number with a post fixed fault type, here a..z).
$$ fa(p1) = \{ f_{p1a}, f_{p1b}, f_{p1c} \} = D^0_{p1} $$
$$ fa(p2) = \{ f_{p2a}, f_{p2b} \} = D^0_{p2} $$
Applying the `$fm$' function defined in (\ref{func:fm}) to the functional group $F$
gives an $M$ set. This is a module that we can use for fault behaviour analysis.
$$ fm( F_{1}^{0} ) = M_{1}^{0} = \{ D^0_{p1}, D^0_{p2} \} $$
Note the definition of the Union of this family is
$$ {\bigcup}{M_1^0} = \{ f_{1a}, c_{1b}, f_{1c}, f_{2a}, f_{2b} \} $$
To analyse the effects of the fault~modes on the module, we first take the power set of the union of this family
$$ \mathcal{P} ({\bigcup}{M_1^1}) = \mathcal{P} \{ f_{1a}, f_{1b}, f_{1c}, f_{2a}, f_{2b} \} $$
The Power-set returns all possible combinations of faults. In this case it would be $2^5$ number of combinations to check.
We could restrict the cardinality of the powersets and reduce the complexity level.
For this we can use a restricted cardinality powerset (see \ref{ccp}).
If we restrict our search to single faults and double simultaneous faults $\mathcal{P}_{2}$, we can use a two dimensional
Euler\footnote{Euler diagrams are here not used to represent sets, but are used to represent boolean logic conditions}
diagram to represent this. In this Euler diagram, for simplicity, only 5 test cases
have been analysed (see figure \ref{fig:sdfmea}).
For the purposes of this example it has been decided that some combinations of part faults, cause the same module level error.
Where this happens test~cases are joined by lines to indicate that they cause the same fault
(from the module or $M^a_n$ set perspective).
The single point $f2$ represents a module fault mode caused by the
combined part failures of $ f_{p2b}$ and $f_{p1a}$.
As an equation
$$f2 \rightarrow f_{p2b} \Con f_{p1a} $$
Two pairs of test cases cause the same module level error.
$f1$ and $f3$, are both joined to two test cases by connecting lines.
The module level fault mode $f1$ was caused by either fault~mode $c_{1b}$ or by
the combination of $f_{p1c} \Con f_{p2b}$.
As an equation
$$f1 \rightarrow f_{p1b} \Dis (f_{p1c} \Con f_{p2b}) $$
Similarly the logical causes for $f3$, are
$$f3 \rightarrow ( ( f_{p1a} \Con f_{p2a} ) \Dis ( f_{p1b} \Con f_{p2a} ) ) $$
or simplifying by distributive law
$$f3 \rightarrow ( f_{p2a} \Con ( f_{p1b} \Dis f_{p2a} ) ) $$
All joined test cases and individual test cases, discovered during the FMEA process,
can now be considered
to be derived fault modes for the module.
Thus:
$$ D^{1}_{1} = \FMEA ({\bigcup}{M^{0}_{1}}) = \FMEA {\cup} fm({F^{0}_{1}}) = \{ f1, f2, f3 \} $$
$ D^{1}_{1} $ is now a set of fault~modes for the module. We can now
treat this in the same way we treated the part fault mode sets ($M^{0}_{n}$),
and take several derived ( $ D^{1}_{n} $) sets and combine them to form higher level modules.
This is like considering the derived set to be a part, but a part at a higher level of abstraction.
The process can then continue until up in abstraction levels until we have a complete hierarchical model.
Note for the purpose of reducing clutter from this example we are ignoring the other test cases. A full analysis would include
all test cases.
\begin{figure}
\centering
\input{fmmdh.tex}
\caption{FMMD example Hierarchy}
\label{fig:sdfmea}
\end{figure}
\section {Building the Hierarchy - Higher levels \\ of Fault Mode Analysis}
Figure \ref{fig:fmmdh} shows a hierarchy of failure mode descopmosition.
It can be seen that the derived fault~mode sets are higher level abstractions of the fault behaviour of the modules.
We can take this one stage further by combining the $D^{1}_{N}$ sets to form modules. These
$M^2_{N}$ fault mode collections can be used to create $D^3_{N}$ derived fault~modes sets and so on.
At the top of the hierarchy, there will be one final (where $t$ is the
top level) set $D^{t}_{N}$ of abstract fault modes. The causes for these
system level fault~modes will be traceable down to part fault modes.
A hierarchy of levels of faults becoming more abstract at each level should
converge to a small sub-set of system level errors.
This thinning out of the number of system level errors is borne out in practise ;
real time control systems often have a small number of major reportable faults (typically $ < 50$),
even though they may have accompanying diagnostic data.
\cite{sem}
%\begin{figure}
%\subfigure[Euler Diagram]{\epsfig{file=fmmd_hierarchy_cimg5040.eps,width=4.2cm}\label{fig:exa}}
%\subfigure[Intersection A B ]{\epsfig{file=exampleareasubtraction2.eps,width=4.2cm}\label{fig:exb}}
%\subfigure[area to subtract]{\epsfig{file=exampleareasubtraction3.eps,width=4.2cm}\label{fig:exc}}
%\subfigure[A second graphic]{\epsfig{file=exampleareasubtraction3.eps,width=2cm}}
%{\epsfig{file=fmmd_hierarchy_cimg5040.eps,width=12cm}
%\label{fig:ex}
%\caption{Simple Euler Diagram}
%\end{figure}
\cite{sem}
\section {Modelling considerations}
\subsection{FMEA diagramatic syntax and Well Formedness }
{\em TO DO RULES AND MEANING}
\subsection{The Parts List, Set or Bag}
The Parts list is indexed by the set $L$ to ensure all parts are unique.
Thus Set suffices and no bags required.
\subsection{The Empty Set}
Note that any power~set will always include the empty set.
Thus $\emptyset \in ({\cal P} \cup {\cal F}S)$ corresponds to the
state where there are no active errors in any of the parts
in the system i.e. it is in correct operational state.
$$ CorectOperationalState = \emptyset \in ({\cal P} \cup {\cal F}S) $$
This simply says that where no part fault modes are active the system must be functioning correctly.
If this is not the case, then all part~fault modes have not been considered.
\subsection{Complete Coverage of Fault Modes }
To ensure that all fault modes are represented, each fault mode from
the union all subsets of $S$ ($\cup {S}$) must be represented by a first
level module.
$$ CompleteCoverage = \forall \; x \exists \; y \; ( \; x \; \in \; (\bigcup \; S) \; \Rightarrow \; x \; \in \; (\bigcup \; D^{1}_{y}) ) $$
That is to say that where a fault~mode exists in the system, it must be
included in at least one module.
Were it not to be we would have a fault~condition that was not modelled.
The $CompleteCoverage$ check would not ensure that the modules had been
identified correctly, but would ensure that there were no missing
fault~modes, and acts as a type of syntax check.
Note also, that this means the modules could share parts
(although this would be unusual in practise).
\subsection{ Part Fault modes Conjoint and Disjoint }
Note that in the example (\ref{disjointnotcare}) the part fault modes are disjoint, the resistor cannot be both open and shorted
at the same time. Not all part fault modes are disjoint, however. Consider a complicated part
like a micro~processor. This could easily have more than one fault~mode active.
\section {notes}
\subsection{ The Parts List }
A parts list is typically a document with an enumerated list of parts.
Each part includes a description, placement information, manufacturers part number and optional comments and vendor sourcing numbers.
It is a document tied to a particular hardware revision of a product, and is used for the procurement of parts
and as a cross check for inspectors from standards agencies.
{\em NEED EXAMPLE PARTS LIST HERE....}
\subsection{ Proof of number of part~failure \\ modes preserved in hierarchy build}
Here need to prove that if we have an abstract fault, then as it goes higher in the tree, it can only collect MORE not less
actual part~failure modes. This is obvious but needs a proof.
Also this means may need dummy modules to not violate jumping up the tree structure
%Complete coverage for all derived hierarch levels can be generalised thus:
%$$ CompleteCoverage = \forall \; h \; \forall \; x \exists \; y \; ( \; x \; \in \; \cup \; {\cal F} \; D^{h}
% \; \Rightarrow \; x \; \in \; \cup \; M^{h}_{y} ) $$
\subsection{Cardinality Constrained Powerset }
\label{ccp}
A Cardinality Constrained powerset is one where sub-sets of a cardinality greater than a threshold
are not included. This theshold is called the cardinality constraint.
To indicate this the cardinality constraint $cc$, is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$.
Consider the set $S = \{a,b,c\}$. $\mathcal{P}_{2} S $ means all subsets of S where the cardinality of the subsets is
less than or equal to 2.
$$ \mathcal{P} S = \{ 0, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$
$$ \mathcal{P}_{2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} $$
$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$
A $k$ combination is a subset with $k$ elements.
The number of $k$ combinations (each of size $k$) from a set $S$
with $n$ elements (size $n$) is the binomial coefficient
$$ C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!}$$
To find the number of elements in a cardinality constrained subset S with up to $cc$ elements
in each comination sub-set,
we need to sum the combinations,
%subtracting $cc$ from the final result
%(repeated empty set counts)
from $1$ to $cc$ thus
%
% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$
%
$$ \#\mathcal{P}_{cc} S = \sum^{k}_{1..cc} \frac{\#S!}{k!(\#S-k)!} $$
\section{Future Ideas}
\subsection{ Production Quality Control }
Having a fault causation tree, could be used for PCB board fault finding (from the fault codes that are reported
by the equipment). This could be used in conjunction with a database to provide
Production oriented FMEA\footnote{The term FMEA applied to production, is a statistical process of
determining the probability of the fault occurring and multiplying that by the costs incurred from the fault.
This quickly becomes a priority to-do list with the most costly faults at the top}
\subsection { Test Rigs }
Test rigs apply a rigourous checking process to safety critical equipment before
they can be sold, and this usually is a legal or contractural requirement, backed up by inspections
and and an approval process.
They are usually a clamp arrangement where the PCB under test is placed.
Precesion and calibrated test signals are then applied to the board under test. For PCBs containing
microprocessor, custom test~rig software may be run on them to excersize
active sections of the PCB (for instance to drive outputs, relays etc).
The main purpose of a test rig is to prevent fault equipment from being shipped.
However, often a test rig, will reveal an easy to fix fault on a board (such as a part not soldered down completely
or missing parts). These boards can be mended and re-submitted to the test rig.
It is often a problem, when a unit fails in a test rig, to quickly determine why it has failed.
Having a fault causation tree, would be useful for identifying which parts may be missing, not soldered down
or simply incorrect. The test rig armed with the fault analysis tree could point to parts or combinations of parts that could be checked
to correct the product.
\subsection {Modules - re-usability}
In the example system in the introduction, the milli-volt amplifiers
are the same circuit. The set of derived faults for the module may therefore
simply be given a different index number and re-used.
\subsection{ Multi Channel Safety Critical Systems }
Where a system has several independent parrallel tasks, each one can be a separate hierarchy.
% \small
% \bibliography{vmgbibliography,mybib}
% \normalsize
% Typeset in \ \ {\huge \LaTeX} \ \ on \ \ \today
\begin{verbatim}
CVS Revision Identity $Id: fmmdset.tex,v 1.7 2009/06/06 11:52:09 robin Exp $
\end{verbatim}
%\end{document}
%\theend

10
introduction/introduction.tex
View File

@ -214,6 +214,13 @@ As the automation takes over more and more functions from the human operator it
A classic example of an automated system failing, is the therac-25. A classic example of an automated system failing, is the therac-25.
This was an X-ray dosage machine, that, due to software errors This was an X-ray dosage machine, that, due to software errors
caused the deaths of several patients and injured more during the 1980's. caused the deaths of several patients and injured more during the 1980's.
The Therac-25 was a designed from a manual system, which had checks and interlocks,
and was computerised. Software bugs were the primnary causes of the radiation
overdoses.
\cite{therac}
Any new safety critical analysis methodology should
be able to model software, electrical and hardware faults using
a common notation.
% http://en.wikipedia.org/wiki/Autopilot % http://en.wikipedia.org/wiki/Autopilot
@ -402,7 +409,8 @@ temperature being the most typical. Very often what happens to the system outsid
\section{Project Goals} \section{Project Goals}
\begin{itemize} \begin{itemize}
\item To create a Bottom up FMEA technique that is modular and permits a linked hierarchy to be build representing the fault behaviour of a system. \item To create a Bottom up FMEA technique that is modular and permits a linked hierarchy to be
build representing the fault behaviour of a system.
\item To create a user friendly formal common visual notation to represent fault modes \item To create a user friendly formal common visual notation to represent fault modes
in Software, Electronic and Mechanical sub-systems. in Software, Electronic and Mechanical sub-systems.
\item To formally define this visual language. \item To formally define this visual language.

399
introduction/introduction.tex~
View File

@ -1,399 +0,0 @@
\section{Introduction}
$$ \int_{0\-}^{\infty} f(t).e^{-s.t}.dt \; | \; s \in C$$
This thesis describes the application of, mathematical (formal) techniques to
the design of safety critical systems.
The initial motivation for this study was to create a system
applicable to industrial burner controllers.
The methodology developed was designed to cope with
both the specific `simultaneous failures'\cite{EN298},\cite{EN230},\cite{EN12067}
and the probability to dangerous fault approach\cite{EN61508}.
The visual notation developed was initially designed for electronic fault modelling.
However, it could be appleid to mechanical and software domains as well.
Due to this a common notation/diagram style
can be used to model any integrated safety relevant system.
\section{Safety Critical Systems}
\subsection{General description of a Safety Critical System}
A safety critical system is one in which lives may depend upon it or
it has the potential to become dangerous.
(/usr/share/texmf-texlive/tex/latex/amsmath/amstext.sty
An industrial burner is typical of plant that is potentially dangerous.
An incorrect air/fuel mixture can be explosive.
Medical electronics for automatically dispensing drugs or maintaining
life support are examples of systems that lives depend upon.
\subsection{Two approaches : Probablistic, and Compnent fault tolerant}
There are two main philosophies applied to safety critical systems.
One is a general number of acceptable failure per hour of operation.
This is the probablistic approach and is embodied in the european standard
EN61508 \cite{EN61508}.
The second philosophy, applied to application specific standards, is to investigate
components ior sub-systems in the critical safety path and to look at component failure modes
and ensure that they cannot cause dangerous faults.
With the application specific standards detail
specific to the process are
This philosophy is first mentioned in aircraft safety operation reseach WWII
studies. Here potential single faults (usually mechanical) are traced to
catastrophic failures
% \cite{boffin}.
%
% \begin{example}
% \label{exa1}
% Test example
% \end{example}
%
% And that is example~\ref{exa1}
\subsection{Overview of regulation of safety Critical systems}
reference chapter dealing speciifically with this but given a quick overview.
\subsubsection{Overview system analysis philosophies }
- General safety standards
- specific safety standards
\subsubsection{Overview of current testing and certification}
ref chapter speciiffically on this but give an overview now
\section{Background to the Industrial Burner Safety Analysis Problem}
An industrial burner is a good example of a safety critical system.
It has the potential for devatating explosions due to boiler overpressure, or
ignition of an explosive mixture, and, because of the large amounts of fuel used,
is a potential fire hazard. They are often left running unattended 24/7.
To add to these problems
Operators are often under pressure to keep them running. An boiler supplying
heat to a large greenhouse complex could ruin crops
should it go off-line. Similarly a production line relying on heat or steam
can be very expensive in production down-time should it fail.
This places extra responsibility on the burner controller.
These are common place and account for a very large proportion of the enery usage
in the world today (find and ref stats)
Industrial burners are common enough to have different specific standards
written for the fuel types they usei \ref{EN298} \ref{EN230} \ref{EN12067}.
A modern industrial burner has mechanical, electronic and software
elements, that are all safety critical. That is to say
unhandled failures could create dangerous faults.
To add to these problems
Operators are often under pressure to keep them running. An boiler supplying
heat to a large greenhouse complex could ruin crops
should it go off-line. Similarly a production line relying on heat or steam
can be very expensive in production down-time should it fail.
This places extra responsibility on the burner controller.
These are common place and account for a very large proportion of the enery usage
in the world today (find and ref stats)
Industrial burners are common enough to have different specific standards
written for the fuel types they usei \ref{EN298} \ref{EN230} \ref{EN12067}.
A modern industrial burner has mechanical, electronic and software
elements, that are all safety critical. That is to say
unhandled failures could create dangerous faults.
A more detailed description of industrial burner controllers
is dealt with in chapter~\ref{burnercontroller}.
\subsection{Mechanical components}
describe the mechanical parts - gas valves damper s
electronic and software
give a diagram of how it all fits A
together with a
\subsection{electronic Components}
\subsection{Software/Firmware Components}
\subsection{A high level Fault Hierarchy for an Industrial Burner}
This section shows the component level, leading up higher and higher in the abstraction level
to the software levels and finally a top level abstract level. If the system has been
designed correctly no `undetected faults' should be present here.
\section{An Outline of the FMMD Technique}
The methodology takes a bottom up approach to
the design of an integrated system.
Each component is assigned a well defined set of failure modes.
The components are formed into modules, or functional groups.
These functional groups are analysed with respect to the failure modes of the
components. The `functional group' or module will have a set of derived
failure modes. The number of derived failure modes will be
less than or equal to the sum of the failure modes of all its components.
A `derived' set of failure modes, is at a higher abstraction level.
derived modules may now be used as building blocks, to model the system at
ever higher levels of abstraction until the top level is reached.
Any unhandled faults will appear at this top level and will be `un-resolved'.
A formal description of this process is dealt with in Chapter \ref{fmmddefinition}.
%This principally focuses
%on simple control systems for maintaining temperature
%and for industrial burners. It is hoped that a general mathematical
%framework is created that can be applied to other fields of safety critical engineering.
Automated systems, as opposed to manual ones are now the norm
in the home and in industry.
Automated systems have long been recognised as being more effecient and
more accurate than a human opperator, and the reason for automating a process
can now be more likely to be cost savings due to better effeciency
thatn a human operator \ref{burnereffency}.
For instance
early automated systems were mechanical, with cams and levers simulating
fuel air mixture profile curves over the firing range.
Because fuels vary slightly in calorific value, and air density changes with the weather, no optimal tuning can be optional.
In fact for asethtic reasons (not wanting smoke to appear at the flue)
the tuning was often air rich, causing air to be heated and
uneccessarily passed through the burner, leading to direct loss of energy.
An automated system analysing the combustions gasses and automatically
adjusting the fuel air mix can get the effeciencies very close to theoretical levels.
As the automation takes over more and more functions from the human operator it also takes on more responsibility.
A classic example of an automated system failing, is the therac-25.
This was an X-ray dosage machine, that, due to software errors
caused the deaths of several patients and injured more during the 1980's.
% http://en.wikipedia.org/wiki/Autopilot
To take an example of an Autopilot, simple early autopilots, were (i.e. they
prevented the aircraft staying from a compass bearing and kept it flying striaght and level).
Were they to fail the pilot would notice quite quickly
and resume manual control of the bearing.
Modern autopilots control all aspects of flight including the engines, and take off and landing phases.
The automated system does not have the
common sense of a human pilot either, if fed the wrong sensory information
it could make horrendous mistakes. This means that simply reading sensors and applying control
corrections cannot be enough.
Checking for error conditions must also be incorporated.
It could also develop an internal fault, and must be able to cope with this.
Systems such as industrial burners have been partially automated for some time.
A mechanical cam arrangement controls the flow of air and fuel for the range of
firing rate (output of the boiler).
These mechanical systems could suffer failures (such as a mechanical linkage beoming
detached) and could then operate in a potentially dangerous state.
More modern burner controllers use a safety critical computer controlling
motors to operate the fuel and air mixture and to control the safety
valves.
In working in the industrial burner industry and submitting product for
North American and European safety approval, it was apparent that
formal techniques could be applied to aspects of the ciruit design.
Some safety critical circuitry would be subjected to thought experiments, where
the actions of one or more components failing would be examined.
As a simple example a milli-volt input could become disconnected.
A milli-volt input is typically amplified so that its range matches that
of the A->D converter that you are reading. were this signal source to become disconnected
the systems would see a floating, amplified signal.
A high impedance safety resistor can be added to the circuit,
to pull the signal high (or out of nornal range) upon disconnection.
The system then knows that a fault has occurred and will not use
that sensor reading (see \ref{fig:millivolt}).
\begin{figure}
\vskip 7cm
\special{psfile=introduction/millivoltsensor.ps hoffset=0 voffset=0 hscale=35 vscale=35 }\caption[Milli-Volt Sensor with safety resistor]{
Milli-Volt Sensor with safety resistor
\label{fig:millivolt}}
\end{figure}
For exmaple, if the sensor supplies a range of 0 to 40mV, and RG1 and RG2 are such that the op-amp supplies a gain of 100
any signal between 0 and 4 volts on the ADC will be considered in range. Should the sensor become disconnected the
opamp will supply its maximum voltage, telling the system the sensor reading is invalid.
This introduces a level of self checking into the system.
We need to be able to react to not only errors in the process its self,
but also validate and look for internal errors in the control system.
This leads on to an important concept of three main states of a safety critical system.
% To improve productivity, performance, and cost-effectiveness, we are developing more and more safety-critical systems that are under computer control. And centralized computer control is enabling many safety-critical systems (e.g., chemical and pesticide factories) to grow in size, complexity, and potential for catastrophic failure.
% We use software to control our factories and refineries as well as power generation and distribution. We also use software in our transportation systems including airplanes, trains, ships, subways, and even in our family automobiles. Software is also a major component of many medical systems in which safe functioning is critical to the safety of patients and operators alike. Even when the software does not directly control safety-critical hardware, software can provide operators and users with safety-critical data with which they must make safety-critical decisions (e.g., air traffic control or medical information such as blood bank records, organ donor information, and patient medical records). As we have come to rely more on software-intensive systems, we have come to rely more on those systems functioning safely.
% Many accidents are caused by problems with system and software requirements, and “empirical evidence seems to validate the commonly stated hypothesis that the majority of safety problems arise from software requirements and not coding errors” [Leveson1995]. Major accidents often result from rare hazards, whereby a hazard is a combination of conditions that increases the likelihood of accidents causing harm to valuable assets (e.g., people, property, and/or the environment). Most requirements specifications are incomplete in that they do not specify requirements to eliminate these rare hazards or mitigate their consequences. Requirements specifications are also typically incomplete in that they do not specify what needs to happen in exceptional “rainy day” situations or as a response to each possible event in each possible system state although accidents are often caused by the incorrect handling of rare combinations of events and states that were considered to be either impossible or too unlikely to worry about, and were therefore never specified. Even when requirements have been specified for such rare combinations of events and conditions, they may well be ambiguous (an unfortunately common characteristic of requirements in practice), partially incomplete (missing assumptions obvious only to subject matter experts), or incorrect, or inconsistently implemented. Thus, the associated hazards are not eliminated or the resulting harm is not properly mitigated when the associated accidents occur. Ultimately, safety related requirements are important requirements that need to be better engineered.
% The goal of this column is to define safety requirements and clarify how they differ from safety constraints and from functional, data, and interface requirements that happen to be safety critical. I start by defining safety in terms of a powerful quality model and show how quality requirements (including safety requirements) can be specified in terms of the components of this quality model. I will then show how to use the quality model to specify safety requirements. Then, I will define and discuss safety constraints and safety-critical requirements. Finally, I will pose a set of questions regarding the engineering of these three kinds of safety-related requirements for future research and experience to answer.
Safety critical systems in the context of this study, means that a safety critical system may be said to be in three distinct
overall states.
Operating normally, operating in a lockout mode with a detected fault, and operating
dangerously with an undetected fault.
The main role of the system designers of safety critical equipment should be to eliminate the possibility of this last condition.
% Software plays a critical role in almost every aspect facet of our daily lives - from , to driving our cars, to working in our offices.
% Some of these systems are safety-critical.
% Failure of software could cause catastrophic consequences for human life.
% Imagine the antilock brake system (ABS) in your car.
% A software failure here could render the ABS inoperable at a time when you need it most.
% For these types of safety-critical systems, having guidelines that define processes and
% objectives for the creation of software that focus on software quality, or the ability
% to use software that has been developed under this scrutiny, has tremendous value
% for developers of safety-critical systems.
\section{Motivation for developing a formal methodology}
A feature of many safety critical systems specifications,
including EN298, EN230 \cite{EN298} \cite{EN230}
is to demand,
at the very least that single failures of hardware
or software cannot
create an unsafe condition in operational plant. Further to this
a second fault introduced, must not cause an unsafe state, due
to the combation of both faults.
\vskip 0.3cm
This sounds like an entirely reasonable requirement. But to rigorously
check the effect a particular component fault has on the system,
we could check its effect on all other components.
Should a diode in the powersupply fail in a particular way, by perhaps
introducing a ripple voltage, we should have to look at all components
in the system to see how they will be affected.
%However consider a typical
%small system with perhaps 1000 components each
%with an average of say 5 failure modes.
Thus, to ensure complete coverage, each of the effects of
the failure modes must be applied
to all the other components.
Each component must be checked against the
failure modes of all other components in the system.
Mathematically with components as 'c' and failure modes as 'Fm'.
\equation
\label{crossprodsingle}
checks = \{ \; (Fm,c) \; \mid \; \stackrel{\wedge}{c} \; \neq \; c \}
\endequation
Where demands
are made for resilience against two
simultaneous failures this effectively squares the number of checks to make.
\equation
\label{crossproddouble}
doublechecks = \{ \; (Fm_{1},Fm_{2},c) \; \mid \\ \; c_{1} \; \neq \; c_{2} \; \wedge \; Fm_{1} \neq Fm_{2} \; \}
\endequation
If we consider a system which has a total of
$N$ failure modes (see equation \ref{crossprodsingle}) this would mean checking a maximum of
\equation
NumberOfChecks = \frac{N ( N-1 )}{2}
\endequation
for individual component failures and their effects on other components when they fail.
For a very small system with say 1000 failure modes this would demand a potential of 500,000
checks for any automated checking process.
\vskip 0.3cm
European legislation\cite{EN298} directs that a system must be able to react to two component failures
and not go into a dangerous state.
\vskip 0.3cm
This raises an interesting problem from the point of view of formal modelling. Here we have a binary cross product of all components
(see equation \ref{crossproddouble}).
This increases the number of checks greatly. Given that the binary cross product is $ (N^{2} - N)/2 $ and has to be checked against the remaining
$(N-2)$ components.
\equation
\label{numberofchecks}
NumberOfchecks = \frac{(N^{2} - N) ( N - 2)}{2}
\endequation
Thus for a 1000 failure mode system, roughly a half billion possible checks would be required for the double simultaneous failure scenario. This astonomical number of potential combinations, has made formal analysis of this
type of system, up until now, impractical. Fault simulators %\cite{sim}
are commonly used for the gas certification process. Thus to
manually check this number of combinations of faults is in practise impossible.
A technique of modularising, or breaking down the problem is clearly necessary.
\section{Challenger Disaster}
One question that anyone developing a safety critical analysis design tool
could do well to answer, is how the methodology would cope with known previous disasters.
The Challenger disaster is a good example, and was well documented and invistigated.
The problem lay in a seal that had an operating temperature range.
On the day of the launch the temperature of this seal was out of range.
A bottom up safety approach would have revealed this as a fault.
\section{Problems with Natural Language}
Written natural language desciptions can not only be ambiguous or easy to misinterpret, it
is also not possible to apply mathematical checking to them.
A mathematical model on the other hand can be checked for
obvious faults, such as tautologies and contradictions, but also
intermediate results can be extracted and these checked.
Mathematical modeling of systems is not new, the Z language
has been used to model systems\cite{ince}. However this is not widely
understood or studied even in engineering and scientific circles.
Graphical techniques for representing the mathematics for
specifying systems, developed at Brighton and Kent university
have been used and extended by this author to create a methodology
for modelling complex safety critical systems, using diagrams.
This project uses a modified form of euler diagram used to represent propositional logic.
%The propositional logic is used to analyse system components.
\section{Ideal System Designers world}
Imagaine a world where, when ordering a component, or even a complex module
like a a failsafe sensor/scientific instrunment, one page of the datasheet
is the failure modes of the system. All possible ways in which the component can fail
and how it will react when it does.
\subsection{Environmentally determined failures}
Some systems and components are guaranteed to work within certain environmental constraints,
temperature being the most typical. Very often what happens to the system outside that range is not defined.
Where this is the case, these are undetectable errors.
\section{Project Goals}
\begin{itemize}
\item To create a user friendly formal common visual notation to represent fault modes
in Software, Electronic and Mechanical sub-systems.
\item To formally define this visual language.
\item To prove that tehe modules may be combined into hierarchies that
truly represent the fault handling from component level to the
highest abstract system 'top level'.
\item To reduce to complexity of fault mode checking, by modularising and
building complexity reducing hierarchies.
\item To formally define the hierarchies and procedure for bulding them.
\item To produce a software tool to aid in the drawing of diagrams and
ensuring that all fault modes are addressed.
\item To allow the possiblility of MTTF calculation for statistical
reliability/safety calculations.
\end{itemize}
% fuckin\end{document}

779
logic_diagram/logic_diagram.tex~
View File

@ -1,779 +0,0 @@
\begin{abstract}
%This chapter describes using diagrams to represent propositional logic.
Propositial Logic Diagrams have been designed to provide an intuitive method for visualising and manipulating
logic equations, to express fault modes in Mechanical and Electronic Systems.
%To aid hierarchical stages of fault analysis, it has been specifically developed for the purpose of
%joining conjunctive conditions with disjuctive conditions
%to group the effects of failure modes.
Diagrams of this type can also be used to model the logical conditions
that control the flow of a computer program. This type of diagram can therefore
integrate logical models from mechanical, electronic and software domains.
Nearly all modern safety critical systems involve these three disiplines.
%
It is intended to be used for analysis of automated safety critical systen
Many types of safety critical systems now legally
require fault mode effects analysis\cite{FMEA},
but few formal systems exist and wide-spread take-up is
not yet the norm.\cite{takeup}.
%
Because of its visual nature, it is easy to manipulate and model
complicated conditions that can lead to dangerous failures in
automated systems.
% No need to talk about abstraction yet, just define PLD PROPERLY
The Diagrams described here form the mathematical basis for a new visual and formal system
for the analysis of safety critical software and hardware systems.
\end{abstract}
%\title{Propositional Logic Diagrams}
%\begin{keyword}
% fault~tree fault~mode EN298 EN61508 EN12067 EN230 UL1998 safety~critical logic euler venn propositional
%\end{keyword}
%\end{frontmatter}
% In software looking at one condition means lots of dont care situations
% in static analysis we look at given sub-sets of faults and assume the other faults
% are not active.
% This is a major cultural difference !
% it deserves a whole chapter.
\section{Introduction}
Propositional Logic Diagrams (PLDs) have been devised
to collect and simplfy fault~modes in safety critical systems undergoing
static analysis\cite{FMEA}\cite{SIL}.
This type of analysis treats failure modes within a system as logical
states. PLD provides a visual method for modelling failure~mode analysis
within these systems, and specifically
identifying common failure symptoms in a user friendly way.
Contrasting this to looking at many propositional logic equations directly
in a text editor or spreadsheet, a visual method is percieved as being more intuitive.
%Traditional set theory is often represented by Euler\cite{euler} or Spider\cite{spider}
%diagrams. These use contours to describe inclusion in a set.may be merged and create a
%Propositional Logic Diagrams (PLDs) use named contours represent a logical conditions.
%Where an Euler diagram would use
%overlapping contours to represent inclusion in sets,
%PLDs use these to represent conjunction of the conditions.
%Named reference points may be placed onto the diagram,
%these represent test cases for conjunction.
%These can be joined by lines to apply disjunction.
%In a spider diagram the lines would represent that the object represented coul;d belong to either set.
%in a PLD it means that the logical conditions represent disjuction; a boolean OR condition.
%these points may be joined.
PLDs use three visual features that
can be combined to represent logic equations. Closed contours, test cases, and lines that
link test cases.
All features may be labelled, and the labels must be unique within a diagram, however contours may be repeated in the diagram.
%Aditionally a label begining with the `$\neg$' character, applied only to a contour, represents negation.
%Regions defined by contours are used to represent given conjunctive logical conditions.
Test cases are marked by asterisks. These are used as a visual `anchor'
to mark a logical condition, the logical condition being defined by the contours
that enclose the region on which the test~case has been placed.
The contours that enclose represent conjuction.
Test~cases may be connected by joining lines. These lines represent disjunction (Boolean `OR') of
test~cases.
With these three visual syntax elements, we have the basic building blocks for all logic equations possible.
\begin{description}
\item Test cases - Points on the plane indicating a logical condition.
\item Conjunction - Overlapping contours
\item Disjunction - Joining of named test cases.
%\item Negation - Countours negatively named
\end{description}
% Because of this
% we have the complete suite of logical primitives here, conjunction, disjuction and negation.
% Form these complex logic equations can be respresented in 2D.
% Another advantage of this is being able to describe `don't care' conditions.
% Very often in digital hardware design, or in a computer program
% many logical conditions are `don't care'.
% These are difficult to specify in set theory.
\section{Formal Description of PLD}
Definitions of conrete and abstract PLD's follow.
Well-formedness conditions for PLD's are separated from this definition, because of
practical differences between the way they are used to represent software as opposed to
representing electronics and mechanical systems.
\subsection{Concrete PLD Definition}
A concrete {\em Propositional logic diagram} is a set of labeled {\em contours}
(closed curves) in the plane. The minimal regions formed by the closed curves
can by occupied by `test points'.
The `test points' may be joined by joining lines.
A group of `test points' connected by joining lines
is defined as a `test point disjunction' or Spider.
Spiders may be labeled.
To differentiate these from common Euler diagram notation (normally used to represent set theory)
the curves are drawn using dotted and dashed lines.
\subsection{ PLD Definition}
In English:
The elements that can be found in a PLD diagram are a number of contours,
a number of test points and joining lines that connect
test points.
{
\definition{A concrete PLD $d$ is a set comprising of a set of
closed curves $C=C(d)$, a set of test points $T=T(d)$ and
a set of test point joining lines $J=J(d)$.
$$d=\{C,T,J\}$$
}
}
In English:
Each element of the diagram has a unique label within the diagram.
%Thus the set of labels found in a diagram is
%a subset of the powerset of characters that can be present in a label.
%{
%\definition{ $ \mathcal{F}_{d}:C(d) \rightarrow \mathcal{P}\Lambda$ is a
%function associating a label drawn from an infinite
%set of labels $\Lambda$.
%}
%}
%In English:
%A minimal region of a PLD diagram d is a
%region bounded by curves.
%connected component of $\mathbb{R}^{2} - \; \bigcup_{c \in C(d)} c$
%That is to say the complement of all other regions is subtracted from the plane.
%- Or in another way- that smallest area defined by the curves that enclose it
%% \hat is used to indicate CONCRETE
{
\definition{
A minimal region of concrete PLD diagram d is a connected component of
$$ \mathbb{R}^{2} - \; \bigcup_{\hat{c} \in \hat{C}(\hat{d})}\hat{c}$$
% I.e. The contours break the connectivity
}
}
{
\definition
{
Let d be a PLD and $ \mathcal{X} \subseteq \hat{C}(\hat{d})$ a set of countours.
If the set
$$ \hat{z} = \bigcap_{c \in \mathcal{X}}
{interior}
(\hat{c})
\; \cup \;
\bigcap_{\hat{c} \in \hat{C}-X}
exterior (\hat{c})
$$
is non empty, then $\hat{z}$ is a concrete zone of $\hat{d}$. A zone is a union of minimal regions. The set of all concrete zones of $\hat{d}$
is denoted $ \hat{\mathcal{Z}} $.
% NOT interested in labelling the zones.
% but am interested in
%The set of labels associated with the contours in $\mathcal{X}$ is the zone label set $\hat{\mathcal{Z}}(\hat{z})$
%of $\hat{z}$.
%$$ \hat{\mathcal{L}}(\hat{z}) = \bigcup_{\hat{c} \in \mathcal{X}} \mathcal{F}_{d}(\hat{c}) $$
%
% So Z is the set of all available for use ZONES; great !
}
}
Each minimal region in the plane may be inhabited by one or more `test points'.
% One or more because in software the same logical conditions mean existing in the same
% region. For electroincs or mechanical, one test point per region is
% mandatory. How to describe ?????
Each test point can be associated with the set of contours that enclose it.
%defined the minimal region it inhabits.
{
\definition{ $ \mathcal{Z}_{d}:T(d)\rightarrow \mathcal{C}$ is a function
associating a testpoint with a set of contours in the plane. This corresponds to the interior of the contours defining the zone.
}
}
Pairs of test points may be joined by joining lines.
The operator $\stackrel{join}{\leftrightarrow}$ is used to
show that two points are joined by a line in the concrete diagram.
{
\definition{
$ \mathcal{F}_{j}$ is a function
associating a joining line with a pair of test points. The Join t1,t2 is defined as
%$$ \mathcal{F}_{d}:J(d)\rightarrow \{t1,t2\ | t1 \in T(d) \wedge t2 \in T(d) \wedge t1 \neq t2 %\wedge t1 \stackrel{join}{\leftrightarrow} t2\} $$
$$ \mathcal{F}_{d}:J(d)\rightarrow \{t1,t2\ | t1 \in T(d) \wedge t2 \in T(d) \wedge t1 \neq t2 \} $$
}
}
In English:
Test points on the concrete diagram pair-wise connected by a `joining line'
A collection of test points connected by joining lines, is an Fuctionally Merged Group, $FMG$
or `test point disjunction'.
An $FMG$ has members which are test points.
{may be merged
and create a
\definition{
%A spider is a set of test points where,
%a test point is a member of a spider where it can trace a path connected by joining lines
%to another member of the spider. A singleton test point can be considered a spider.
Let d be a PLD : An $FMG$ is a maximal set of test points in d where
the test points belong to a sequence connected by joining lines such that:
$$ t_i \stackrel{join}{\leftrightarrow} t_n, for \; i = 1, ..., n $$
OR consider an $FMG$ as a tree whose nodes are test points.
}
}
A singleton test point can be considered a sequence of one test point and is therefore also an $FMG$.
% \subsection{Abstract Description of PLD}
%
% An Abstract PLD {\em Propositional logic diagram} consists of contours $C$ defining zones $Z$, test points $T$ (which
% are defined by the zone they inhabit) and pair wise connections $W$, which connect test points.
% Collections of test points, linked by shared conecting lines, form a set of test point groups $G$.
%
% A Zone defined by the contours that enclose it in the concrete diagram.
%
% $$ Z \subseteq C $$
%
% A test point $t \in T$ in habits a zone on the diagram.
%
% $$ \eta(t) = Z $$
%
% A joining line $$ w \in W $$ joins test points.
%
% $$ w = t1 \stackrel{join}{\rightarrow} t2 | t1 \neq t2 \wedge t1 \in T \wedge t2 \in T $$
%
% A test point group $g \in G$ is defined by test points linked by shared connecting lines.
\subsection{Semantics of PLD}
\begin{itemize}
\item A closed curve in a PLD represents a condition (logical state) being modelled.
\item A test point represents the conjunction of the conditions represented by the curves that enclose it.
\item A $FMG$ represents the disjunction of all test points that are members of it.
\end{itemize}
To obtain the set of propositions from a PLD, each $FMG$ must be processed. For each test case
in the $FMG$ a new section of the equation is disjuctively appended to it.
Let conjunctive logic equation associated with a test point
be determined from the contours that enclose it.
i.e. the contours $\mathcal{X}$ from the zone it inhabits.
{
\definition{
Let $\mathcal{F}_{t}$ be a function mapping a test point to a proposition / logical equation $p \in P$.
The test point inhabits the zone $\mathcal{Z}$ which is a collection of contours (the contours that enclose the test point.
$$ \mathcal{F}:T \rightarrow P $$
%$$ \mathcal{F}(t): p = \bigwedge_{c \in \mathcal{Z}} \Lambda c $$
$$ \mathcal{F}(t): p = \bigwedge_{c \in \mathcal{Z}} c $$
}
}
In English:
Thus a `test point' enclosed by contours labelled $a,b,c$ would be represented by the logic equation
$ a \wedge b \wedge c $.
{
\definition{
Let $\mathcal{G}_{fmg}$ be a function that returns a logic equation for a given $FMG$
$fmg$ in the diagram, where an FMG is a non empty set of test points
% $t$ is a `test point'
$$ \mathcal{G}:FMG \rightarrow P_{fmg} $$
The logic equation representing an FMG $p_{fmg}$ can be determined thus.
$$\mathcal{G}_{fmg}(fmg) = \bigvee_{t \in fmg} (\; \mathcal{F}_{t} (t) \;) $$
}
}
The abstract PLD diagram is a set of logic equations representing all FMGs,
along with unused zones (i.e. zones that are not inhabited by FMGs).
{
\definition{
\label{FMGderivation}
A diagram can be reduced to a collection of $FMG$s.
A new diagram can be derived from this, replacing a contour for each FMG.
This diagram is at one higher level of abstraction then the diagram that
it was produced from.
}
}
\section{Example Diagrams}
\subsection {How to read a PLD diagram}
PLD diagrams are read by first looking at the test case points.
The test case asterisk will be enclosed by one or more contours.
These contours are collected and form the logical conjunction
equation for the test case.
These test case points thus represent the conjunctive aspects
of an equation defined in a PLD. Where these test cases are joined by lines;
these represent disjunction of the conjunctive aspects defined by the test cases.
Joining lines thus represent dis-junction in a PLD.
%Where negation and assertion of a logical condition is required in the same diagram, a separate contour can be created, which is
%..assigned the same name as its positive counter part, but preceded by a negation `$\neg$' sign.
%Obviously were a drawing to show conjunction of a contour and its complement
%this would result in a contradiction for any test case placed on it, and would be a visual `syntax error'.
%Note that negation is handled explicitly. This is to allow `don't care'
%conditions. Should a test case be outside a contour, that contour is a `don't care' condition.
%In a PLD, contours may be represented in complement, to provide
%logical negation. Here the contour name is begun with the negation symbol `$\neg$'.
%%To represent conjunction of logical conditions (Boolean `AND'), contours may be overlapped.
%Providing explicit negation, in addition to disjunction and conjunction
%allows us to represent `don't care' or `tri-state' logical conditions. Simply by
%not using the conditions we are not interested in they are `don't care'.
%
%\section{Example Logic Diagrams}
\subsection{ Logical AND example }
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 279 247]{logic_diagram/ldand.jpg}
% ldand.jpg: 279x247 pixel, 72dpi, 9.84x8.71 cm, bb=0 0 279 247
\label{fig:ld_and}
\end{figure}
% \begin{figure}[h+]
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{logic_diagram/ldand.jpg}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
%
% %\includegraphics[scale=0.6]{ldand.eps}
% \caption{Logical AND}
% \label{fig:ld_and}
% \end{figure}
In the diagram \ref{fig:ld_and} the area of intersection between the contours $a$ and $b$
represents the conjunction of those conditions. The point $P$ represents the logic equation
$$ P = (a \wedge b) $$
There are no disjunctive joining lines and so this diagram represents one equation only, $ P = (a \wedge b) $.
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, this could be considered to be a sub-system with two failure states $a$ and $b$.
The proposition $P$ considers the scenario where both failure~modes are active.
\clearpage
\subsection { Logical OR example }
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 476 264]{logic_diagram/ldor.jpg}
% ldor.jpg: 476x264 pixel, 72dpi, 16.79x9.31 cm, bb=0 0 476 264
\label{fig:ld_or}
\end{figure}
% \begin{figure}[h+]
% %\centering
% %\input{ldor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{logic_diagram/ldor.jpg}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.60]{ldor.eps}
% \caption{Logical OR}
% \label{fig:ld_or}
% \end{figure} % OR
The diagram \ref{fig:ld_or} is converted to Boolean logic by first looking at the test cases, and
the contours they are placed on.
$$ P = (a) $$
$$ Q = (b) $$
The two test cases are joined by a the line named $R$.
we thus apply disjunction to the test cases.
$$ R = P \vee Q $$
substituting the test cases for their Boolean logic equations gives
$$ R = ((a) \vee (b)) $$.
\clearpage
\subsection {Labels and useage}
In diagram \ref{fig:ld_meq} Z and W were labeled but were not necessary for the final expression
of $ R = b \vee c $. The intended use of these diagrams, is that resultant logical conditions be used in a later stage of reasoning.
Test cases joined by disjunction, all become represented in one, resultant equation.
Therefore only test cases not linked by any disjunctive joining lines need be named.
The diagram \ref{fig:ld_meq} can therefore be represented as in diagram \ref{fig:ld_meq2}, with
two unnamed test cases.
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 572 297,scale=0.7,keepaspectratio=true]{./ldmeq2.jpg}
% ldmeq2.jpg: 572x297 pixel, 72dpi, 20.18x10.48 cm, bb=0 0 572 297
\label{fig:ld_meq2}
\end{figure}
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0pt 0pt 600pt 600pt]{logic_diagram/ldmeq2.jpg}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.4]{ldmeq2.eps}
% \caption{Several Logical Expressions with unamed test cases}
% \label{fig:ld_meq2}
% \end{figure}
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, this could be considered to be a sub-system with two failure states $a$ and $b$.
The proposition $P$ considers the scenario where either failure~mode is active.
Additionally it says that either failure mode $a$ or $b$ being active
will have a resultant effect $R$ on the sub-system. Note that the effect
of $a$ and $b$ both being active is not defined on this diagram.
\clearpage
\subsection { Repeated Contour example }
Repeated contours are allowed in PLD diagrams.
Logical contradictions or tautologies can be detected automatically by
a software tool which assists in drawing these diagrams.
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 485 206]{logic_diagram/repeated.jpg}
% repeated.jpg: 539x229 pixel, 80dpi, 17.11x7.27 cm, bb=0 0 485 206
\label{fig:repeat}
\end{figure}
% \begin{figure}[h]
% \centering
% \includegraphics[bb=0 0 486 206]{./repeated.jpg}
% % repeated.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 486 206
% \label{fig:repeated}
% \end{figure}
The diagram \ref{fig:repeat} is converted to Boolean logic by first looking at the test cases, and
the contours they are placed on.
$$ P = (b) $$
$$ Q = (a) \wedge (c) $$
The two test cases are joined by a the line named $R1$.
we thus apply disjunction to the test cases.
$$ R1 = P \vee Q $$
$$ R1 = b \vee ( a \wedge c ) $$.
$R2$ joins two other test cases
$$R2 = a \vee c $$
The test~case residing in the intersection of countours $B$ and $A$
represents the logic equation $R3 = a \wedge b$.
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, $R2$ is the symptom of either failure~mode $A$ or $C$
occurring. $R1$ is the symptom of $B$ or $A \wedge C$ occurring.
There is an additional symptom, that of the test case in $A \wedge B$.
\clearpage
\subsection { Inhibit Failure }
Very often a failure mode can only occurr
given a searate environmental condition.
In Fault Tree Analysis (FTA) this is represented by an inhibit gate.
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 364 227]{logic_diagram/inhibit.jpg}
% inhibit.jpg: 404x252 pixel, 80dpi, 12.83x8.00 cm, bb=0 0 364 227
\label{fig:inhibit}
\end{figure}
%
% \begin{figure}[h]
% \centering
% \includegraphics[bb=0 0 364 228]{./inhibit.jpg}
% % inhibit.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 364 228
% \label{fig:inhibit}
% \end{figure}
The diagram \ref{fig:inhibit} has a test case in the contour $C$.
Contour $C$ is enclosed by contour $A$. This says
that for failure~mode $C$ to occur failure mode $A$
must have occurred.
A well known example of this is the space shuttle `O' ring failure that
caused the 1986 challenger disaster \cite{wdycwopt}.
For the failure mode to occurr the ambiant temperature had to
be below a critical value.
If we take the failure mode of the `O' ring to be $C$
and the temperature below critical to be $A$, we can see that
the low temperature failure~mode $C$ can only occurr if $A$ is true.
The `O' ring could fail in a different way independant of the critical temperature and this is
represented, for the sake of this example, by contour $D$.
In terms of propositional logic, the inhibit gate of FTA, and the countour enclosure
of PLD represent {\em implication}.
\\
% \tiny
\vspace{0.3cm}
\begin{tabular}{||c|c|c|c||} \hline \hline
{\em $c$ } & {\em $a$ } & {\em $R1$ } \\ \hline
F & F & T \\ \hline
F & T & T \\ \hline
T & F & F \\ \hline
T & T & T \\ \hline \hline
\end{tabular}
\vspace{0.3cm}
% \normalsize
$$ R1 = c \implies a $$
$$ R2 = a $$
$$ R3 = d $$
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, $R2$ is the symptom of either failure~mode $A$ or $C$
occurring. $R1$ is the symptom of $B$ or $A \wedge C$ occurring.
Note that although R2 is a symptom of the sub-system, on its own
it will not lead to a dangerous failure~mode of the subsystem.
% \subsection { Representing Logical Negation }
%
% \begin{figure}[h+]
% %\centering
% %\input{ldor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{logic_diagram/ldneg.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.60]{ldneg.eps}
% \caption{Logical Negation}
% \label{fig:ld_neg}
% \end{figure} % OR
%
% Diagram \ref{fig:ld_neg} represents the logical equation $$ P = a \wedge b \wedge \neg c $$.
%
% \paragraph{How this would be interpreted in failure analysis}
% In failure analysis this test case represents the scenario where failure modes $a$ and $b$
% are active but $c$ is not.
%
%
%
% \clearpage
% \subsection { Logical XOR example }
%
% An exclusive or condition is represented by diagram \ref{fig:ld_xor}.
% The Equations represented are as follows.
%
% firstly looking at the test case points
% $$ P = (\neg a \wedge b) $$
% $$ Q = (\neg b \wedge a) $$
%
% now joining them with the disjuctive line
% $$ R = P \vee Q $$
%
% Giving R as a Boolean equation
% $$ R = (\neg a \wedge b) \vee (\neg b \wedge a) $$
% or taking the symbol $\oplus$ to mean exclusive-or
% $$R = a \oplus b $$
%
%
% % \begin{figure}[h] %% SOMETHING IS WRONG says latex. very helpful tell me what it fucking is then
% % \centering
% % \caption{Example `XOR' Diagram}
% % \includegraphics[scale=0.80]{ldxor.eps}
% % \label{fig:ld_xor}
% % \end{figure} % XOR
%
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% % bb= llx lly urx ury;
% \includegraphics[width=200pt,bb=0pt 0pt 800pt 800pt]{logic_diagram/ldxor.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
%
% %\includegraphics[scale=0.4]{ldxor.eps}
% \caption{Logical XOR}
% \label{fig:ld_xor}
% \end{figure}
%
% \clearpage
% \subsection { Logical IMPLICATION example }
%
%
% An implication $a \rightarrow b$ is represented by diagram \ref{fig:ld_imp}.
% The Equations represented are as follows.
%
% Looking at the conjuctive environment of the test cases
% $$P = (\neg a)$$
% $$Q = (b)$$
% From the joining `disjunctive' line R in the diagram.
% $$R = P \vee Q$$
% Leading to
% $$R = (\neg a) \vee (b)$$
% which is the standard logic equation for implication.
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{logic_diagram/ldimp.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.4]{ldimp.eps}
% \caption{Logical Implication}
% \label{fig:ld_imp}
% \end{figure}
%
% \tiny
% %\vspace{0.3cm}
% \begin{tabular}{||c|c|c|c||} \hline \hline
%
% {\em $a$ } & {\em $b$ } & {implication \em $(\neg a) \vee (b) $ } \\ \hline
% F & F & T \\ \hline
% F & T & T \\ \hline
% T & F & F \\ \hline
% T & T & T \\ \hline \hline
% \end{tabular}
% %\vspace{0.3cm}
% \normalsize
%
% \clearpage
% \subsection { Diagram representing several Logic Equations Example }
%
%
% bb=0 0 450 404
%
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0pt 0pt 600pt 600pt]{logic_diagram/ldmeq.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.4]{ldmeq.eps}
% \caption{Several Logical Expressions}
% \label{fig:ld_meq}
% \end{figure}
%
% %The effect of using explicit negation, means that a test case being outside a given contour does not imply negation, it implies a `don't care'
% %condition.
%
% Three simple equations are represented in the diagram \ref{fig:ld_dc}.
%
% %The Set of contours $\mho$ represent the `don't care' conditions.
%
% The Equations represented are as follows.
%
% %$$ Q = a \; | \; \mho\{b,c\} $$
%
% %$$ P = b \wedge c \; | \; \mho\{a\} $$
%
% $$ Q = a $$
% $$ P = b \wedge c $$
% $$ R = b \vee c $$
%
% % XXXXXX gives annoying impossible to understand syntax messages
% %\small
% %\bibliography{vmgbibliography,mybib}
% %\bibliography{vmgbibliography}
% %\normalsize
%
\section{Intended use in FMMD}
The intention for these diagrams is that they are used to collect
component faults and combinations thereof, into faults that,
at the module level have the same symptoms.
\subsection{Example Sub-system}
For instance were a `power supply' being analysed there could be several
individual component faults or combinations that lead to
a situation where there is no power. This can be described as a state
of the powersupply being modeelled as NO\_POWER.
These can all be collected by DISJUCNTION, i.e. that this this or this
fault occuring will cause the NO\_POWER fault. Visually this disjuction is
indicated by the joining lines.
As far as the user of the `power supply' is concerned, the power supply has failed
with the failure mode $NO\_POWER$.
The `power supply' module, after this process will have a defined set of
fault modes and may be considered as a component at a higher
level of abstraction. This module can then be combined
with others at the same abstraction level.
Note that because this is a fault collection process
the number of component faults for a module
must be less than or equal to the sum of the number of component faults.
%Typeset in \ \ {\huge \LaTeX} \ \ on \ \ \today
\begin{verbatim}
CVS Revision Identity $Id: logic_diagram.tex,v 1.17 2010/01/06 13:41:32 robin Exp $
\end{verbatim}
Compiled last \today
%\end{document}
%\theend

779
logic_diagram/logic_diagram_paper.tex
View File

@ -1,779 +0,0 @@
\begin{abstract}
%This chapter describes using diagrams to represent propositional logic.
Propositial Logic Diagrams have been designed to provide an intuitive method for visualising and manipulating
logic equations, to express fault modes in Mechanical and Electronic Systems.
%To aid hierarchical stages of fault analysis, it has been specifically developed for the purpose of
%joining conjunctive conditions with disjuctive conditions
%to group the effects of failure modes.
Diagrams of this type can also be used to model the logical conditions
that control the flow of a computer program. This type of diagram can therefore
integrate logical models from mechanical, electronic and software domains.
Nearly all modern safety critical systems involve these three disiplines.
%
It is intended to be used for analysis of automated safety critical systen
Many types of safety critical systems now legally
require fault mode effects analysis\cite{FMEA},
but few formal systems exist and wide-spread take-up is
not yet the norm.\cite{takeup}.
%
Because of its visual nature, it is easy to manipulate and model
complicated conditions that can lead to dangerous failures in
automated systems.
% No need to talk about abstraction yet, just define PLD PROPERLY
The Diagrams described here form the mathematical basis for a new visual and formal system
for the analysis of safety critical software and hardware systems.
\end{abstract}
%\title{Propositional Logic Diagrams}
%\begin{keyword}
% fault~tree fault~mode EN298 EN61508 EN12067 EN230 UL1998 safety~critical logic euler venn propositional
%\end{keyword}
%\end{frontmatter}
% In software looking at one condition means lots of dont care situations
% in static analysis we look at given sub-sets of faults and assume the other faults
% are not active.
% This is a major cultural difference !
% it deserves a whole chapter.
\section{Introduction}
Propositional Logic Diagrams (PLDs) have been devised
to collect and simplfy fault~modes in safety critical systems undergoing
static analysis\cite{FMEA}\cite{SIL}.
This type of analysis treats failure modes within a system as logical
states. PLD provides a visual method for modelling failure~mode analysis
within these systems, and specifically
identifying common failure symptoms in a user friendly way.
Contrasting this to looking at many propositional logic equations directly
in a text editor or spreadsheet, a visual method is percieved as being more intuitive.
%Traditional set theory is often represented by Euler\cite{euler} or Spider\cite{spider}
%diagrams. These use contours to describe inclusion in a set.may be merged and create a
%Propositional Logic Diagrams (PLDs) use named contours represent a logical conditions.
%Where an Euler diagram would use
%overlapping contours to represent inclusion in sets,
%PLDs use these to represent conjunction of the conditions.
%Named reference points may be placed onto the diagram,
%these represent test cases for conjunction.
%These can be joined by lines to apply disjunction.
%In a spider diagram the lines would represent that the object represented coul;d belong to either set.
%in a PLD it means that the logical conditions represent disjuction; a boolean OR condition.
%these points may be joined.
PLDs use three visual features that
can be combined to represent logic equations. Closed contours, test cases, and lines that
link test cases.
All features may be labelled, and the labels must be unique within a diagram, however contours may be repeated in the diagram.
%Aditionally a label begining with the `$\neg$' character, applied only to a contour, represents negation.
%Regions defined by contours are used to represent given conjunctive logical conditions.
Test cases are marked by asterisks. These are used as a visual `anchor'
to mark a logical condition, the logical condition being defined by the contours
that enclose the region on which the test~case has been placed.
The contours that enclose represent conjuction.
Test~cases may be connected by joining lines. These lines represent disjunction (Boolean `OR') of
test~cases.
With these three visual syntax elements, we have the basic building blocks for all logic equations possible.
\begin{description}
\item Test cases - Points on the plane indicating a logical condition.
\item Conjunction - Overlapping contours
\item Disjunction - Joining of named test cases.
%\item Negation - Countours negatively named
\end{description}
% Because of this
% we have the complete suite of logical primitives here, conjunction, disjuction and negation.
% Form these complex logic equations can be respresented in 2D.
% Another advantage of this is being able to describe `don't care' conditions.
% Very often in digital hardware design, or in a computer program
% many logical conditions are `don't care'.
% These are difficult to specify in set theory.
\section{Formal Description of PLD}
Definitions of conrete and abstract PLD's follow.
Well-formedness conditions for PLD's are separated from this definition, because of
practical differences between the way they are used to represent software as opposed to
representing electronics and mechanical systems.
\subsection{Concrete PLD Definition}
A concrete {\em Propositional logic diagram} is a set of labeled {\em contours}
(closed curves) in the plane. The minimal regions formed by the closed curves
can by occupied by `test points'.
The `test points' may be joined by joining lines.
A group of `test points' connected by joining lines
is defined as a `test point disjunction' or Spider.
Spiders may be labeled.
To differentiate these from common Euler diagram notation (normally used to represent set theory)
the curves are drawn using dotted and dashed lines.
\subsection{ PLD Definition}
In English:
The elements that can be found in a PLD diagram are a number of contours,
a number of test points and joining lines that connect
test points.
{
\definition{A concrete PLD $d$ is a set comprising of a set of
closed curves $C=C(d)$, a set of test points $T=T(d)$ and
a set of test point joining lines $J=J(d)$.
$$d=\{C,T,J\}$$
}
}
In English:
Each element of the diagram has a unique label within the diagram.
%Thus the set of labels found in a diagram is
%a subset of the powerset of characters that can be present in a label.
%{
%\definition{ $ \mathcal{F}_{d}:C(d) \rightarrow \mathcal{P}\Lambda$ is a
%function associating a label drawn from an infinite
%set of labels $\Lambda$.
%}
%}
%In English:
%A minimal region of a PLD diagram d is a
%region bounded by curves.
%connected component of $\mathbb{R}^{2} - \; \bigcup_{c \in C(d)} c$
%That is to say the complement of all other regions is subtracted from the plane.
%- Or in another way- that smallest area defined by the curves that enclose it
%% \hat is used to indicate CONCRETE
{
\definition{
A minimal region of concrete PLD diagram d is a connected component of
$$ \mathbb{R}^{2} - \; \bigcup_{\hat{c} \in \hat{C}(\hat{d})}\hat{c}$$
% I.e. The contours break the connectivity
}
}
{
\definition
{
Let d be a PLD and $ \mathcal{X} \subseteq \hat{C}(\hat{d})$ a set of countours.
If the set
$$ \hat{z} = \bigcap_{c \in \mathcal{X}}
{interior}
(\hat{c})
\; \cup \;
\bigcap_{\hat{c} \in \hat{C}-X}
exterior (\hat{c})
$$
is non empty, then $\hat{z}$ is a concrete zone of $\hat{d}$. A zone is a union of minimal regions. The set of all concrete zones of $\hat{d}$
is denoted $ \hat{\mathcal{Z}} $.
% NOT interested in labelling the zones.
% but am interested in
%The set of labels associated with the contours in $\mathcal{X}$ is the zone label set $\hat{\mathcal{Z}}(\hat{z})$
%of $\hat{z}$.
%$$ \hat{\mathcal{L}}(\hat{z}) = \bigcup_{\hat{c} \in \mathcal{X}} \mathcal{F}_{d}(\hat{c}) $$
%
% So Z is the set of all available for use ZONES; great !
}
}
Each minimal region in the plane may be inhabited by one or more `test points'.
% One or more because in software the same logical conditions mean existing in the same
% region. For electroincs or mechanical, one test point per region is
% mandatory. How to describe ?????
Each test point can be associated with the set of contours that enclose it.
%defined the minimal region it inhabits.
{
\definition{ $ \mathcal{Z}_{d}:T(d)\rightarrow \mathcal{C}$ is a function
associating a testpoint with a set of contours in the plane. This corresponds to the interior of the contours defining the zone.
}
}
Pairs of test points may be joined by joining lines.
The operator $\stackrel{join}{\leftrightarrow}$ is used to
show that two points are joined by a line in the concrete diagram.
{
\definition{
$ \mathcal{F}_{j}$ is a function
associating a joining line with a pair of test points. The Join t1,t2 is defined as
%$$ \mathcal{F}_{d}:J(d)\rightarrow \{t1,t2\ | t1 \in T(d) \wedge t2 \in T(d) \wedge t1 \neq t2 %\wedge t1 \stackrel{join}{\leftrightarrow} t2\} $$
$$ \mathcal{F}_{d}:J(d)\rightarrow \{t1,t2\ | t1 \in T(d) \wedge t2 \in T(d) \wedge t1 \neq t2 \} $$
}
}
In English:
Test points on the concrete diagram pair-wise connected by a `joining line'
A collection of test points connected by joining lines, is an Fuctionally Merged Group, $FMG$
or `test point disjunction'.
An $FMG$ has members which are test points.
{may be merged
and create a
\definition{
%A spider is a set of test points where,
%a test point is a member of a spider where it can trace a path connected by joining lines
%to another member of the spider. A singleton test point can be considered a spider.
Let d be a PLD : An $FMG$ is a maximal set of test points in d where
the test points belong to a sequence connected by joining lines such that:
$$ t_i \stackrel{join}{\leftrightarrow} t_n, for \; i = 1, ..., n $$
OR consider an $FMG$ as a tree whose nodes are test points.
}
}
A singleton test point can be considered a sequence of one test point and is therefore also an $FMG$.
% \subsection{Abstract Description of PLD}
%
% An Abstract PLD {\em Propositional logic diagram} consists of contours $C$ defining zones $Z$, test points $T$ (which
% are defined by the zone they inhabit) and pair wise connections $W$, which connect test points.
% Collections of test points, linked by shared conecting lines, form a set of test point groups $G$.
%
% A Zone defined by the contours that enclose it in the concrete diagram.
%
% $$ Z \subseteq C $$
%
% A test point $t \in T$ in habits a zone on the diagram.
%
% $$ \eta(t) = Z $$
%
% A joining line $$ w \in W $$ joins test points.
%
% $$ w = t1 \stackrel{join}{\rightarrow} t2 | t1 \neq t2 \wedge t1 \in T \wedge t2 \in T $$
%
% A test point group $g \in G$ is defined by test points linked by shared connecting lines.
\subsection{Semantics of PLD}
\begin{itemize}
\item A closed curve in a PLD represents a condition (logical state) being modelled.
\item A test point represents the conjunction of the conditions represented by the curves that enclose it.
\item A $FMG$ represents the disjunction of all test points that are members of it.
\end{itemize}
To obtain the set of propositions from a PLD, each $FMG$ must be processed. For each test case
in the $FMG$ a new section of the equation is disjuctively appended to it.
Let conjunctive logic equation associated with a test point
be determined from the contours that enclose it.
i.e. the contours $\mathcal{X}$ from the zone it inhabits.
{
\definition{
Let $\mathcal{F}_{t}$ be a function mapping a test point to a proposition / logical equation $p \in P$.
The test point inhabits the zone $\mathcal{Z}$ which is a collection of contours (the contours that enclose the test point.
$$ \mathcal{F}:T \rightarrow P $$
%$$ \mathcal{F}(t): p = \bigwedge_{c \in \mathcal{Z}} \Lambda c $$
$$ \mathcal{F}(t): p = \bigwedge_{c \in \mathcal{Z}} c $$
}
}
In English:
Thus a `test point' enclosed by contours labelled $a,b,c$ would be represented by the logic equation
$ a \wedge b \wedge c $.
{
\definition{
Let $\mathcal{G}_{fmg}$ be a function that returns a logic equation for a given $FMG$
$fmg$ in the diagram, where an FMG is a non empty set of test points
% $t$ is a `test point'
$$ \mathcal{G}:FMG \rightarrow P_{fmg} $$
The logic equation representing an FMG $p_{fmg}$ can be determined thus.
$$\mathcal{G}_{fmg}(fmg) = \bigvee_{t \in fmg} (\; \mathcal{F}_{t} (t) \;) $$
}
}
The abstract PLD diagram is a set of logic equations representing all FMGs,
along with unused zones (i.e. zones that are not inhabited by FMGs).
{
\definition{
\label{FMGderivation}
A diagram can be reduced to a collection of $FMG$s.
A new diagram can be derived from this, replacing a contour for each FMG.
This diagram is at one higher level of abstraction then the diagram that
it was produced from.
}
}
\section{Example Diagrams}
\subsection {How to read a PLD diagram}
PLD diagrams are read by first looking at the test case points.
The test case asterisk will be enclosed by one or more contours.
These contours are collected and form the logical conjunction
equation for the test case.
These test case points thus represent the conjunctive aspects
of an equation defined in a PLD. Where these test cases are joined by lines;
these represent disjunction of the conjunctive aspects defined by the test cases.
Joining lines thus represent dis-junction in a PLD.
%Where negation and assertion of a logical condition is required in the same diagram, a separate contour can be created, which is
%..assigned the same name as its positive counter part, but preceded by a negation `$\neg$' sign.
%Obviously were a drawing to show conjunction of a contour and its complement
%this would result in a contradiction for any test case placed on it, and would be a visual `syntax error'.
%Note that negation is handled explicitly. This is to allow `don't care'
%conditions. Should a test case be outside a contour, that contour is a `don't care' condition.
%In a PLD, contours may be represented in complement, to provide
%logical negation. Here the contour name is begun with the negation symbol `$\neg$'.
%%To represent conjunction of logical conditions (Boolean `AND'), contours may be overlapped.
%Providing explicit negation, in addition to disjunction and conjunction
%allows us to represent `don't care' or `tri-state' logical conditions. Simply by
%not using the conditions we are not interested in they are `don't care'.
%
%\section{Example Logic Diagrams}
\subsection{ Logical AND example }
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 279 247]{ldand.jpg}
% ldand.jpg: 279x247 pixel, 72dpi, 9.84x8.71 cm, bb=0 0 279 247
\label{fig:ld_and}
\end{figure}
% \begin{figure}[h+]
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{ldand.jpg}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
%
% %\includegraphics[scale=0.6]{ldand.eps}
% \caption{Logical AND}
% \label{fig:ld_and}
% \end{figure}
In the diagram \ref{fig:ld_and} the area of intersection between the contours $a$ and $b$
represents the conjunction of those conditions. The point $P$ represents the logic equation
$$ P = (a \wedge b) $$
There are no disjunctive joining lines and so this diagram represents one equation only, $ P = (a \wedge b) $.
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, this could be considered to be a sub-system with two failure states $a$ and $b$.
The proposition $P$ considers the scenario where both failure~modes are active.
\clearpage
\subsection { Logical OR example }
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 476 264]{ldor.jpg}
% ldor.jpg: 476x264 pixel, 72dpi, 16.79x9.31 cm, bb=0 0 476 264
\label{fig:ld_or}
\end{figure}
% \begin{figure}[h+]
% %\centering
% %\input{ldor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{ldor.jpg}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.60]{ldor.eps}
% \caption{Logical OR}
% \label{fig:ld_or}
% \end{figure} % OR
The diagram \ref{fig:ld_or} is converted to Boolean logic by first looking at the test cases, and
the contours they are placed on.
$$ P = (a) $$
$$ Q = (b) $$
The two test cases are joined by a the line named $R$.
we thus apply disjunction to the test cases.
$$ R = P \vee Q $$
substituting the test cases for their Boolean logic equations gives
$$ R = ((a) \vee (b)) $$.
\clearpage
\subsection {Labels and useage}
In diagram \ref{fig:ld_meq} Z and W were labeled but were not necessary for the final expression
of $ R = b \vee c $. The intended use of these diagrams, is that resultant logical conditions be used in a later stage of reasoning.
Test cases joined by disjunction, all become represented in one, resultant equation.
Therefore only test cases not linked by any disjunctive joining lines need be named.
The diagram \ref{fig:ld_meq} can therefore be represented as in diagram \ref{fig:ld_meq2}, with
two unnamed test cases.
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 572 297,scale=0.7,keepaspectratio=true]{ldmeq2.jpg}
% ldmeq2.jpg: 572x297 pixel, 72dpi, 20.18x10.48 cm, bb=0 0 572 297
\label{fig:ld_meq2}
\end{figure}
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0pt 0pt 600pt 600pt]{ldmeq2.jpg}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.4]{ldmeq2.eps}
% \caption{Several Logical Expressions with unamed test cases}
% \label{fig:ld_meq2}
% \end{figure}
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, this could be considered to be a sub-system with two failure states $a$ and $b$.
The proposition $P$ considers the scenario where either failure~mode is active.
Additionally it says that either failure mode $a$ or $b$ being active
will have a resultant effect $R$ on the sub-system. Note that the effect
of $a$ and $b$ both being active is not defined on this diagram.
\clearpage
\subsection { Repeated Contour example }
Repeated contours are allowed in PLD diagrams.
Logical contradictions or tautologies can be detected automatically by
a software tool which assists in drawing these diagrams.
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 485 206]{repeated.jpg}
% repeated.jpg: 539x229 pixel, 80dpi, 17.11x7.27 cm, bb=0 0 485 206
\label{fig:repeat}
\end{figure}
% \begin{figure}[h]
% \centering
% \includegraphics[bb=0 0 486 206]{./repeated.jpg}
% % repeated.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 486 206
% \label{fig:repeated}
% \end{figure}
The diagram \ref{fig:repeat} is converted to Boolean logic by first looking at the test cases, and
the contours they are placed on.
$$ P = (b) $$
$$ Q = (a) \wedge (c) $$
The two test cases are joined by a the line named $R1$.
we thus apply disjunction to the test cases.
$$ R1 = P \vee Q $$
$$ R1 = b \vee ( a \wedge c ) $$.
$R2$ joins two other test cases
$$R2 = a \vee c $$
The test~case residing in the intersection of countours $B$ and $A$
represents the logic equation $R3 = a \wedge b$.
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, $R2$ is the symptom of either failure~mode $A$ or $C$
occurring. $R1$ is the symptom of $B$ or $A \wedge C$ occurring.
There is an additional symptom, that of the test case in $A \wedge B$.
\clearpage
\subsection { Inhibit Failure }
Very often a failure mode can only occurr
given a searate environmental condition.
In Fault Tree Analysis (FTA) this is represented by an inhibit gate.
\begin{figure}[h]
\centering
\includegraphics[bb=0 0 364 227]{inhibit.jpg}
% inhibit.jpg: 404x252 pixel, 80dpi, 12.83x8.00 cm, bb=0 0 364 227
\label{fig:inhibit}
\end{figure}
%
% \begin{figure}[h]
% \centering
% \includegraphics[bb=0 0 364 228]{./inhibit.jpg}
% % inhibit.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 364 228
% \label{fig:inhibit}
% \end{figure}
The diagram \ref{fig:inhibit} has a test case in the contour $C$.
Contour $C$ is enclosed by contour $A$. This says
that for failure~mode $C$ to occur failure mode $A$
must have occurred.
A well known example of this is the space shuttle `O' ring failure that
caused the 1986 challenger disaster \cite{wdycwopt}.
For the failure mode to occurr the ambiant temperature had to
be below a critical value.
If we take the failure mode of the `O' ring to be $C$
and the temperature below critical to be $A$, we can see that
the low temperature failure~mode $C$ can only occurr if $A$ is true.
The `O' ring could fail in a different way independant of the critical temperature and this is
represented, for the sake of this example, by contour $D$.
In terms of propositional logic, the inhibit gate of FTA, and the countour enclosure
of PLD represent {\em implication}.
\\
% \tiny
\vspace{0.3cm}
\begin{tabular}{||c|c|c|c||} \hline \hline
{\em $c$ } & {\em $a$ } & {\em $R1$ } \\ \hline
F & F & T \\ \hline
F & T & T \\ \hline
T & F & F \\ \hline
T & T & T \\ \hline \hline
\end{tabular}
\vspace{0.3cm}
% \normalsize
$$ R1 = c \implies a $$
$$ R2 = a $$
$$ R3 = d $$
\paragraph{How this would be interpreted in failure analysis}
In failure analysis, $R2$ is the symptom of either failure~mode $A$ or $C$
occurring. $R1$ is the symptom of $B$ or $A \wedge C$ occurring.
Note that although R2 is a symptom of the sub-system, on its own
it will not lead to a dangerous failure~mode of the subsystem.
% \subsection { Representing Logical Negation }
%
% \begin{figure}[h+]
% %\centering
% %\input{ldor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{ldneg.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.60]{ldneg.eps}
% \caption{Logical Negation}
% \label{fig:ld_neg}
% \end{figure} % OR
%
% Diagram \ref{fig:ld_neg} represents the logical equation $$ P = a \wedge b \wedge \neg c $$.
%
% \paragraph{How this would be interpreted in failure analysis}
% In failure analysis this test case represents the scenario where failure modes $a$ and $b$
% are active but $c$ is not.
%
%
%
% \clearpage
% \subsection { Logical XOR example }
%
% An exclusive or condition is represented by diagram \ref{fig:ld_xor}.
% The Equations represented are as follows.
%
% firstly looking at the test case points
% $$ P = (\neg a \wedge b) $$
% $$ Q = (\neg b \wedge a) $$
%
% now joining them with the disjuctive line
% $$ R = P \vee Q $$
%
% Giving R as a Boolean equation
% $$ R = (\neg a \wedge b) \vee (\neg b \wedge a) $$
% or taking the symbol $\oplus$ to mean exclusive-or
% $$R = a \oplus b $$
%
%
% % \begin{figure}[h] %% SOMETHING IS WRONG says latex. very helpful tell me what it fucking is then
% % \centering
% % \caption{Example `XOR' Diagram}
% % \includegraphics[scale=0.80]{ldxor.eps}
% % \label{fig:ld_xor}
% % \end{figure} % XOR
%
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% % bb= llx lly urx ury;
% \includegraphics[width=200pt,bb=0pt 0pt 800pt 800pt]{ldxor.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
%
% %\includegraphics[scale=0.4]{ldxor.eps}
% \caption{Logical XOR}
% \label{fig:ld_xor}
% \end{figure}
%
% \clearpage
% \subsection { Logical IMPLICATION example }
%
%
% An implication $a \rightarrow b$ is represented by diagram \ref{fig:ld_imp}.
% The Equations represented are as follows.
%
% Looking at the conjuctive environment of the test cases
% $$P = (\neg a)$$
% $$Q = (b)$$
% From the joining `disjunctive' line R in the diagram.
% $$R = P \vee Q$$
% Leading to
% $$R = (\neg a) \vee (b)$$
% which is the standard logic equation for implication.
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0 0 450 404]{ldimp.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.4]{ldimp.eps}
% \caption{Logical Implication}
% \label{fig:ld_imp}
% \end{figure}
%
% \tiny
% %\vspace{0.3cm}
% \begin{tabular}{||c|c|c|c||} \hline \hline
%
% {\em $a$ } & {\em $b$ } & {implication \em $(\neg a) \vee (b) $ } \\ \hline
% F & F & T \\ \hline
% F & T & T \\ \hline
% T & F & F \\ \hline
% T & T & T \\ \hline \hline
% \end{tabular}
% %\vspace{0.3cm}
% \normalsize
%
% \clearpage
% \subsection { Diagram representing several Logic Equations Example }
%
%
% bb=0 0 450 404
%
%
% \begin{figure}[h+]
% %\centering
% %\input{millivolt_sensor.tex}
% \begin{center}
% \includegraphics[width=200pt,bb=0pt 0pt 600pt 600pt]{ldmeq.eps}
% % resistor_pld.eps: 0x0 pixel, 300dpi, 0.00x0.00 cm, bb=0 0 450 404
% \end{center}
% %\includegraphics[scale=0.4]{ldmeq.eps}
% \caption{Several Logical Expressions}
% \label{fig:ld_meq}
% \end{figure}
%
% %The effect of using explicit negation, means that a test case being outside a given contour does not imply negation, it implies a `don't care'
% %condition.
%
% Three simple equations are represented in the diagram \ref{fig:ld_dc}.
%
% %The Set of contours $\mho$ represent the `don't care' conditions.
%
% The Equations represented are as follows.
%
% %$$ Q = a \; | \; \mho\{b,c\} $$
%
% %$$ P = b \wedge c \; | \; \mho\{a\} $$
%
% $$ Q = a $$
% $$ P = b \wedge c $$
% $$ R = b \vee c $$
%
% % XXXXXX gives annoying impossible to understand syntax messages
% %\small
% %\bibliography{vmgbibliography,mybib}
% %\bibliography{vmgbibliography}
% %\normalsize
%
\section{Intended use in FMMD}
The intention for these diagrams is that they are used to collect
component faults and combinations thereof, into faults that,
at the module level have the same symptoms.
\subsection{Example Sub-system}
For instance were a `power supply' being analysed there could be several
individual component faults or combinations that lead to
a situation where there is no power. This can be described as a state
of the powersupply being modeelled as NO\_POWER.
These can all be collected by DISJUCNTION, i.e. that this this or this
fault occuring will cause the NO\_POWER fault. Visually this disjuction is
indicated by the joining lines.
As far as the user of the `power supply' is concerned, the power supply has failed
with the failure mode $NO\_POWER$.
The `power supply' module, after this process will have a defined set of
fault modes and may be considered as a component at a higher
level of abstraction. This module can then be combined
with others at the same abstraction level.
Note that because this is a fault collection process
the number of component faults for a module
must be less than or equal to the sum of the number of component faults.
%Typeset in \ \ {\huge \LaTeX} \ \ on \ \ \today
\begin{verbatim}
CVS Revision Identity $Id: logic_diagram.tex,v 1.17 2010/01/06 13:41:32 robin Exp $
\end{verbatim}
Compiled last \today
%\end{document}
%\theend

32
logic_diagram/paper.aux
View File

@ -1,32 +0,0 @@
\relax
\citation{FMEA}
\citation{takeup}
\citation{FMEA}
\citation{SIL}
\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{1}}
\@writefile{toc}{\contentsline {section}{\numberline {2}Formal Description of PLD}{1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Concrete PLD Definition}{2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2} PLD Definition}{2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}Semantics of PLD}{3}}
\newlabel{FMGderivation}{{9}{3}}
\@writefile{toc}{\contentsline {section}{\numberline {3}Example Diagrams}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}How to read a PLD diagram}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2} Logical AND example }{4}}
\newlabel{fig:ld_and}{{3.2}{4}}
\@writefile{toc}{\contentsline {paragraph}{How this would be interpreted in failure analysis}{4}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3} Logical OR example }{5}}
\newlabel{fig:ld_or}{{3.3}{5}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Labels and useage}{6}}
\newlabel{fig:ld_meq2}{{3.4}{6}}
\@writefile{toc}{\contentsline {paragraph}{How this would be interpreted in failure analysis}{6}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.5} Repeated Contour example }{7}}
\newlabel{fig:repeat}{{3.5}{7}}
\@writefile{toc}{\contentsline {paragraph}{How this would be interpreted in failure analysis}{7}}
\citation{wdycwopt}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.6} Inhibit Failure }{8}}
\newlabel{fig:inhibit}{{3.6}{8}}
\@writefile{toc}{\contentsline {paragraph}{How this would be interpreted in failure analysis}{8}}
\bibstyle{plain}
\bibdata{vmgbibliography,mybib}
\@writefile{toc}{\contentsline {section}{\numberline {4}Intended use in FMMD}{9}}
\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Example Sub-system}{9}}

541
logic_diagram/paper.log
View File

@ -1,541 +0,0 @@
This is pdfTeXk, Version 3.141592-1.40.3 (Web2C 7.5.6) (format=pdflatex 2009.7.3) 9 JAN 2010 08:58
entering extended mode
%&-line parsing enabled.
**paper.tex
(./paper.tex
LaTeX2e <2005/12/01>
Babel <v3.8h> and hyphenation patterns for english, usenglishmax, dumylang, noh
yphenation, ukrainian, russian, bulgarian, loaded.
(/usr/share/texmf-texlive/tex/latex/base/article.cls
Document Class: article 2005/09/16 v1.4f Standard LaTeX document class
(/usr/share/texmf-texlive/tex/latex/base/size10.clo
File: size10.clo 2005/09/16 v1.4f Standard LaTeX file (size option)
)
\c@part=\count79
\c@section=\count80
\c@subsection=\count81
\c@subsubsection=\count82
\c@paragraph=\count83
\c@subparagraph=\count84
\c@figure=\count85
\c@table=\count86
\abovecaptionskip=\skip41
\belowcaptionskip=\skip42
\bibindent=\dimen102
)
(/usr/share/texmf-texlive/tex/latex/graphics/graphicx.sty
Package: graphicx 1999/02/16 v1.0f Enhanced LaTeX Graphics (DPC,SPQR)
(/usr/share/texmf-texlive/tex/latex/graphics/keyval.sty
Package: keyval 1999/03/16 v1.13 key=value parser (DPC)
\KV@toks@=\toks14
)
(/usr/share/texmf-texlive/tex/latex/graphics/graphics.sty
Package: graphics 2006/02/20 v1.0o Standard LaTeX Graphics (DPC,SPQR)
(/usr/share/texmf-texlive/tex/latex/graphics/trig.sty
Package: trig 1999/03/16 v1.09 sin cos tan (DPC)
)
(/etc/texmf/tex/latex/config/graphics.cfg
File: graphics.cfg 2007/01/18 v1.5 graphics configuration of teTeX/TeXLive
)
Package graphics Info: Driver file: pdftex.def on input line 90.
(/usr/share/texmf-texlive/tex/latex/pdftex-def/pdftex.def
File: pdftex.def 2007/01/08 v0.04d Graphics/color for pdfTeX
\Gread@gobject=\count87
))
\Gin@req@height=\dimen103
\Gin@req@width=\dimen104
)
(/usr/share/texmf-texlive/tex/latex/fancyhdr/fancyhdr.sty
\fancy@headwidth=\skip43
\f@ncyO@elh=\skip44
\f@ncyO@erh=\skip45
\f@ncyO@olh=\skip46
\f@ncyO@orh=\skip47
\f@ncyO@elf=\skip48
\f@ncyO@erf=\skip49
\f@ncyO@olf=\skip50
\f@ncyO@orf=\skip51
)
(/usr/share/texmf/tex/latex/pgf/frontendlayer/tikz.sty
(/usr/share/texmf/tex/latex/pgf/basiclayer/pgf.sty
(/usr/share/texmf/tex/latex/pgf/utilities/pgfrcs.sty
(/usr/share/texmf/tex/generic/pgf/utilities/pgfutil-common.tex
\pgfutil@everybye=\toks15
)
(/usr/share/texmf/tex/generic/pgf/utilities/pgfutil-latex.def)
(/usr/share/texmf/tex/generic/pgf/utilities/pgfrcs.code.tex
Package: pgfrcs 2008/02/20 v2.00 (rcs-revision 1.21)
))
Package: pgf 2008/01/15 v2.00 (rcs-revision 1.12)
(/usr/share/texmf/tex/latex/pgf/basiclayer/pgfcore.sty
(/usr/share/texmf/tex/latex/pgf/systemlayer/pgfsys.sty
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsys.code.tex
Package: pgfsys 2008/02/07 v2.00 (rcs-revision 1.31)
(/usr/share/texmf/tex/generic/pgf/utilities/pgfkeys.code.tex
\pgfkeys@pathtoks=\toks16
\pgfkeys@temptoks=\toks17
)
\pgf@x=\dimen105
\pgf@y=\dimen106
\pgf@xa=\dimen107
\pgf@ya=\dimen108
\pgf@xb=\dimen109
\pgf@yb=\dimen110
\pgf@xc=\dimen111
\pgf@yc=\dimen112
\c@pgf@counta=\count88
\c@pgf@countb=\count89
\c@pgf@countc=\count90
\c@pgf@countd=\count91
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgf.cfg
File: pgf.cfg 2008/01/13 (rcs-revision 1.6)
)
Package pgfsys Info: Driver file for pgf: pgfsys-pdftex.def on input line 885.
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsys-pdftex.def
File: pgfsys-pdftex.def 2007/12/20 (rcs-revision 1.20)
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsys-common-pdf.def
File: pgfsys-common-pdf.def 2007/12/17 (rcs-revision 1.8)
)))
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsyssoftpath.code.tex
File: pgfsyssoftpath.code.tex 2008/01/23 (rcs-revision 1.6)
\pgfsyssoftpath@smallbuffer@items=\count92
\pgfsyssoftpath@bigbuffer@items=\count93
)
(/usr/share/texmf/tex/generic/pgf/systemlayer/pgfsysprotocol.code.tex
File: pgfsysprotocol.code.tex 2006/10/16 (rcs-revision 1.4)
))
(/usr/share/texmf/tex/latex/xcolor/xcolor.sty
Package: xcolor 2007/01/21 v2.11 LaTeX color extensions (UK)
(/etc/texmf/tex/latex/config/color.cfg
File: color.cfg 2007/01/18 v1.5 color configuration of teTeX/TeXLive
)
Package xcolor Info: Driver file: pdftex.def on input line 225.
Package xcolor Info: Model `cmy' substituted by `cmy0' on input line 1337.
Package xcolor Info: Model `hsb' substituted by `rgb' on input line 1341.
Package xcolor Info: Model `RGB' extended on input line 1353.
Package xcolor Info: Model `HTML' substituted by `rgb' on input line 1355.
Package xcolor Info: Model `Hsb' substituted by `hsb' on input line 1356.
Package xcolor Info: Model `tHsb' substituted by `hsb' on input line 1357.
Package xcolor Info: Model `HSB' substituted by `hsb' on input line 1358.
Package xcolor Info: Model `Gray' substituted by `gray' on input line 1359.
Package xcolor Info: Model `wave' substituted by `hsb' on input line 1360.
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcore.code.tex
Package: pgfcore 2008/01/15 v2.00 (rcs-revision 1.6)
(/usr/share/texmf/tex/generic/pgf/math/pgfmath.code.tex
(/usr/share/texmf/tex/generic/pgf/math/pgfmathcalc.code.tex
(/usr/share/texmf/tex/generic/pgf/math/pgfmathutil.code.tex
\pgfmath@box=\box26
)
(/usr/share/texmf/tex/generic/pgf/math/pgfmathparser.code.tex
\pgfmath@stack=\toks18
\c@pgfmath@parsecounta=\count94
\c@pgfmath@parsecountb=\count95
\c@pgfmath@parsecountc=\count96
\pgfmath@parsex=\dimen113
)
(/usr/share/texmf/tex/generic/pgf/math/pgfmathoperations.code.tex
(/usr/share/texmf/tex/generic/pgf/math/pgfmathtrig.code.tex)
(/usr/share/texmf/tex/generic/pgf/math/pgfmathrnd.code.tex))
(/usr/share/texmf/tex/generic/pgf/math/pgfmathbase.code.tex)))
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepoints.code.tex
File: pgfcorepoints.code.tex 2008/02/03 (rcs-revision 1.13)
\pgf@picminx=\dimen114
\pgf@picmaxx=\dimen115
\pgf@picminy=\dimen116
\pgf@picmaxy=\dimen117
\pgf@pathminx=\dimen118
\pgf@pathmaxx=\dimen119
\pgf@pathminy=\dimen120
\pgf@pathmaxy=\dimen121
\pgf@xx=\dimen122
\pgf@xy=\dimen123
\pgf@yx=\dimen124
\pgf@yy=\dimen125
\pgf@zx=\dimen126
\pgf@zy=\dimen127
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepathconstruct.code.tex
File: pgfcorepathconstruct.code.tex 2008/02/13 (rcs-revision 1.14)
\pgf@path@lastx=\dimen128
\pgf@path@lasty=\dimen129
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepathusage.code.tex
File: pgfcorepathusage.code.tex 2008/01/23 (rcs-revision 1.11)
\pgf@shorten@end@additional=\dimen130
\pgf@shorten@start@additional=\dimen131
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorescopes.code.tex
File: pgfcorescopes.code.tex 2008/01/15 (rcs-revision 1.26)
\pgfpic=\box27
\pgf@hbox=\box28
\pgf@layerbox@main=\box29
\pgf@picture@serial@count=\count97
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoregraphicstate.code.tex
File: pgfcoregraphicstate.code.tex 2007/12/12 (rcs-revision 1.8)
\pgflinewidth=\dimen132
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoretransformations.code.tex
File: pgfcoretransformations.code.tex 2008/02/04 (rcs-revision 1.10)
\pgf@pt@x=\dimen133
\pgf@pt@y=\dimen134
\pgf@pt@temp=\dimen135
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorequick.code.tex
File: pgfcorequick.code.tex 2006/10/11 (rcs-revision 1.2)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoreobjects.code.tex
File: pgfcoreobjects.code.tex 2006/10/11 (rcs-revision 1.2)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepathprocessing.code.tex
File: pgfcorepathprocessing.code.tex 2008/01/23 (rcs-revision 1.7)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorearrows.code.tex
File: pgfcorearrows.code.tex 2007/06/07 (rcs-revision 1.8)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoreshade.code.tex
File: pgfcoreshade.code.tex 2007/12/10 (rcs-revision 1.9)
\pgf@max=\dimen136
\pgf@sys@shading@range@num=\count98
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoreimage.code.tex
File: pgfcoreimage.code.tex 2008/01/15 (rcs-revision 1.1)
\pgfexternal@startupbox=\box30
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorelayers.code.tex
File: pgfcorelayers.code.tex 2008/01/15 (rcs-revision 1.1)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcoretransparency.code.tex
File: pgfcoretransparency.code.tex 2008/01/17 (rcs-revision 1.2)
)
(/usr/share/texmf/tex/generic/pgf/basiclayer/pgfcorepatterns.code.tex
File: pgfcorepatterns.code.tex 2008/01/15 (rcs-revision 1.1)
)))
(/usr/share/texmf/tex/generic/pgf/modules/pgfmoduleshapes.code.tex
File: pgfmoduleshapes.code.tex 2008/02/13 (rcs-revision 1.4)
\pgfnodeparttextbox=\box31
\toks@savedmacro=\toks19
)
(/usr/share/texmf/tex/generic/pgf/modules/pgfmoduleplot.code.tex
File: pgfmoduleplot.code.tex 2008/01/15 (rcs-revision 1.1)
\pgf@plotwrite=\write3
)
(/usr/share/texmf/tex/latex/pgf/compatibility/pgfcomp-version-0-65.sty
Package: pgfcomp-version-0-65 2007/07/03 v2.00 (rcs-revision 1.7)
\pgf@nodesepstart=\dimen137
\pgf@nodesepend=\dimen138
)
(/usr/share/texmf/tex/latex/pgf/compatibility/pgfcomp-version-1-18.sty
Package: pgfcomp-version-1-18 2007/07/23 v2.00 (rcs-revision 1.1)
))
(/usr/share/texmf/tex/latex/pgf/utilities/pgffor.sty
(/usr/share/texmf/tex/generic/pgf/utilities/pgffor.code.tex
Package: pgffor 2007/11/07 v2.00 (rcs-revision 1.8)
\pgffor@iter=\dimen139
\pgffor@skip=\dimen140
))
(/usr/share/texmf/tex/generic/pgf/frontendlayer/tikz/tikz.code.tex
Package: tikz 2008/02/13 v2.00 (rcs-revision 1.27)
(/usr/share/texmf/tex/generic/pgf/libraries/pgflibraryplothandlers.code.tex
File: pgflibraryplothandlers.code.tex 2007/03/09 v2.00 (rcs-revision 1.9)
\pgf@plot@mark@count=\count99
\pgfplotmarksize=\dimen141
)
\tikz@lastx=\dimen142
\tikz@lasty=\dimen143
\tikz@lastxsaved=\dimen144
\tikz@lastysaved=\dimen145
\tikzleveldistance=\dimen146
\tikzsiblingdistance=\dimen147
\tikz@figbox=\box32
\tikz@tempbox=\box33
\tikztreelevel=\count100
\tikznumberofchildren=\count101
\tikznumberofcurrentchild=\count102
\tikz@fig@count=\count103
(/usr/share/texmf/tex/generic/pgf/modules/pgfmodulematrix.code.tex
File: pgfmodulematrix.code.tex 2008/01/15 (rcs-revision 1.1)
\pgfmatrixcurrentrow=\count104
\pgfmatrixcurrentcolumn=\count105
\pgf@matrix@numberofcolumns=\count106
)
\tikz@expandcount=\count107
(/usr/share/texmf/tex/generic/pgf/frontendlayer/tikz/libraries/tikzlibrarytopat
hs.code.tex
File: tikzlibrarytopaths.code.tex 2008/01/09 v2.00 (rcs-revision 1.1)
))) (/usr/share/texmf-texlive/tex/latex/amsfonts/amsfonts.sty
Package: amsfonts 2001/10/25 v2.2f
\@emptytoks=\toks20
\symAMSa=\mathgroup4
\symAMSb=\mathgroup5
LaTeX Font Info: Overwriting math alphabet `\mathfrak' in version `bold'
(Font) U/euf/m/n --> U/euf/b/n on input line 132.
)
(/usr/share/texmf-texlive/tex/latex/amsmath/amsmath.sty
Package: amsmath 2000/07/18 v2.13 AMS math features
\@mathmargin=\skip52
For additional information on amsmath, use the `?' option.
(/usr/share/texmf-texlive/tex/latex/amsmath/amstext.sty
Package: amstext 2000/06/29 v2.01
(/usr/share/texmf-texlive/tex/latex/amsmath/amsgen.sty
File: amsgen.sty 1999/11/30 v2.0
\@emptytoks=\toks21
\ex@=\dimen148
))
(/usr/share/texmf-texlive/tex/latex/amsmath/amsbsy.sty
Package: amsbsy 1999/11/29 v1.2d
\pmbraise@=\dimen149
)
(/usr/share/texmf-texlive/tex/latex/amsmath/amsopn.sty
Package: amsopn 1999/12/14 v2.01 operator names
)
\inf@bad=\count108
LaTeX Info: Redefining \frac on input line 211.
\uproot@=\count109
\leftroot@=\count110
LaTeX Info: Redefining \overline on input line 307.
\classnum@=\count111
\DOTSCASE@=\count112
LaTeX Info: Redefining \ldots on input line 379.
LaTeX Info: Redefining \dots on input line 382.
LaTeX Info: Redefining \cdots on input line 467.
\Mathstrutbox@=\box34
\strutbox@=\box35
\big@size=\dimen150
LaTeX Font Info: Redeclaring font encoding OML on input line 567.
LaTeX Font Info: Redeclaring font encoding OMS on input line 568.
\macc@depth=\count113
\c@MaxMatrixCols=\count114
\dotsspace@=\muskip10
\c@parentequation=\count115
\dspbrk@lvl=\count116
\tag@help=\toks22
\row@=\count117
\column@=\count118
\maxfields@=\count119
\andhelp@=\toks23
\eqnshift@=\dimen151
\alignsep@=\dimen152
\tagshift@=\dimen153
\tagwidth@=\dimen154
\totwidth@=\dimen155
\lineht@=\dimen156
\@envbody=\toks24
\multlinegap=\skip53
\multlinetaggap=\skip54
\mathdisplay@stack=\toks25
LaTeX Info: Redefining \[ on input line 2666.
LaTeX Info: Redefining \] on input line 2667.
)
(/usr/share/texmf-texlive/tex/latex/amscls/amsthm.sty
Package: amsthm 2004/08/06 v2.20
\thm@style=\toks26
\thm@bodyfont=\toks27
\thm@headfont=\toks28
\thm@notefont=\toks29
\thm@headpunct=\toks30
\thm@preskip=\skip55
\thm@postskip=\skip56
\thm@headsep=\skip57
\dth@everypar=\toks31
) (./style.tex
LaTeX Font Info: Redeclaring symbol font `AMSb' on input line 34.
LaTeX Font Info: Overwriting symbol font `AMSb' in version `normal'
(Font) U/msb/m/n --> U/msb/m/n on input line 34.
LaTeX Font Info: Overwriting symbol font `AMSb' in version `bold'
(Font) U/msb/m/n --> U/msb/m/n on input line 34.
\c@examplec=\count120
\c@definitionc=\count121
\c@summaryc=\count122
\c@example=\count123
\c@definition=\count124
)
(./paper.aux)
\openout1 = `paper.aux'.
LaTeX Font Info: Checking defaults for OML/cmm/m/it on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for T1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OT1/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMS/cmsy/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for OMX/cmex/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
LaTeX Font Info: Checking defaults for U/cmr/m/n on input line 11.
LaTeX Font Info: ... okay on input line 11.
(/usr/share/texmf/tex/context/base/supp-pdf.tex
[Loading MPS to PDF converter (version 2006.09.02).]
\scratchcounter=\count125
\scratchdimen=\dimen157
\scratchbox=\box36
\nofMPsegments=\count126
\nofMParguments=\count127
\everyMPshowfont=\toks32
\MPscratchCnt=\count128
\MPscratchDim=\dimen158
\MPnumerator=\count129
\everyMPtoPDFconversion=\toks33
)
LaTeX Font Info: Try loading font information for U+msa on input line 20.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsa.fd
File: umsa.fd 2002/01/19 v2.2g AMS font definitions
)
LaTeX Font Info: Try loading font information for U+msb on input line 20.
(/usr/share/texmf-texlive/tex/latex/amsfonts/umsb.fd
File: umsb.fd 2002/01/19 v2.2g AMS font definitions
)
(./logic_diagram_paper.tex
LaTeX Warning: Citation `FMEA' on page 1 undefined on input line 17.
LaTeX Warning: Citation `takeup' on page 1 undefined on input line 19.
LaTeX Warning: Citation `FMEA' on page 1 undefined on input line 48.
LaTeX Warning: Citation `SIL' on page 1 undefined on input line 48.
[1
{/var/lib/texmf/fonts/map/pdftex/updmap/pdftex.map}] [2]
LaTeX Font Info: Try loading font information for OMS+cmr on input line 282.
(/usr/share/texmf-texlive/tex/latex/base/omscmr.fd
File: omscmr.fd 1999/05/25 v2.5h Standard LaTeX font definitions
)
LaTeX Font Info: Font shape `OMS/cmr/m/n' in size <10> not available
(Font) Font shape `OMS/cmsy/m/n' tried instead on input line 282.
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 379.
<ldand.jpg, id=27, 280.04625pt x 247.92625pt>
File: ldand.jpg Graphic file (type jpg)
<use ldand.jpg> [3] [4 <./ldand.jpg>]
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 409.
<ldor.jpg, id=34, 477.785pt x 264.99pt>
File: ldor.jpg Graphic file (type jpg)
<use ldor.jpg>
Overfull \hbox (22.54091pt too wide) in paragraph at lines 409--412
[][]
[]
LaTeX Warning: Reference `fig:ld_or' on page 5 undefined on input line 427.
[5
<./ldor.jpg>]
LaTeX Warning: Reference `fig:ld_meq' on page 6 undefined on input line 443.
LaTeX Warning: Reference `fig:ld_meq' on page 6 undefined on input line 448.
LaTeX Warning: Reference `fig:ld_meq2' on page 6 undefined on input line 448.
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 453.
<ldmeq2.jpg, id=38, 574.145pt x 298.11375pt>
File: ldmeq2.jpg Graphic file (type jpg)
<use ldmeq2.jpg> [6
<./ldmeq2.jpg>]
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 495.
<repeated.jpg, id=42, 486.91913pt x 206.87288pt>
File: repeated.jpg Graphic file (type jpg)
<use repeated.jpg>
Overfull \hbox (31.57466pt too wide) in paragraph at lines 495--498
[][]
[]
LaTeX Warning: Reference `fig:repeat' on page 7 undefined on input line 509.
[7
<./repeated.jpg>]
Package pdftex.def Warning: Option `bb' does not make sense,
(pdftex.def) using `viewport' instead on input line 544.
<inhibit.jpg, id=47, 364.9635pt x 227.6505pt>
File: inhibit.jpg Graphic file (type jpg)
<use inhibit.jpg>
LaTeX Warning: Reference `fig:inhibit' on page 8 undefined on input line 556.
LaTeX Warning: Citation `wdycwopt' on page 8 undefined on input line 561.
[8
<./inhibit.jpg>])
No file paper.bbl.
[9] (./paper.aux)
LaTeX Warning: There were undefined references.
LaTeX Warning: Label(s) may have changed. Rerun to get cross-references right.
)
Here is how much of TeX's memory you used:
8211 strings out of 94834
138420 string characters out of 1179182
186929 words of memory out of 1500000
11211 multiletter control sequences out of 10000+50000
12986 words of font info for 50 fonts, out of 1200000 for 2000
212 hyphenation exceptions out of 8191
47i,11n,49p,350b,269s stack positions out of 5000i,500n,6000p,200000b,5000s
</usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmbx10.pfb></usr/share/texmf
-texlive/fonts/type1/bluesky/cm/cmbx12.pfb></usr/share/texmf-texlive/fonts/type
1/bluesky/cm/cmbx9.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmex10.
pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmmi10.pfb></usr/share/tex
mf-texlive/fonts/type1/bluesky/cm/cmmi7.pfb></usr/share/texmf-texlive/fonts/typ
e1/bluesky/cm/cmr10.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmr12.
pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmr17.pfb></usr/share/texm
f-texlive/fonts/type1/bluesky/cm/cmr7.pfb></usr/share/texmf-texlive/fonts/type1
/bluesky/cm/cmr9.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmsl10.pf
b></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmsy10.pfb></usr/share/texmf
-texlive/fonts/type1/bluesky/cm/cmsy7.pfb></usr/share/texmf-texlive/fonts/type1
/bluesky/cm/cmti10.pfb></usr/share/texmf-texlive/fonts/type1/bluesky/cm/cmtt10.
pfb></usr/share/texmf-texlive/fonts/type1/bluesky/ams/msbm10.pfb>
Output written on paper.pdf (9 pages, 211917 bytes).
PDF statistics:
108 PDF objects out of 1000 (max. 8388607)
0 named destinations out of 1000 (max. 131072)
38 words of extra memory for PDF output out of 10000 (max. 10000000)

7705
pt100/pt100.log
View File

File diff suppressed because it is too large Load Diff

312
pt100/pt100.tex.backup
View File

@ -1,312 +0,0 @@
%
% Make the revision and doc number macro's then they are defined in one place
\begin{abstract}
The PT100, or platinum wire \ohms{100} sensor is
a wisely used industrial temperature sensor that is
are slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This chapter looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double simultaneous faults (cardinality constrained powerset of 2).
The analysis is performed using Propositional Logic
diagrasms to aid in the reasoning process, which takes
the failure modes of the components, and produces a
failure mode model for the circuit as a whole.
Thus after the analysis the PT100 temperature sensing circuit, may be veiwed
from an FMEA persepective as a component itsself, with a set of know failure modes.
\end{abstract}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./pt100/pt100.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 four wire circuit}
\label{fig:pt100}
\end{figure}
\section{Overview of PT100 four wire circuit}
The PT100 four wire circuit consists of teo resistors supplying
a current to a third, the thermistor or PT100. By measuring volatges
from sections of this circuit forming potential dividers, we can determine the
current resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./pt100/vrange.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 expected voltage range}
\label{fig:pt100vrange}
\end{figure}
The voltage ranges we expect from from this three stage potential divider
are shown in figure \ref{fig:pt100vrange}. Note that there is
an expected range for each reading for a given temperature span.
\subsection{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons the four wire circiut is used
because of resistance in the cables. Resitance from the supply
causes a slight voltage
drop in the supply to the PT100. As no significant current
is carried by the two `sense' lines the resistance back to the ADC
causes only a negligible voltage drop. The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the PT100, we can calculate its
resistance by ohms law $V=I.R$, $R=\frac{I}{V}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published PT100 tables\cite{eurothermtables}.
\section{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the PT100 four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distict ways.
Studies have been published which list common component types
and their sets of failure modes, often with MTTF statistics \cite{mil1991}.
Thus for each component, an analysis is made for each of it failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\subsection{Single Fault FMEA Analysis of PT100 Four wire circuit}
\label{fmea}
Looking at this circuit, it simply consists of three resistors.
Resistors according to the DOD Electronic component fault handbook
1991, fail by either going OPEN or SHORT circuit \cite{mil1991}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of his analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_p$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground.
\begin{table}[ht]
\caption{PT100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low & Low & Both values out of range \\ \hline
\hline
$R_p$ SHORT & Low & High & Both values out of range \\ \hline
$R_p$ OPEN & High & Low & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low & Value Out of Range Value \\
$R_2$ OPEN & High & High & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
will cause a common symptom, that of one or more of the values being out of range.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{pt100range}
and \ref{pt100temp}. So by defining an acceptable measurement/temperature range, and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
\subsection{Single Fault Modes as PLD}
% Place in PLD diagram
\subsection{Range and PT100 Calculations}
\label{pt100temp}
PT100 resistors are designed to
have a resistance of ohms{100} at 0 \oc \cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {-100\oc} to {300\oc}.
According to the Eurotherm PT100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{60.28}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
PT100 FMEA analysis in section \ref{fmea}.
As the PT100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$
\begin{table}[ht]
\caption{PT100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{PT100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
{-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
& & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Mid Range \\
& & 2002\adctw & 2094\adctw & \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
\subsection{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six cases and each will be examined in turn.
\subsubsection{ Voltages $R_1$ SHORT }
With pt100 at -100\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+68\Omega} = 4.85V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ Voltages $R_p$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\subsubsection{ Voltages $R_p$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsubsection{ Voltages $R_2$ SHORT }
With pt100 at -100\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{68\Omega}{2k2+68\Omega} = 0.15V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscibed range.
%\vbox{
%\subsubsection{Calculating Bounds: High Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 + 2200 2200 + p + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\vbox{
%\subsubsection{Calculating Bounds: LOW Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 2200 p 2200 + + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\subsection{Implementation of Four Wire Circuit}
%
%A standard 4 wire PT100\cite[pp 992]{aoe} circuit is read by
%ports on the 12 bit ADC of the PIC18F2523\cite{pic18f2523}.
%Three readings are taken. A reading to confirm the voltage level
%over $R_2$ is taken,
%from which the current can be determined.
%The two sense lines then give the voltage over the PT100 thermistor.
%As we know the current flowing through it we can determine the
%resistance.
%
%After verification (PT100 voltages/readings in range etc) the temperature
%value is determined by interpolation via the PT100 tables \cite{eurothermtables}.
%First order low pass filtering is then applied to smooth the value.
%\section{Water Level Readings - \ft Inputs}
%\label{wl}
%After h/w revision 0.4, water level sensor \ft connections are wired to the TDS daughterboard,
%but are passed to the main unit via a multiplexer, and connect to the
%14 pin harwin (to PIN 13 of JP1 \cite{pcbAI222562}).
%
%The safety critical \ft water~level readings are thus handled in the \wlc.
%
\subsection{Single Fault FMEA Analysis of PT100 Four wire circuit}
typeset in {\Huge \LaTeX} \today

325
pt100/pt100.tex~
View File

@ -1,325 +0,0 @@
%
% Make the revision and doc number macro's then they are defined in one place
\begin{abstract}
The PT100, or platinum wire \ohms{100} sensor is
a wisely used industrial temperature sensor that is
are slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This chapter looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double simultaneous faults (cardinality constrained powerset of 2).
The analysis is performed using Propositional Logic
diagrasms to aid in the reasoning process, which takes
the failure modes of the components, and produces a
failure mode model for the circuit as a whole.
Thus after the analysis the PT100 temperature sensing circuit, may be veiwed
from an FMEA persepective as a component itsself, with a set of know failure modes.
\end{abstract}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./pt100/pt100.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 four wire circuit}
\label{fig:pt100}
\end{figure}
\section{Overview of PT100 four wire circuit}
The PT100 four wire circuit consists of teo resistors supplying
a current to a third, the thermistor or PT100. By measuring volatges
from sections of this circuit forming potential dividers, we can determine the
current resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./pt100/vrange.jpg}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 expected voltage ranges}
\label{fig:pt100vrange}
\end{figure}
The voltage ranges we expect from from this three stage potential divider
are shown in figure \ref{fig:pt100vrange}. Note that there is
an expected range for each reading for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be reffered to as {\em sense-}
and the higher as {\em sense+}.
\subsection{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons the four wire circiut is used
because of resistance in the cables. Resitance from the supply
causes a slight voltage
drop in the supply to the PT100. As no significant current
is carried by the two `sense' lines the resistance back to the ADC
causes only a negligible voltage drop. The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the PT100, we can calculate its
resistance by ohms law $V=I.R$, $R=\frac{I}{V}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published PT100 tables\cite{eurothermtables}.
\section{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the PT100 four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distict ways.
Studies have been published which list common component types
and their sets of failure modes, often with MTTF statistics \cite{mil1991}.
Thus for each component, an analysis is made for each of it failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\subsection{Single Fault FMEA Analysis of PT100 Four wire circuit}
\label{fmea}
Looking at this circuit, it simply consists of three resistors.
Resistors according to the DOD Electronic component fault handbook
1991, fail by either going OPEN or SHORT circuit \cite{mil1991}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of his analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_p$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault.
Should the reading be above its expected range this is a `High Fault'
and if below a `Low Fault'.
The Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and predicts an error condition in the readings.
The range 0\oc to 300\oc will be analysed using potential divider equations to
to the out of range voltage limits in section \ref{ptbounds}.
\begin{table}[ht]
\caption{PT100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_p$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_p$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
will cause a common symptom, that of one or more of the values being out of range.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{pt100range}
and \ref{pt100temp}. So by defining an acceptable measurement/temperature range, and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
\subsection{Single Fault Modes as PLD}
% Place in PLD diagram
\subsection{Range and PT100 Calculations}
\label{pt100temp}
PT100 resistors are designed to
have a resistance of ohms{100} at 0 \oc \cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {-100\oc} to {300\oc}.
According to the Eurotherm PT100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{60.28}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
PT100 FMEA analysis in section \ref{fmea}.
As the PT100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$
\begin{table}[ht]
\caption{PT100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{PT100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
{-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
& & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Mid Range \\
& & 2002\adctw & 2094\adctw & \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
\subsection{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six cases and each will be examined in turn.
\subsubsection{ Voltages $R_1$ SHORT }
With pt100 at -100\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+68\Omega} = 4.85V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ Voltages $R_p$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\subsubsection{ Voltages $R_p$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsubsection{ Voltages $R_2$ SHORT }
With pt100 at -100\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{68\Omega}{2k2+68\Omega} = 0.15V$$
With pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readingare outside the
proscribed range in table \ref{ptbounds}.
\subsubsection{ Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscibed range.
%\vbox{
%\subsubsection{Calculating Bounds: High Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 + 2200 2200 + p + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\vbox{
%\subsubsection{Calculating Bounds: LOW Value : HP48 RPL}
%
%
%HP RPL calculator program to take pt100 resistance
%and convert to voltage and {\adctw} values.
%
%\begin{verbatim}
%<< -> p
% <<
% p 2200 2200 p 2200 + + / 5 * DUP 5
% / 4096 *
% >>
%>>
%\end{verbatim}
%}
%
%\subsection{Implementation of Four Wire Circuit}
%
%A standard 4 wire PT100\cite[pp 992]{aoe} circuit is read by
%ports on the 12 bit ADC of the PIC18F2523\cite{pic18f2523}.
%Three readings are taken. A reading to confirm the voltage level
%over $R_2$ is taken,
%from which the current can be determined.
%The two sense lines then give the voltage over the PT100 thermistor.
%As we know the current flowing through it we can determine the
%resistance.
%
%After verification (PT100 voltages/readings in range etc) the temperature
%value is determined by interpolation via the PT100 tables \cite{eurothermtables}.
%First order low pass filtering is then applied to smooth the value.
%\section{Water Level Readings - \ft Inputs}
%\label{wl}
%After h/w revision 0.4, water level sensor \ft connections are wired to the TDS daughterboard,
%but are passed to the main unit via a multiplexer, and connect to the
%14 pin harwin (to PIN 13 of JP1 \cite{pcbAI222562}).
%
%The safety critical \ft water~level readings are thus handled in the \wlc.
%
\subsection{Single Fault FMEA Analysis of PT100 Four wire circuit}
typeset in {\Huge \LaTeX} \today

2
survey/papaer.tex
View File

@ -1,2 +0,0 @@
:e paper.tex

53
survey/paper.aux
View File

@ -1,53 +0,0 @@
\relax
\citation{aoe}
\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces PT100 four wire circuit}}{1}}
\newlabel{fig:pt100}{{1}{1}}
\@writefile{toc}{\contentsline {section}{\numberline {1}Overview of PT100 four wire circuit}{1}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.1}Accuracy despite variable \\ resistance in cables}{1}}
\citation{eurothermtables}
\citation{mil1991}
\citation{mil1991}
\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces PT100 expected voltage ranges}}{2}}
\newlabel{fig:pt100vrange}{{2}{2}}
\@writefile{toc}{\contentsline {subsection}{\numberline {1.2}Calculating Temperature from \\ the sense line voltages}{2}}
\@writefile{toc}{\contentsline {section}{\numberline {2}Safety case for 4 wire circuit}{2}}
\citation{aoe}
\citation{eurothermtables}
\citation{eurothermtables}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Single Fault FMEA Analysis \\ of PT100 Four wire circuit}{3}}
\newlabel{fmea}{{2.1}{3}}
\@writefile{lot}{\contentsline {table}{\numberline {1}{\ignorespaces PT100 FMEA Single Faults}}{3}}
\newlabel{ptfmea}{{1}{3}}
\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Range and PT100 Calculations}{3}}
\newlabel{pt100temp}{{2.2}{3}}
\@writefile{lot}{\contentsline {table}{\numberline {2}{\ignorespaces PT100 Maximum and Minimum Values}}{4}}
\newlabel{ptbounds}{{2}{4}}
\@writefile{toc}{\contentsline {section}{\numberline {3}Single Fault FMEA Analysis \\ of PT100 Four wire circuit}{4}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Single Fault Modes as PLD}{4}}
\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces PT100 Component Failure Modes}}{4}}
\newlabel{fig:pt100_tc}{{3}{4}}
\@writefile{lof}{\contentsline {figure}{\numberline {4}{\ignorespaces Voltage Divider}}{5}}
\newlabel{fig:vd}{{4}{5}}
\newlabel{eqn:vd}{{1}{5}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Proof of Out of Range \\ Values for Failures}{5}}
\newlabel{pt110range}{{3.2}{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.1} TC1 : Voltages $R_1$ SHORT }{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.2} TC2 : Voltages $R_1$ OPEN }{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.3} TC 3 : Voltages $R_2$ SHORT }{5}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.4} TC : 4 Voltages $R_2$ OPEN }{6}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.5} TC 5 : Voltages $R_3$ SHORT }{6}}
\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.2.6} TC 6 : Voltages $R_3$ OPEN }{6}}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Summary of Analysis}{6}}
\@writefile{lof}{\contentsline {figure}{\numberline {5}{\ignorespaces PT100 Component Failure Modes}}{7}}
\newlabel{fig:pt100_tc_sp}{{5}{7}}
\@writefile{lof}{\contentsline {figure}{\numberline {6}{\ignorespaces PT100 Circuit Failure Modes : From Single Faults Analysis}}{7}}
\newlabel{fig:pt100_singlef}{{6}{7}}
\citation{mil1991}
\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Mean Time to Failure}{8}}
\@writefile{lot}{\contentsline {table}{\numberline {3}{\ignorespaces PT100 FMEA Single // Fault Statistics}}{8}}
\newlabel{tab:stat_single}{{3}{8}}
\@writefile{lof}{\contentsline {figure}{\numberline {7}{\ignorespaces Probablistic Fault Tree : PT100 Single Faults}}{8}}
\newlabel{fig:stat_single}{{7}{8}}
\bibstyle{plain}
\bibdata{vmgbibliography,mybib}
\@writefile{toc}{\contentsline {section}{\numberline {4} PT100 Double Simultaneous \\ Fault Analysis}{10}}

BIN
survey/paper.pdf
View File

Binary file not shown.

2
survey/survey.tex
View File

@ -24,7 +24,7 @@ ISBN 0-527-76320-9.
EN298 no two individual component failures may give rise to a dangerous condition. EN298 no two individual component failures may give rise to a dangerous condition.
\section{FMEAD Failure effect Mode Dangerous} \section{FMEDA Failure effect Mode Diagnositic Analysis}
This is a probablistic based methodology. This is a probablistic based methodology.

BIN
thesis.pdf
View File

Binary file not shown.

2
thesis.tex
View File

@ -51,7 +51,7 @@
\input{introduction/introduction} \input{introduction/introduction}
\chapter{An overview of European and North Americans Standards} \chapter{An overview of European and North Americans Standards}
%\input{standards/standards} \input{standards/standards}
\chapter{Statistical Methods and Models} \chapter{Statistical Methods and Models}
%\input{statistics/statistics} %\input{statistics/statistics}