diff --git a/submission_thesis/CH1_introduction/copy.tex b/submission_thesis/CH1_introduction/copy.tex index 7f8a393..a3eb29f 100644 --- a/submission_thesis/CH1_introduction/copy.tex +++ b/submission_thesis/CH1_introduction/copy.tex @@ -102,7 +102,7 @@ In chapter~\ref{sec:chap4}, a new methodology is proposed which addresses the st and using contract programmed software, allows the modelling of integrated software/electrical systems. % -This is followed by two chapters showing examples of the new modular FMEA analysis technique (Failure Mode Modular De-Composition FMMD) +This is followed by two chapters showing examples of the new modular FMEA analysis technique (Failure Mode Modular De-Composition, FMMD) firstly looking at a variety of common electronic circuits and then at electronic/software hybrid systems. } @@ -136,7 +136,7 @@ industrial burners---the design team was faced with a new and daunting requireme Conformance to the latest European standard, EN298~\cite{en298}. % It appeared to ask for the impossible: -not only did it require the usual safety measures (self-checking of ROM and RAM, watchdog processors with separate clock sources, EMC and the +not only did it require the usual safety measures (self-checking of ROM and RAM, watchdog processors with separate clock sources, EMC testing and the triple fail safe control of valves), it had one new clause in it that had far reaching consequences. % It stated that in the event of a failure, where the controller had gone into a `lockout~state'--- a state where the controller 
@@ -168,8 +168,8 @@ analysis of identical circuitry was performed many times. \subsection{Modularising/De-Composing FMEA: Initial concepts.} % and augmenting this with concepts from Euler/Spider Diagrams.} % In the field of digital signal processing there is an algorithm that revolutionised -access to frequency analysis of digital samples called the Fast Fourier transform (FFT)~\cite{fftoriginal}. -This took the discrete Fourier transform (DFT), and applied de-composition to its +access to frequency analysis of digital samples called the Fast Fourier Transform (FFT)~\cite{fftoriginal}. +This took the Discrete Fourier Transform (DFT), and applied de-composition to its mesh of (often repeated) complex number calculations~\cite{fpodsadsp}[Ch.8]. % By doing this it broke the computing order of complexity down from having a polynomial %n exponential diff --git a/submission_thesis/CH2_FMEA/copy.tex b/submission_thesis/CH2_FMEA/copy.tex index e39c7ea..cdce081 100644 --- a/submission_thesis/CH2_FMEA/copy.tex +++ b/submission_thesis/CH2_FMEA/copy.tex @@ -98,7 +98,7 @@ These are termed `{\bcs}'; they are considered ``atomic'' i.e. they are not brok % The first requirement for a {\bc} is to define the ways in which it can fail, this relationship %between a {\bc} and its failure modes, -is shown in figure~\ref{fig:component_fm_rel}. +is shown, using UML, in figure~\ref{fig:component_fm_rel}. \fmmdglossBC %DIAGRAM of Base components and failure modes @@ -106,7 +106,7 @@ is shown in figure~\ref{fig:component_fm_rel}. \centering \includegraphics[width=300pt]{./CH2_FMEA/component_fm_rel.png} % component_fm_rel.png: 368x71 pixel, 72dpi, 12.98x2.50 cm, bb=0 0 368 71 - \caption{Base Component to Failure Modes relationship} + \caption{Base Component to Failure Modes relationship UML diagram} \label{fig:component_fm_rel} \end{figure} 
@@ -306,7 +306,7 @@ as listed below: % Note, that the main cause of resistor value drift is overloading. % of components. -This is borne out in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure +This is borne out in the FMD-91~\cite{fmd91} entry for a resistor network where the failure modes do not include drift. % If it is ensured that resistors will not be exposed to overload conditions, the @@ -392,7 +392,7 @@ has an entry specific to operational amplifiers (FMD-91). EN298 does not specifically define the {\fms} of op-amps but instead has a procedure for determining the {\fms} of -components types not specifically listed in it. +components types not specifically listed. %in it. % Operational amplifiers are typically packaged in dual or quad configurations---meaning that a chip will typically contain two or four amplifiers. @@ -479,7 +479,7 @@ are examined and from this its {\fms} are determined. % that we got from FMD-91, listed in equation~\ref{eqn:opampfms}, except for % $LOW\_SLEW$. % -Collating the op-amp failure modes from table ~\ref{tbl:lm358} the same {\fms} +Collating the op-amp failure modes from table ~\ref{tbl:lm358}, the same {\fms} from FMD-91 are obtained---listed in equation~\ref{eqn:opampfms}---except for $LOW\_SLEW$. \fmmdglossOPAMP @@ -621,10 +621,7 @@ it and choosing the resistor R1 in the OP-AMP gain circuitry: % \includegraphics[width=175pt]{./mvamp.png} % % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 % \end{figure} - - - - \paragraph{FMEA Example: Milli-volt reader} +%\paragraph{FMEA Example: Milli-volt reader} % \begin{figure} % \centering % \includegraphics[width=80pt]{./mvamp.png} 
@@ -733,7 +730,7 @@ the circuit behaviour is measured in finer granularity, until a faulty component or module~\cite{garrett} is identified. % With this style of fault finding, because it is based on experiment, -hopping from module to module eliminating working ones, until +hopping from module to module eliminating working ones, until a failure is found~\cite{maikowski}, is efficient in terms of concentrating effort. % @@ -747,7 +744,7 @@ FMEA is a theoretical discipline. %AF does not like this! It would be very unusual to build a circuit and then simulate component failure modes. % -This would be time consuming as it would involve building a circuit for each component {\fm} in +This would be time consuming as it would involve altering/building a circuit for each component {\fm} in the system\footnote{Building circuit simulations and simulating component failure modes would be a very time consuming process and might only be performed as a final-stage of accident investigation, where the cause is required to be proven.}. @@ -803,7 +800,7 @@ at mapping potential single component failures to system level faults/events. The concept of the unacceptability of a single component failure causing a system failure % catastrophe, is an important and easily understood measurement of safety. % -They are easy to calculate +Statistics for single failures are easy to calculate because Mean Time to Failure (MTTF) statistics~\cite{fmd91,mil1991} for commonly used components can be found. % Also, used in the design phase of a project, FMEA is a useful tool 
@@ -1389,7 +1386,7 @@ are actually met for given SIL levels is currently almost impossible~\cite{silsa \item \textbf{Safe or Dangerous.} Failure modes are classified SAFE or DANGEROUS. \item \textbf{Detectable failure modes.} Failure modes are given the attribute DETECTABLE or UNDETECTABLE. \item \textbf{Four attributes for FMEDA Failure Modes.} All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU) - \item \textbf{Four statistical properties of a system.} the statistics for the four classifications of system failures are summed: \\ + \item \textbf{Four statistical properties of a system.} The statistics for the four classifications of system failures are summed: \\ $ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$. \\ \end{itemize} @@ -1461,7 +1458,7 @@ by statistically determining how frequently it can fail dangerously. % \label{sec:asil} % -The EN61508 variant for automotive use, as defined in standard ISO~26262, is known as the Automotive SIL (ASIL)~\cite{Kafka20122}. +The EN61508 variant for automotive use, as defined in standard ISO~26262, is known as Automotive SIL (ASIL)~\cite{Kafka20122}. % Safety instrumented functions (SIFs) for vehicles are assigned ASIL ratings. % @@ -1490,7 +1487,7 @@ have independent failure causes and implement redundancy. % for the SIF. % This is in effect a top down de-composition of safety requirements. % -This is rather like the demand for multiple engines on an aircraft +This is rather like the demand for multiple engines on aircraft that must make a long journeys over the sea to statistically limit the likelihood of one failure cause --- i.e. one engine failure --- causing a serious incident. % 
@@ -1526,7 +1523,7 @@ This could be considered as a design check method, deliberately looking for weaknesses at a theoretical level. % Because design FMEA meetings can have the format of a meeting and discussion -it can have the following drawbacks: +they can have the following drawbacks: %\subsection{DESIGN FMEA: Safety Critical Approvals FMEA} % % \begin{figure}[h] @@ -1540,7 +1537,7 @@ it can have the following drawbacks: \begin{itemize} \item Impossible to look at all component failures let alone apply FMEA exhaustively/rigorously, \item In practice, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented, - \item Often meeting notes or minutes only: unusual for detailed technical arguments to be documented. + \item Often meeting notes or minutes only: it is unusual for detailed technical arguments to be documented. \end{itemize} % % @@ -1558,7 +1555,8 @@ it can have the following drawbacks: \end{figure} % Returning to the FMEA model, the data relationships shown in -figure~\ref{fig:component_fm_rel_ana} hold for the five variants of FMEA discussed. +figure~\ref{fig:component_fm_rel_ana} hold for the %five +variants of FMEA discussed. % This could be extended, if it is considered that the system level symptoms have subjective interpretations. 
@@ -1573,8 +1571,10 @@ These raise questions and are discussed below. For instance a given {\fm} will have its effect measured in relation to some of the components in the system. % -These components can be chosen by stipulating several criteria, -relating this to the signal path or adjacency in the electronic circuit, +% These components can be chosen by stipulating several criteria, +% relating this to the signal path or adjacency in the electronic circuit, +% potential strategies are listed below: +These components could be chosen by stipulating criteria relating to the signal path or adjacency in the electronic circuit, potential strategies are listed below: % \begin{itemize} @@ -1611,7 +1611,7 @@ However, %, as with the components that we should check against a {\fm}, %there are no guidelines for documenting the depth of description for reasoning stages in FMEA entries is in practise variable. %FMEA does not stipulat which -Ideally each FMEA entry would contain a reasoning description +Ideally each FMEA entry would contain a clear reasoning description for each {\fm}, so that the entry can be more easily reviewed or revisited/audited. % than a traditional FMEA report. % diff --git a/submission_thesis/CH3_FMEA_criticism/copy.tex b/submission_thesis/CH3_FMEA_criticism/copy.tex index 68a59a7..64c723a 100644 --- a/submission_thesis/CH3_FMEA_criticism/copy.tex +++ b/submission_thesis/CH3_FMEA_criticism/copy.tex @@ -83,7 +83,7 @@ This means that there is one analysis case per component failure mode for all th This analysis philosophy has not changed since FMEA was first used. -\subsection{FMEA does not support Traceable Reasoning} +\subsection{FMEA does not encourage Traceable Reasoning} An FMEA report normally assigns one line of a spreadsheet to each {\bc} {\fm}. % 
@@ -109,7 +109,7 @@ structures that are repeated. % The failure mode behaviour of these repeated structures will be the same. % -However with the {\bc} {\fm} to system level failure mode mapping paradigm of FMEA +However due to the {\bc} {\fm} to system level failure mode mapping paradigm of FMEA, work is likely to be repeated. \subsection{FMEA does not support modularity.} @@ -308,7 +308,7 @@ For instance, an AVO-8 multi-meter circa 1970, uses only analogue electronics an using FMEA how component failures within it could affect readings. % A modern multi-meter will have a small dedicated micro-processor and sensing electronics, all on the same chip, -with firmware to read the user controls, and display results on an LCD. +with firmware to read the user controls, and display results. % on an LCD. % For quality control, many safety critical processes require regular inspections and measurements of physical characteristics of materials and machinery. diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index 5b687e5..6011d48 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex @@ -88,7 +88,9 @@ with its own set of failure modes. % %This {\dc} has a set of failure modes: we can thus treat it as a `higher~level' component. % -Because a {\dc} has a set of failure modes we can use it in higher level {\fgs} +% Because a {\dc} has a set of failure modes we can use it in higher level {\fgs} +% which in turn produce higher level {\dcs}. +Because a {\dc} has a set of failure modes it can be used in higher level {\fgs} which in turn produce higher level {\dcs}. % These {\dcs} can be used to build further {\fgs} until a hierarchy of {\fgs} 
@@ -624,7 +626,7 @@ showing the choice of de-composition of the system into {\fgs} in figure~\ref{fi \includegraphics[width=300pt]{./CH4_FMMD/eulerfmmd.png} % eulerfmmd.png: 413x207 pixel, 72dpi, 14.57x7.30 cm, bb=0 0 413 207 \caption{FMMD analysis of the INVAMP represented as an Euler diagram, showing how -the components have been grouped into {\fgs} and then used as {\dcs} to build the analysis hierarchy.} +the components have been collected into {\fgs} and then used as {\dcs} to build the analysis hierarchy.} \label{fig:eulerfmmd} \end{figure} % @@ -707,7 +709,7 @@ as lowest level building blocks. In fact any lowest level building block with published failure modes could be considered to be a {\bc}, but this determination is the choice of the analyst, which may be influenced by the particular standard~\cite{en298}~\cite{en61508} %~\cite{en230} -to which the system is being approved/analyed. +to which the system is being approved/analysed. %a lowest level of assembly `part' or an atomic entity, which ever is the smaller %and component to mean either a part or a sub-assembly. @@ -797,7 +799,7 @@ the symptoms of failure of the {\fg} are the failure modes of this new `{\dc}'. An outline of the FMMD process is itemised below: \begin{itemize} \item Collect components to form a {\fg}, - \item Create failure cause `test~cases' for all failure modes of the components within the {\fg}, + \item Create `test~cases' for all failure modes of the components within the {\fg}, \item Analyse the effect of all the test~cases on the operation of the {\fg}, \item Determine the common failure modes of the {\fg}, \item Create and name a derived component for the {\fg}, 
@@ -808,7 +810,7 @@ An outline of the FMMD process is itemised below: \fmmdgloss \fmmdglossBC % -The FMMD process is described in using formal definitions and algorithms in section~\ref{sec:symptomabs}. +The FMMD process is described using formal definitions and algorithms in section~\ref{sec:symptomabs}. } %What components all have in common is that they can fail, and fail in a @@ -1113,7 +1115,7 @@ Thus, each possible cause for a system failure %{\fm} will have a collection of FMMD analysis reports associated with it. % These collections of analysis reports will provide a cause and effect -story for each possible scenario that could cause the system level failure. +story for each possible scenario that could lead to the system level failure. % Traceability of design processes are considered necessary for safety critical product~\cite{en61508} and is an important concept diff --git a/submission_thesis/CH5_Examples/circuit4004.png b/submission_thesis/CH5_Examples/circuit4004.png index 4dabff2..968cfb1 100644 Binary files a/submission_thesis/CH5_Examples/circuit4004.png and b/submission_thesis/CH5_Examples/circuit4004.png differ diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index 8b42096..4faefcf 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex @@ -25,7 +25,8 @@ The two approaches, i.e. effects of choice of membership for {\fgs} are then dis \fmmdglossOPAMP \item Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used to create a differencing amplifier. -Building on the two approaches from section~\ref{sec:invamp}, re-use of the non-inverting amplifier {\dc} from section~\ref{sec:invamp} +Building on the two approaches from section~\ref{sec:invamp}, re-use of the +non-inverting amplifier {\dc} from section~\ref{subsec:potdiv} % ~\ref{sec:invamp} %%%% 27SEP2013 is examined, where re-use is appropriate in the first stage and not in the second. 
@@ -439,9 +440,8 @@ electrically load the previous stage. Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers, this is a useful circuit wherever a high impedance differencing amplifier is required. % -This is a configuration that is commonly used in electronic circuits. -% -It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$. +This is a configuration that is commonly used in electronic circuits, +it would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$. % Identifying {\fgs} from the components in the circuit is the starting point for analysis. % @@ -525,8 +525,8 @@ two derived components of the type $NI\_AMP$ and $SEC\_AMP$ is created. FMMD analysis is applied to this {\fg} in table~\ref{tbl:diffampfinal}. % \begin{table}[h+] -\label{tbl:diffampfinal} \caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table +\label{tbl:diffampfinal} % always put laels after captions in tables \centering % used for centering table \begin{tabular}{||l|c|c|l|l||} \hline \hline @@ -688,10 +688,10 @@ The first order low pass filter is analysed in table~\ref{tbl:firstorderlpass}.\ \textbf{cause} & \textbf{Low Pass Filter} & \\ \hline - FS1: R10 SHORT & $No Filtering$ & $LPallpass$ \\ \hline + FS1: R10 SHORT & $No Filtering$ & $LPnofilter$ \\ \hline FS2: R10 OPEN & $No Signal$ & $LPnosignal$ \\ \hline FS3: C10 SHORT & $No Signal$ & $LPnosignal$ \\ \hline - FS4: C10 OPEN & $No Filtering$ & $LPallpass$ \\ \hline + FS4: C10 OPEN & $No Filtering$ & $LPnofilter$ \\ \hline \hline 
@@ -742,7 +742,7 @@ from the $FirstOrderLP$ and the OpAmp component. TC2: $OPAMP$ LatchDown & Output Low & LP1Low \\ TC3: $OPAMP$ No Operation & Output Low & LP1Low \\ TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & LP1filterincorrect \\ \hline - TC5: $LPallpass $ & No low pass filtering & LP1filterincorrect \\ + TC5: $LPnofilter $ & No low pass filtering & LP1filterincorrect \\ TC6: $LPnosignal $ & No input signal & LP1nosignal \\ \hline \hline @@ -803,7 +803,7 @@ results re-used for the next stage of analysis (see figure~\ref{fig:circuit2002_ TC2: $OPAMP$ LatchDown & Output Low & SKLPLow \\ TC3: $OPAMP$ No Operation & Output Low & SKLPLow \\ TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & SKLPfilterIncorrect \\ \hline - TC5: R1 OPEN & No input signal & SKLPfilterIncorrect \\ + TC5: R1 OPEN & No input signal & SKLPnosignal \\ TC6: R1 SHORT & incorrect low pass filtering & SKLPfilterIncorrect \\ \hline TC7: R2 OPEN & No input signal & SKLPnosignal \\ @@ -1008,7 +1008,7 @@ These {\fgs} are used to describe the circuit in block diagram form with arrows \end{figure} Each of these {\fgs} are analysed to create failure mode models for them, and from these -determine {\dcs}. +{\dcs} determined. \subsection{Inverting Amplifier: INVAMP} % @@ -1038,7 +1038,7 @@ The {\fg} for the phase shifter consists of a resistor and a capacitor, $G_0 = \ (FMMD analysis details in appendix~\ref{detail:PHS45}), % % -$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} . $$ +$$ fm (PHS45) = \{ nosignal, 0\_phaseshift \} . $$ % \subsection{Non Inverting Buffer: NIBUFF.} % @@ -1212,7 +1212,7 @@ To complete the analysis we now bring the derived components $PHS135BUFFERED$ an and perform FMEA with these (see appendix~\ref{detail:BUBBAOSC}), to obtain a model for the Bubba Oscillator. % $$ -fm (BUBBAOSC) = \{ HI_{osc}, NO\_signal .\} % LO_{fosc}, +fm (BUBBAOSC) = \{ HI_{osc}, NO\_signal \} . % LO_{fosc}, $$ % % 
@@ -1251,7 +1251,7 @@ increases the potential for re-use. % of pre-analysed {\dcs}. % A finer grained model---with potentially more hierarchy stages---also means that %more work, or -more reasoning stages, i.e. FMMD analysis stages with their associated analysis reports, have been used in the analysis. +more reasoning stages, i.e. FMMD analysis stages with their associated analysis reports, have been created. % by the analysis. % HTR The more we can modularise, the more we decimate the $O(N^2)$ effect % HTR of complexity comparison. % @@ -1273,7 +1273,8 @@ The lower reasoning distances, or complexity comparison figures are given in the in section~\ref{sec:bubbaCC}. % This example demonstrates that the finer grained models -benefit from lower reasoning distances for the failure mode model. +benefit from lower reasoning distances to determine +the failure mode model. \clearpage @@ -1503,9 +1504,8 @@ These are: \begin{itemize} \item SUMJINT --- A summing junction and integrator, \item HISB --- A high impedance buffer, - \item DIGITALBUFF --- A one bit digital buffer, - \item DL2AL --- A digital to analog level converter, - \item DIGBUF --- A digital one bit buffer/memory. + \item DIGBUF --- A digital one bit buffer/memory, + \item DL2AL --- A digital to analog level converter. \end{itemize} % These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}. @@ -2094,9 +2094,9 @@ resistor tolerance must be considered. Assuming the load resistors are fairly typical in terms of precision; taking a worst case of 1\% either way: % -$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ +$$ 5V.\frac{2k2 \times 0.99}{2k2 \times 1.01+2k2 \times 0.99} = 2.475V $$ and -$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V \; . $$ +$$ 5V.\frac{2k2 \times 1.01}{2k2 \times 1.01+2k2 \times 0.99} = 2.525V \; . $$ % These readings both lie outside the proscribed ranges. Also the sense+ and sense- readings would have the same value. 
@@ -2187,7 +2187,7 @@ All the single failures have been analysed in the last section. %the failure modes, and then examine each one in detail with %potential divider equation proofs. % -Table \ref{tab:ptfmea2} lists all the combinations of double +Table \ref{tab:ptfmea2} lists all possible combinations of double faults as FMMD test cases. %and then hypothesises how the functional~group will react %under those conditions. diff --git a/submission_thesis/CH6_Software_Examples/software.tex b/submission_thesis/CH6_Software_Examples/software.tex index 0215feb..2884794 100644 --- a/submission_thesis/CH6_Software_Examples/software.tex +++ b/submission_thesis/CH6_Software_Examples/software.tex @@ -277,7 +277,7 @@ for the system to be operating correctly the voltage should be within the above For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used. % In 'C' a function is declared with parenthesis to -differentiate it from other type of variables (data types or pointers). +differentiate it from other types of variables (data types or pointers). % In this document this format is borrowed, hence the C~language function called `main' would be presented as \cf{main}. @@ -339,7 +339,14 @@ int read_4_20_input ( int * value ) { \end{verbatim} %} %}\clearpage - +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% HP48G program to verify scaling +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +% << -> t +% << t .88 - 4.4 .88 - / 999 * >> +% >> +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \caption{Software Function: \cf{read\_4\_20\_input}} \label{fig:code_read_4_20_input} %\label{fig:420i} 
@@ -888,7 +895,7 @@ the inputs and outputs of the associated software functions are also defined. % The Yourdon methodology thus allows the refinement and modelling of a process from a data~flow perspective -defining software functions in its final stage. +defining software functions in its final stage (see figure~\ref{fig:contextsoftware}). %, and %this in terms of software functions. % @@ -1043,8 +1050,8 @@ $$fm (micro-controller) =\{ PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLO \subsection{Temperature Controller Software Elements FMMD} Identified Software Components: \begin{itemize} - \item --- \cf{Monitor} (which calls PID algorithm and sets status LEDS), - \item --- \cf{PID} (which calls \cf{determine\_set\_point\_error} and \cf{output\_control}), + \item --- \cf{Monitor} (which calls \cf{PID},\cf{output\_control} and \cf{setLEDS}), + \item --- \cf{PID} (which calls \cf{determine\_set\_point\_error} ), \item --- \cf{determine\_set\_point\_error} (which calls \cf{convert\_ADC\_to\_T}), \item --- \cf{convert\_ADC\_to\_T} (which calls \cf{read\_ADC}), % which has been analysed as the {\dc} read\_ADC which can be re-used.} % from the last example), \item --- \cf{read\_ADC} (analysed in the previous section~\ref{sec:readadc}), @@ -1228,6 +1235,8 @@ apply the demanded power. A {\fg} with the Heating element, a PWM module and the \cf{output\_control} function is formed to model this branch of the efferent flow. % +This {\fg} is a hardware/software hybrid. +% FMMD analysis is applied to this {\fg} in table~\ref{tbl:heateroutput}. % For the \cf{output\_control} function, there is a pre-condition that the PWM module is 
@@ -1253,7 +1262,7 @@ adding a safety relay to cut the power to the heater). \centering \includegraphics[width=300pt]{./CH5_Examples/euler_heater_output.png} % euler_heater_output.png: 392x141 pixel, 72dpi, 13.83x4.97 cm, bb=0 0 392 141 - \caption{Euler diagram showing HeaterOutput with its two hardware components, PWM and HEATER, and its software component output\_control.} + \caption{Euler diagram showing HeaterOutput with its two hardware components, PWM and HEATER, and its software component \cf{output\_control}.} \label{fig:eulerheateroutput} \end{figure} % @@ -1350,7 +1359,7 @@ as an Euler diagram in figure~\ref{fig:euler_temp_controller}. \centering \includegraphics[width=400pt]{./CH5_Examples/euler_temp_controller.png} % euler_temp_controller.png: 714x251 pixel, 72dpi, 25.19x8.85 cm, bb=0 0 714 251 - \caption{Euler diagram of the temperature controller final analysis stage, showing the hybrid software/hardware {\dcs} and the function at the head of the call tree `monitor'.} + \caption{Euler diagram of the temperature controller final analysis stage, showing the hybrid software/hardware {\dcs} and the function at the head of the call tree \cf{monitor}.} \label{fig:euler_temp_controller} \end{figure} % diff --git a/submission_thesis/CH7_Evaluation/copy.tex b/submission_thesis/CH7_Evaluation/copy.tex index 51e59c5..2856916 100644 --- a/submission_thesis/CH7_Evaluation/copy.tex +++ b/submission_thesis/CH7_Evaluation/copy.tex @@ -154,7 +154,7 @@ $ | G | $. %, %\paragraph{Defining Components} $G$ is simply a sub-set of all possible components. % -The set of all components is $\mathcal{C}$; it can be can stated that is $G \subset \mathcal{C}$. +The set of all components is $\mathcal{C}$; it can be can stated that $G \subset \mathcal{C}$. % Individual components are denoted as $c$ with additional indexing where appropriate. 
@@ -228,7 +228,7 @@ An FMMD hierarchy consists of many {\fgs} which are subsets of $G$. FMMD analysis creates a hierarchy $\hh$ of {\fgs}. % where $\hh \subset \mathcal{FG}$. \fmmdgloss % -Individual {\fgs} can be defined using with an index +Individual {\fgs} can be defined using an index $i$ for identification and a superscript for the $\alpha$~level i.e. $FG^{\alpha}_{i}$ (see section~\ref{sec:alpha}). % %--- @@ -257,7 +257,7 @@ An FMMD hierarchy will have reducing numbers of {\fgs} as the hierarchy is trave In order to calculate its comparison~complexity, equation~\ref{eqn:CC} must be applied to all {\fgs} on each level. % -An FMMD hierarchy defined as a set of {\fgs}, $\hh$. +An FMMD hierarchy is defined as a set of {\fgs}, $\hh$. % We define a helper function $g$ with a domain of the level $Level$ in an FMMD hierarchy $\hh$, and a % co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), % that returns @@ -292,8 +292,8 @@ The comparison complexity function $CC$ is overloaded, to obtain the comparison \label{sec:theoreticalperfmodel} \fmmdglossRD %\pagebreak[4] -The amplifier example from chapter~\ref{sec:chap4}, which has two -stages, the potential divider and then the amplifier, is chosen as an example for comparison complexity. +The $NONINVAMP$ example from chapter~\ref{sec:chap4}, which has two +analysis stages, the potential divider and then the amplifier, is chosen as an example for comparison complexity. % The complexities are added from both these stages to determine how many reasoning paths there were to perform FMMD analysis on the 
@@ -313,7 +313,7 @@ number of reasoning paths to analyse the amplifier using FMMD. % The potential divider has a {\cc} of four and the amplifier section a {\cc} of six. % -To analyse the inverting amplifier with FMMD it required 10 reasoning stages. +To analyse the inverting amplifier with FMMD a {\cc} of 10 was required. % Using traditional FMEA employing exhaustive checking ({\XFMEA}) $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1) = 16$ was obtained. @@ -549,10 +549,10 @@ All the FMMD examples in chapters \ref{sec:chap5} and \ref{sec:chap6} showed a marked reduction in comparison complexity compared to {\XFMEA}. % worst case figures. % -To calculate {\XFMEA} comparison complexity equation~\ref{eqn:CC} is used. +To calculate {\XFMEA} the comparison complexity equation~\ref{eqn:CC} is used. % % -Complexity comparison vs. {\XFMEA} for the first three examples +Complexity comparison for FMMD vs. {\XFMEA} for the first three examples in chapter~\ref{sec:chap5} are presented in the following table~\ref{tbl:firstcc}. % %\usepackage{multirow} @@ -973,7 +973,7 @@ is no fault active in the functional~group under analysis.} and S itself. % The power-set concept is augmented here to deal with counting the number of -combinations of failures to consider, under the conditions of simultaneous failures. +combinations of failures to consider under the conditions of simultaneous failures. % In order to consider combinations for the set S where the number of elements in each subset of S is $N$ or less, a concept of the `cardinality constrained power-set' 
@@ -1018,11 +1018,8 @@ C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} . \end{equation} % To find the number of elements in a cardinality constrained subset S with up to $cc$ elements -in each combination sub-set, -sum the combinations must be added, -%subtracting $cc$ from the final result -%(repeated empty set counts) -from $1$ to $cc$ thus +in each combination sub-set, the sum of combinations must be added, +from $1$ to $cc$ thus: % % % $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$ @@ -1531,7 +1528,7 @@ in the power-supply {\fg}. %this raises another issue for FMMD. % A de-coupling capacitor going $OPEN$ might not be considered relevant to -a power-supply module (but there might be additional noise on its output rails). +a power-supply module (even though there might be additional noise on its output rails). % But in {\fg} terms, the power supply now has a new symptom, that of $INTERFERENCE$. % diff --git a/submission_thesis/appendixes/detailed_analysis.tex b/submission_thesis/appendixes/detailed_analysis.tex index b379f8d..415cc36 100644 --- a/submission_thesis/appendixes/detailed_analysis.tex +++ b/submission_thesis/appendixes/detailed_analysis.tex @@ -309,7 +309,7 @@ This section of the appendix contains FMEA tables for the {\sd}. FS5: $IC1$ $HIGH$ & & output perm. high & & HIGH \\ FS6: $IC1$ $LOW$ & & output perm. low & & LOW \\ \hline FS7: $IC1$ $NOOP$ & & no current to drive C1 & & NO\_INTEGRATION \\ - FS8: $IC1$ $LOW\_SLEW$ & & signal delay to C1 & & NO\_INTEGRATION \\ \hline + FS8: $IC1$ $LOW\_SLEW$ & & signal delay to C1 & & NO\_INTEGRATION \\ FS9: $C1$ $OPEN$ & & no capacitance & & NO\_INTEGRATION \\ FS10: $C1$ $SHORT$ & & no capacitance & & NO\_INTEGRATION \\ \hline 
@@ -497,7 +497,7 @@ $$ %\hline FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\ FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\ - FS5: $DL2AL$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\ \hline + FS5: $DL2AL$ $LOW\_SLEW$ & & slow reaction to input & & $LOW\_SLEW$ \\ \hline \hline @@ -584,7 +584,7 @@ FMMD analysis tables from chapter~\ref{sec:chap6}. - FC3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ + FC3: $RADC_{HIGH}$ & voltage value & $VOLTAGE\_HIGH$ \\ & incorrect & \\ \hline @@ -681,7 +681,7 @@ $$ The error value being discussed here is an important concept in PID control. It represents how far from the control target -the measured reading of it is. +the measured reading is. The lower the PID error value the closer to the controlled systems target/desired value. { diff --git a/submission_thesis/colophon/copy.tex b/submission_thesis/colophon/copy.tex index b849e3b..fb84f74 100644 --- a/submission_thesis/colophon/copy.tex +++ b/submission_thesis/colophon/copy.tex @@ -57,7 +57,7 @@ Further I thank her for encouraging me to apply for the PhD. %% PITY SHE DID NOT % I am deeply thankful to the directors of {\etc} not only for funding this course, but providing training and work experience in the -field of safety critical engineering, and giving me Friday +field of safety critical engineering and giving me Friday afternoons to pursue my studies. % At Energy~Technology~Control, the following people gave encouragement, and
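Review bot: In the CH1 hunk at -168, the locator in "~\cite{fpodsadsp}[Ch.8]" is placed after the citation key, so LaTeX typesets "[Ch.8]" as literal bracketed text after the reference instead of as part of it; the optional argument goes first: \cite[Ch.~8]{fpodsadsp}.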
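Review bot: In the CH2 hunk at -306, the page reference is lost rather than repaired. "~\cite{fmd91}[232]" had the same wrong argument order as above; the fix is \cite[p.~232]{fmd91}, which keeps the page that supports the claim about resistor-network failure modes not including drift.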
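Review bot: In the CH2 hunk at -392, the new line still reads "components types not specifically listed."; it should be "component types".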
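Review bot: In the CH2 hunk at -479, "from table ~\ref{tbl:lm358}," has a space before the tie, giving a space plus a non-breaking space in the output; write "table~\ref{tbl:lm358},".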
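Review bot: In the CH2 hunk at -1490, the unchanged context line after the edited one still says "that must make a long journeys over the sea"; either "a long journey" or "long journeys".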
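Review bot: In the CH2 hunk at -1526, "design FMEA meetings can have the format of a meeting and discussion" is circular; suggest "Because design FMEA is typically conducted as a meeting and discussion, it can have the following drawbacks:".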
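Review bot: In the CH2 hunk at -1573, the new sentence is a comma splice: "...adjacency in the electronic circuit, potential strategies are listed below:". Split it, e.g. "...in the electronic circuit; potential strategies are listed below:".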
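Review bot: In the CH5 hunk at -25, the reference for the non-inverting amplifier {\dc} is changed from sec:invamp to subsec:potdiv, a label named for the potential divider. Please confirm that subsection actually contains the non-inverting amplifier analysis (the CH7 hunk at -292 describes $NONINVAMP$ as two stages, potential divider then amplifier); otherwise the reader is sent to the wrong place. The preceding clause still cites sec:invamp for "the two approaches", so the two references now differ within one sentence.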
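Review bot: In the CH5 hunk at -439, joining the two sentences introduces a comma splice and leaves "therefore," stranded between commas. Suggest: "This configuration is commonly used in electronic circuits; it would therefore be desirable to represent it as a {\dc} called, say, $DiffAMP$."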
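Review bot: In the CH5 hunk at -525, moving \label after \caption is the right fix (the label otherwise picks up the wrong counter), but the new comment has a typo: "laels" should be "labels".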
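Review bot: In the CH5 hunk at -688, $LPallpass$ is renamed to $LPnofilter$ here and in the table at -742, but every other occurrence (the derived component's $fm$ set, any appendix table, and running text) must be renamed in the same commit or the $FirstOrderLP$ failure modes will be inconsistent across the thesis; a grep for LPallpass before merging would confirm. Separately, "$No Filtering$" in math mode discards the space and italicises the words; use \textit{No Filtering} or "$No\;Filtering$" as in the other tables.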
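Review bot: In the CH5 hunk at -1008, the edited clause no longer parses: "Each of these {\fgs} are analysed to create failure mode models for them, and from these {\dcs} determined." "Each" also takes "is". Suggest: "Each of these {\fgs} is analysed to create a failure mode model, from which a {\dc} is determined."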
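Review bot: In the CH5 hunk at -2094, the arithmetic is right (5 x 0.99/2.00 = 2.475, 5 x 1.01/2.00 = 2.525), but "2k2" inside math mode is typeset as 2 times italic k times 2, and "5V." uses a full stop as the multiplication sign. Write the resistance as \mathrm{2k2} (or $2.2\,k\Omega$) and use \cdot or \times after 5V, e.g. "$$ 5V \times \frac{\mathrm{2k2} \times 0.99}{\mathrm{2k2} \times 1.01 + \mathrm{2k2} \times 0.99} = 2.475V $$". The context line "These readings both lie outside the proscribed ranges" should read "prescribed": proscribed means forbidden.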
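Review bot: In the CH6 hunk at -339, the added HP48G verification program "<< -> t << t .88 - 4.4 .88 - / 999 * >> >>" gives no meaning for the constants .88, 4.4 and 999, so a reader cannot check them against \cf{read\_4\_20\_input} in the listing above. Add one comment line naming what the two endpoints and the output scale represent (e.g. the input values corresponding to 4mA and 20mA, and the full-scale count), so the comment actually serves as verification.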
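Review bot: In the CH6 hunk at -1043, two spacing slips: "\cf{PID},\cf{output\_control}" needs a space after the comma, and "\cf{determine\_set\_point\_error} )" has a stray space before the parenthesis. The hunk also changes the call graph (\cf{Monitor} now calls \cf{output\_control} directly instead of \cf{PID} doing so); any call-tree figure or text that describes the old structure needs the same change.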
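Review bot: In the CH6 hunk at -1350, the caption now uses \cf{monitor} while the component list at -1043 uses \cf{Monitor}. Since \cf marks a C identifier and C is case-sensitive, pick one spelling and use it throughout.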
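Review bot: In the CH7 hunk at -154, the edit removes the dangling "is" but leaves the doubled verb: "it can be can stated that $G \subset \mathcal{C}$." Drop the second "can".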
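Review bot: In the CH7 hunk at -313, the new line says "To analyse the inverting amplifier with FMMD a {\cc} of 10 was required", while the hunk at -292 renames the same example to $NONINVAMP$ (potential divider then amplifier). The two should agree on which amplifier is meant; the component totals (4 + 6 = 10) do not change either way.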
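Review bot: In the CH7 hunk at -549, "To calculate {\XFMEA} the comparison complexity equation~\ref{eqn:CC} is used." reads as though {\XFMEA} itself is being calculated; suggest "To calculate the {\XFMEA} comparison complexity, equation~\ref{eqn:CC} is used." In the same hunk, "Complexity comparison for FMMD vs. {\XFMEA} ... are presented" should be "is presented".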
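Review bot: In the CH7 hunk at -1018, the displayed equation that follows the edited sentence is incorrect: "$$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$" equates a sum over k with a single term in which k is still free. It should be $$ \sum_{k=1}^{cc} {\#S \choose k} = \sum_{k=1}^{cc} \frac{\#S!}{k!(\#S-k)!} $$. The rewritten lead-in "the sum of combinations must be added" is also still redundant; suggest "the number of combinations of each size from $1$ to $cc$ must be summed, thus:".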
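Review bot: In the appendix hunk at -497, the unchanged context rows pair "FS3: $DL2AL$ $LOW$" with "output perm. high" and "FS4: $DL2AL$ $HIGH$" with "output perm. low". Unless $DL2AL$ is an inverting stage, these effect descriptions look swapped; worth confirming while this table is being edited, since the new FS5 row is the only one changed.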