robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wow in just before midnight.

Browse Source
This commit is contained in:
Robin P. Clark 2013-09-27 23:58:19 +01:00
parent 7a0e13963f
commit 6b1d384029
10 changed files with 89 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
submission_thesis/CH1_introduction/copy.tex
View File

@ -102,7 +102,7 @@ In chapter~\ref{sec:chap4}, a new methodology is proposed which addresses the st
and using contract programmed software, allows the modelling of integrated and using contract programmed software, allows the modelling of integrated
software/electrical systems. software/electrical systems.
% %
This is followed by two chapters showing examples of the new modular FMEA analysis technique (Failure Mode Modular De-Composition FMMD) This is followed by two chapters showing examples of the new modular FMEA analysis technique (Failure Mode Modular De-Composition, FMMD)
firstly looking at a variety of common electronic circuits and then at electronic/software hybrid systems. firstly looking at a variety of common electronic circuits and then at electronic/software hybrid systems.
} }
@ -136,7 +136,7 @@ industrial burners---the design team was faced with a new and daunting requireme
Conformance to the latest European standard, EN298~\cite{en298}. Conformance to the latest European standard, EN298~\cite{en298}.
% %
It appeared to ask for the impossible: It appeared to ask for the impossible:
not only did it require the usual safety measures (self-checking of ROM and RAM, watchdog processors with separate clock sources, EMC and the not only did it require the usual safety measures (self-checking of ROM and RAM, watchdog processors with separate clock sources, EMC testing and the
triple fail safe control of valves), it had one new clause in it that had far reaching consequences. triple fail safe control of valves), it had one new clause in it that had far reaching consequences.
% %
It stated that in the event of a failure, where the controller had gone into a `lockout~state'--- a state where the controller It stated that in the event of a failure, where the controller had gone into a `lockout~state'--- a state where the controller
@ -168,8 +168,8 @@ analysis of identical circuitry was performed many times.
\subsection{Modularising/De-Composing FMEA: Initial concepts.} % and augmenting this with concepts from Euler/Spider Diagrams.} \subsection{Modularising/De-Composing FMEA: Initial concepts.} % and augmenting this with concepts from Euler/Spider Diagrams.}
% %
In the field of digital signal processing there is an algorithm that revolutionised In the field of digital signal processing there is an algorithm that revolutionised
access to frequency analysis of digital samples called the Fast Fourier transform (FFT)~\cite{fftoriginal}. access to frequency analysis of digital samples called the Fast Fourier Transform (FFT)~\cite{fftoriginal}.
This took the discrete Fourier transform (DFT), and applied de-composition to its This took the Discrete Fourier Transform (DFT), and applied de-composition to its
mesh of (often repeated) complex number calculations~\cite{fpodsadsp}[Ch.8]. mesh of (often repeated) complex number calculations~\cite{fpodsadsp}[Ch.8].
% %
By doing this it broke the computing order of complexity down from having a polynomial %n exponential By doing this it broke the computing order of complexity down from having a polynomial %n exponential

42
submission_thesis/CH2_FMEA/copy.tex
View File

@ -98,7 +98,7 @@ These are termed `{\bcs}'; they are considered ``atomic'' i.e. they are not brok
% %
The first requirement for a {\bc} is to define the ways in which it can fail, The first requirement for a {\bc} is to define the ways in which it can fail,
this relationship %between a {\bc} and its failure modes, this relationship %between a {\bc} and its failure modes,
is shown in figure~\ref{fig:component_fm_rel}. is shown, using UML, in figure~\ref{fig:component_fm_rel}.
\fmmdglossBC \fmmdglossBC
%DIAGRAM of Base components and failure modes %DIAGRAM of Base components and failure modes
@ -106,7 +106,7 @@ is shown in figure~\ref{fig:component_fm_rel}.
\centering \centering
\includegraphics[width=300pt]{./CH2_FMEA/component_fm_rel.png} \includegraphics[width=300pt]{./CH2_FMEA/component_fm_rel.png}
% component_fm_rel.png: 368x71 pixel, 72dpi, 12.98x2.50 cm, bb=0 0 368 71 % component_fm_rel.png: 368x71 pixel, 72dpi, 12.98x2.50 cm, bb=0 0 368 71
\caption{Base Component to Failure Modes relationship} \caption{Base Component to Failure Modes relationship UML diagram}
\label{fig:component_fm_rel} \label{fig:component_fm_rel}
\end{figure} \end{figure}
@ -306,7 +306,7 @@ as listed below:
% %
Note, that the main cause of resistor value drift is overloading. % of components. Note, that the main cause of resistor value drift is overloading. % of components.
This is borne out in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure This is borne out in the FMD-91~\cite{fmd91} entry for a resistor network where the failure
modes do not include drift. modes do not include drift.
% %
If it is ensured that resistors will not be exposed to overload conditions, the If it is ensured that resistors will not be exposed to overload conditions, the
@ -392,7 +392,7 @@ has an entry specific to operational amplifiers (FMD-91).
EN298 does not specifically define the EN298 does not specifically define the
{\fms} of op-amps but {\fms} of op-amps but
instead has a procedure for determining the {\fms} of instead has a procedure for determining the {\fms} of
components types not specifically listed in it. components types not specifically listed. %in it.
% %
Operational amplifiers are typically packaged in dual or quad configurations---meaning Operational amplifiers are typically packaged in dual or quad configurations---meaning
that a chip will typically contain two or four amplifiers. that a chip will typically contain two or four amplifiers.
@ -479,7 +479,7 @@ are examined and from this its {\fms} are determined.
% that we got from FMD-91, listed in equation~\ref{eqn:opampfms}, except for % that we got from FMD-91, listed in equation~\ref{eqn:opampfms}, except for
% $LOW\_SLEW$. % $LOW\_SLEW$.
% %
Collating the op-amp failure modes from table ~\ref{tbl:lm358} the same {\fms} Collating the op-amp failure modes from table ~\ref{tbl:lm358}, the same {\fms}
from FMD-91 are obtained---listed in equation~\ref{eqn:opampfms}---except for from FMD-91 are obtained---listed in equation~\ref{eqn:opampfms}---except for
$LOW\_SLEW$. $LOW\_SLEW$.
\fmmdglossOPAMP \fmmdglossOPAMP
@ -621,10 +621,7 @@ it and choosing the resistor R1 in the OP-AMP gain circuitry:
% \includegraphics[width=175pt]{./mvamp.png} % \includegraphics[width=175pt]{./mvamp.png}
% % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403 % % mvamp.png: 561x403 pixel, 72dpi, 19.79x14.22 cm, bb=0 0 561 403
% \end{figure} % \end{figure}
%\paragraph{FMEA Example: Milli-volt reader}
\paragraph{FMEA Example: Milli-volt reader}
% \begin{figure} % \begin{figure}
% \centering % \centering
% \includegraphics[width=80pt]{./mvamp.png} % \includegraphics[width=80pt]{./mvamp.png}
@ -733,7 +730,7 @@ the circuit behaviour is measured in finer granularity,
until a faulty component or module~\cite{garrett} is identified. until a faulty component or module~\cite{garrett} is identified.
% %
With this style of fault finding, because it is based on experiment, With this style of fault finding, because it is based on experiment,
hopping from module to module eliminating working ones, until hopping from module to module eliminating working ones, until a
failure is found~\cite{maikowski}, is efficient in terms of failure is found~\cite{maikowski}, is efficient in terms of
concentrating effort. concentrating effort.
% %
@ -747,7 +744,7 @@ FMEA is a theoretical discipline. %AF does not like this!
It would be very unusual to build a circuit and then simulate It would be very unusual to build a circuit and then simulate
component failure modes. component failure modes.
% %
This would be time consuming as it would involve building a circuit for each component {\fm} in This would be time consuming as it would involve altering/building a circuit for each component {\fm} in
the system\footnote{Building circuit simulations and simulating component failure modes the system\footnote{Building circuit simulations and simulating component failure modes
would be a very time consuming process and might only be performed as a final-stage of accident investigation, where the cause is would be a very time consuming process and might only be performed as a final-stage of accident investigation, where the cause is
required to be proven.}. required to be proven.}.
@ -803,7 +800,7 @@ at mapping potential single component failures to system level faults/events.
The concept of the unacceptability of a single component failure causing a system failure % catastrophe, The concept of the unacceptability of a single component failure causing a system failure % catastrophe,
is an important and easily understood measurement of safety. is an important and easily understood measurement of safety.
% %
They are easy to calculate Statistics for single failures are easy to calculate
because Mean Time to Failure (MTTF) statistics~\cite{fmd91,mil1991} for commonly used components can be found. because Mean Time to Failure (MTTF) statistics~\cite{fmd91,mil1991} for commonly used components can be found.
% %
Also, used in the design phase of a project, FMEA is a useful tool Also, used in the design phase of a project, FMEA is a useful tool
@ -1389,7 +1386,7 @@ are actually met for given SIL levels is currently almost impossible~\cite{silsa
\item \textbf{Safe or Dangerous.} Failure modes are classified SAFE or DANGEROUS. \item \textbf{Safe or Dangerous.} Failure modes are classified SAFE or DANGEROUS.
\item \textbf{Detectable failure modes.} Failure modes are given the attribute DETECTABLE or UNDETECTABLE. \item \textbf{Detectable failure modes.} Failure modes are given the attribute DETECTABLE or UNDETECTABLE.
\item \textbf{Four attributes for FMEDA Failure Modes.} All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU) \item \textbf{Four attributes for FMEDA Failure Modes.} All failure modes may thus be Safe Detected(SD), Safe Undetected(SU), Dangerous Detected(DD), Dangerous Undetected(DU)
\item \textbf{Four statistical properties of a system.} the statistics for the four classifications of system failures are summed: \\ \item \textbf{Four statistical properties of a system.} The statistics for the four classifications of system failures are summed: \\
$ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$. \\ $ \sum \lambda_{SD}$, $\sum \lambda_{SU}$, $\sum \lambda_{DD}$, $\sum \lambda_{DU}$. \\
\end{itemize} \end{itemize}
@ -1461,7 +1458,7 @@ by statistically determining how frequently it can fail dangerously.
% %
\label{sec:asil} \label{sec:asil}
% %
The EN61508 variant for automotive use, as defined in standard ISO~26262, is known as the Automotive SIL (ASIL)~\cite{Kafka20122}. The EN61508 variant for automotive use, as defined in standard ISO~26262, is known as Automotive SIL (ASIL)~\cite{Kafka20122}.
% %
Safety instrumented functions (SIFs) for vehicles are assigned ASIL ratings. Safety instrumented functions (SIFs) for vehicles are assigned ASIL ratings.
% %
@ -1490,7 +1487,7 @@ have independent failure causes and implement redundancy. % for the SIF.
% %
This is in effect a top down de-composition of safety requirements. This is in effect a top down de-composition of safety requirements.
% %
This is rather like the demand for multiple engines on an aircraft This is rather like the demand for multiple engines on aircraft
that must make a long journeys over the sea to statistically limit that must make a long journeys over the sea to statistically limit
the likelihood of one failure cause --- i.e. one engine failure --- causing a serious incident. the likelihood of one failure cause --- i.e. one engine failure --- causing a serious incident.
% %
@ -1526,7 +1523,7 @@ This could be considered as a design check method, deliberately
looking for weaknesses at a theoretical level. looking for weaknesses at a theoretical level.
% %
Because design FMEA meetings can have the format of a meeting and discussion Because design FMEA meetings can have the format of a meeting and discussion
it can have the following drawbacks: they can have the following drawbacks:
%\subsection{DESIGN FMEA: Safety Critical Approvals FMEA} %\subsection{DESIGN FMEA: Safety Critical Approvals FMEA}
% %
% \begin{figure}[h] % \begin{figure}[h]
@ -1540,7 +1537,7 @@ it can have the following drawbacks:
\begin{itemize} \begin{itemize}
\item Impossible to look at all component failures let alone apply FMEA exhaustively/rigorously, \item Impossible to look at all component failures let alone apply FMEA exhaustively/rigorously,
\item In practice, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented, \item In practice, failure scenarios for critical sections are contested, and either justified or extra safety measures implemented,
\item Often meeting notes or minutes only: unusual for detailed technical arguments to be documented. \item Often meeting notes or minutes only: it is unusual for detailed technical arguments to be documented.
\end{itemize} \end{itemize}
% %
% %
@ -1558,7 +1555,8 @@ it can have the following drawbacks:
\end{figure} \end{figure}
% %
Returning to the FMEA model, the data relationships shown in Returning to the FMEA model, the data relationships shown in
figure~\ref{fig:component_fm_rel_ana} hold for the five variants of FMEA discussed. figure~\ref{fig:component_fm_rel_ana} hold for the %five
variants of FMEA discussed.
% %
This could be extended, if it is considered that the system level symptoms have subjective This could be extended, if it is considered that the system level symptoms have subjective
interpretations. interpretations.
@ -1573,8 +1571,10 @@ These raise questions and are discussed below.
For instance a given {\fm} will have its effect measured in relation For instance a given {\fm} will have its effect measured in relation
to some of the components in the system. to some of the components in the system.
% %
These components can be chosen by stipulating several criteria, % These components can be chosen by stipulating several criteria,
relating this to the signal path or adjacency in the electronic circuit, % relating this to the signal path or adjacency in the electronic circuit,
% potential strategies are listed below:
These components could be chosen by stipulating criteria relating to the signal path or adjacency in the electronic circuit,
potential strategies are listed below: potential strategies are listed below:
% %
\begin{itemize} \begin{itemize}
@ -1611,7 +1611,7 @@ However, %, as with the components that we should check against a {\fm},
%there are no guidelines for documenting %there are no guidelines for documenting
the depth of description for reasoning stages in FMEA entries is in practise variable. the depth of description for reasoning stages in FMEA entries is in practise variable.
%FMEA does not stipulat which %FMEA does not stipulat which
Ideally each FMEA entry would contain a reasoning description Ideally each FMEA entry would contain a clear reasoning description
for each {\fm}, for each {\fm},
so that the entry can be more easily reviewed or revisited/audited. % than a traditional FMEA report. so that the entry can be more easily reviewed or revisited/audited. % than a traditional FMEA report.
% %

6
submission_thesis/CH3_FMEA_criticism/copy.tex
View File

@ -83,7 +83,7 @@ This means that there is one analysis case per component failure mode for all th
This analysis philosophy has not changed since FMEA was first used. This analysis philosophy has not changed since FMEA was first used.
\subsection{FMEA does not support Traceable Reasoning} \subsection{FMEA does not encourage Traceable Reasoning}
An FMEA report normally assigns one line of a spreadsheet to An FMEA report normally assigns one line of a spreadsheet to
each {\bc} {\fm}. each {\bc} {\fm}.
% %
@ -109,7 +109,7 @@ structures that are repeated.
% %
The failure mode behaviour of these repeated structures will be the same. The failure mode behaviour of these repeated structures will be the same.
% %
However with the {\bc} {\fm} to system level failure mode mapping paradigm of FMEA However due to the {\bc} {\fm} to system level failure mode mapping paradigm of FMEA,
work is likely to be repeated. work is likely to be repeated.
\subsection{FMEA does not support modularity.} \subsection{FMEA does not support modularity.}
@ -308,7 +308,7 @@ For instance, an AVO-8 multi-meter circa 1970, uses only analogue electronics an
using FMEA how component failures within it could affect readings. using FMEA how component failures within it could affect readings.
% %
A modern multi-meter will have a small dedicated micro-processor and sensing electronics, all on the same chip, A modern multi-meter will have a small dedicated micro-processor and sensing electronics, all on the same chip,
with firmware to read the user controls, and display results on an LCD. with firmware to read the user controls, and display results. % on an LCD.
% %
For quality control, many safety critical processes require regular inspections For quality control, many safety critical processes require regular inspections
and measurements of physical characteristics of materials and machinery. and measurements of physical characteristics of materials and machinery.

14
submission_thesis/CH4_FMMD/copy.tex
View File

@ -88,7 +88,9 @@ with its own set of failure modes.
% %
%This {\dc} has a set of failure modes: we can thus treat it as a `higher~level' component. %This {\dc} has a set of failure modes: we can thus treat it as a `higher~level' component.
% %
Because a {\dc} has a set of failure modes we can use it in higher level {\fgs} % Because a {\dc} has a set of failure modes we can use it in higher level {\fgs}
% which in turn produce higher level {\dcs}.
Because a {\dc} has a set of failure modes it can be used in higher level {\fgs}
which in turn produce higher level {\dcs}. which in turn produce higher level {\dcs}.
% %
These {\dcs} can be used to build further {\fgs} until a hierarchy of {\fgs} These {\dcs} can be used to build further {\fgs} until a hierarchy of {\fgs}
@ -624,7 +626,7 @@ showing the choice of de-composition of the system into {\fgs} in figure~\ref{fi
\includegraphics[width=300pt]{./CH4_FMMD/eulerfmmd.png} \includegraphics[width=300pt]{./CH4_FMMD/eulerfmmd.png}
% eulerfmmd.png: 413x207 pixel, 72dpi, 14.57x7.30 cm, bb=0 0 413 207 % eulerfmmd.png: 413x207 pixel, 72dpi, 14.57x7.30 cm, bb=0 0 413 207
\caption{FMMD analysis of the INVAMP represented as an Euler diagram, showing how \caption{FMMD analysis of the INVAMP represented as an Euler diagram, showing how
the components have been grouped into {\fgs} and then used as {\dcs} to build the analysis hierarchy.} the components have been collected into {\fgs} and then used as {\dcs} to build the analysis hierarchy.}
\label{fig:eulerfmmd} \label{fig:eulerfmmd}
\end{figure} \end{figure}
% %
@ -707,7 +709,7 @@ as lowest level building blocks.
In fact any lowest level building block with published failure modes could be considered to be a {\bc}, In fact any lowest level building block with published failure modes could be considered to be a {\bc},
but this determination is the choice of the analyst, which may be influenced by the particular but this determination is the choice of the analyst, which may be influenced by the particular
standard~\cite{en298}~\cite{en61508} %~\cite{en230} standard~\cite{en298}~\cite{en61508} %~\cite{en230}
to which the system is being approved/analyed. to which the system is being approved/analysed.
%a lowest level of assembly `part' or an atomic entity, which ever is the smaller %a lowest level of assembly `part' or an atomic entity, which ever is the smaller
%and component to mean either a part or a sub-assembly. %and component to mean either a part or a sub-assembly.
@ -797,7 +799,7 @@ the symptoms of failure of the {\fg} are the failure modes of this new `{\dc}'.
An outline of the FMMD process is itemised below: An outline of the FMMD process is itemised below:
\begin{itemize} \begin{itemize}
\item Collect components to form a {\fg}, \item Collect components to form a {\fg},
\item Create failure cause `test~cases' for all failure modes of the components within the {\fg}, \item Create `test~cases' for all failure modes of the components within the {\fg},
\item Analyse the effect of all the test~cases on the operation of the {\fg}, \item Analyse the effect of all the test~cases on the operation of the {\fg},
\item Determine the common failure modes of the {\fg}, \item Determine the common failure modes of the {\fg},
\item Create and name a derived component for the {\fg}, \item Create and name a derived component for the {\fg},
@ -808,7 +810,7 @@ An outline of the FMMD process is itemised below:
\fmmdgloss \fmmdgloss
\fmmdglossBC \fmmdglossBC
% %
The FMMD process is described in using formal definitions and algorithms in section~\ref{sec:symptomabs}. The FMMD process is described using formal definitions and algorithms in section~\ref{sec:symptomabs}.
} }
%What components all have in common is that they can fail, and fail in a %What components all have in common is that they can fail, and fail in a
@ -1113,7 +1115,7 @@ Thus, each possible cause for a system failure %{\fm}
will have a collection of FMMD analysis reports associated with it. will have a collection of FMMD analysis reports associated with it.
% %
These collections of analysis reports will provide a cause and effect These collections of analysis reports will provide a cause and effect
story for each possible scenario that could cause the system level failure. story for each possible scenario that could lead to the system level failure.
% %
Traceability of design processes are considered necessary for Traceability of design processes are considered necessary for
safety critical product~\cite{en61508} and is an important concept safety critical product~\cite{en61508} and is an important concept

BIN
submission_thesis/CH5_Examples/circuit4004.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 14 KiB

After

Width:  |  Height:  |  Size: 18 KiB

40
submission_thesis/CH5_Examples/copy.tex
View File

@ -25,7 +25,8 @@ The two approaches, i.e. effects of choice of membership for {\fgs} are then dis
\fmmdglossOPAMP \fmmdglossOPAMP
\item Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used \item Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used
to create a differencing amplifier. to create a differencing amplifier.
Building on the two approaches from section~\ref{sec:invamp}, re-use of the non-inverting amplifier {\dc} from section~\ref{sec:invamp} Building on the two approaches from section~\ref{sec:invamp}, re-use of the
non-inverting amplifier {\dc} from section~\ref{subsec:potdiv} % ~\ref{sec:invamp} %%%% 27SEP2013
is examined, is examined,
where re-use is appropriate in the first stage and where re-use is appropriate in the first stage and
not in the second. not in the second.
@ -439,9 +440,8 @@ electrically load the previous stage.
Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers, Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers,
this is a useful circuit wherever a high impedance differencing amplifier is required. this is a useful circuit wherever a high impedance differencing amplifier is required.
% %
This is a configuration that is commonly used in electronic circuits. This is a configuration that is commonly used in electronic circuits,
% it would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
% %
Identifying {\fgs} from the components in the circuit is the starting point for analysis. Identifying {\fgs} from the components in the circuit is the starting point for analysis.
% %
@ -525,8 +525,8 @@ two derived components of the type $NI\_AMP$ and $SEC\_AMP$ is created.
FMMD analysis is applied to this {\fg} in table~\ref{tbl:diffampfinal}. FMMD analysis is applied to this {\fg} in table~\ref{tbl:diffampfinal}.
% %
\begin{table}[h+] \begin{table}[h+]
\label{tbl:diffampfinal}
\caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table \caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:diffampfinal} % always put laels after captions in tables
\centering % used for centering table \centering % used for centering table
\begin{tabular}{||l|c|c|l|l||} \begin{tabular}{||l|c|c|l|l||}
\hline \hline \hline \hline
@ -688,10 +688,10 @@ The first order low pass filter is analysed in table~\ref{tbl:firstorderlpass}.\
\textbf{cause} & \textbf{Low Pass Filter} & \\ \textbf{cause} & \textbf{Low Pass Filter} & \\
\hline \hline
FS1: R10 SHORT & $No Filtering$ & $LPallpass$ \\ \hline FS1: R10 SHORT & $No Filtering$ & $LPnofilter$ \\ \hline
FS2: R10 OPEN & $No Signal$ & $LPnosignal$ \\ \hline FS2: R10 OPEN & $No Signal$ & $LPnosignal$ \\ \hline
FS3: C10 SHORT & $No Signal$ & $LPnosignal$ \\ \hline FS3: C10 SHORT & $No Signal$ & $LPnosignal$ \\ \hline
FS4: C10 OPEN & $No Filtering$ & $LPallpass$ \\ \hline FS4: C10 OPEN & $No Filtering$ & $LPnofilter$ \\ \hline
\hline \hline
@ -742,7 +742,7 @@ from the $FirstOrderLP$ and the OpAmp component.
TC2: $OPAMP$ LatchDown & Output Low & LP1Low \\ TC2: $OPAMP$ LatchDown & Output Low & LP1Low \\
TC3: $OPAMP$ No Operation & Output Low & LP1Low \\ TC3: $OPAMP$ No Operation & Output Low & LP1Low \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & LP1filterincorrect \\ \hline TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & LP1filterincorrect \\ \hline
TC5: $LPallpass $ & No low pass filtering & LP1filterincorrect \\ TC5: $LPnofilter $ & No low pass filtering & LP1filterincorrect \\
TC6: $LPnosignal $ & No input signal & LP1nosignal \\ \hline TC6: $LPnosignal $ & No input signal & LP1nosignal \\ \hline
\hline \hline
@ -803,7 +803,7 @@ results re-used for the next stage of analysis (see figure~\ref{fig:circuit2002_
TC2: $OPAMP$ LatchDown & Output Low & SKLPLow \\ TC2: $OPAMP$ LatchDown & Output Low & SKLPLow \\
TC3: $OPAMP$ No Operation & Output Low & SKLPLow \\ TC3: $OPAMP$ No Operation & Output Low & SKLPLow \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & SKLPfilterIncorrect \\ \hline TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & SKLPfilterIncorrect \\ \hline
TC5: R1 OPEN & No input signal & SKLPfilterIncorrect \\ TC5: R1 OPEN & No input signal & SKLPnosignal \\
TC6: R1 SHORT & incorrect low pass filtering & SKLPfilterIncorrect \\ \hline TC6: R1 SHORT & incorrect low pass filtering & SKLPfilterIncorrect \\ \hline
TC7: R2 OPEN & No input signal & SKLPnosignal \\ TC7: R2 OPEN & No input signal & SKLPnosignal \\
@ -1008,7 +1008,7 @@ These {\fgs} are used to describe the circuit in block diagram form with arrows
\end{figure} \end{figure}
Each of these {\fgs} are analysed to create failure mode models for them, and from these Each of these {\fgs} are analysed to create failure mode models for them, and from these
determine {\dcs}. {\dcs} determined.
\subsection{Inverting Amplifier: INVAMP} \subsection{Inverting Amplifier: INVAMP}
% %
@ -1038,7 +1038,7 @@ The {\fg} for the phase shifter consists of a resistor and a capacitor, $G_0 = \
(FMMD analysis details in appendix~\ref{detail:PHS45}), (FMMD analysis details in appendix~\ref{detail:PHS45}),
% %
% %
$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} . $$ $$ fm (PHS45) = \{ nosignal, 0\_phaseshift \} . $$
% %
\subsection{Non Inverting Buffer: NIBUFF.} \subsection{Non Inverting Buffer: NIBUFF.}
% %
@ -1212,7 +1212,7 @@ To complete the analysis we now bring the derived components $PHS135BUFFERED$ an
and perform FMEA with these (see appendix~\ref{detail:BUBBAOSC}), to obtain a model for the Bubba Oscillator. and perform FMEA with these (see appendix~\ref{detail:BUBBAOSC}), to obtain a model for the Bubba Oscillator.
% %
$$ $$
fm (BUBBAOSC) = \{ HI_{osc}, NO\_signal .\} % LO_{fosc}, fm (BUBBAOSC) = \{ HI_{osc}, NO\_signal \} . % LO_{fosc},
$$ $$
% %
% %
@ -1251,7 +1251,7 @@ increases the potential for re-use. % of pre-analysed {\dcs}.
% %
A finer grained model---with potentially more hierarchy stages---also means that A finer grained model---with potentially more hierarchy stages---also means that
%more work, or %more work, or
more reasoning stages, i.e. FMMD analysis stages with their associated analysis reports, have been used in the analysis. more reasoning stages, i.e. FMMD analysis stages with their associated analysis reports, have been created. % by the analysis.
% HTR The more we can modularise, the more we decimate the $O(N^2)$ effect % HTR The more we can modularise, the more we decimate the $O(N^2)$ effect
% HTR of complexity comparison. % HTR of complexity comparison.
% %
@ -1273,7 +1273,8 @@ The lower reasoning distances, or complexity comparison figures are given in the
in section~\ref{sec:bubbaCC}. in section~\ref{sec:bubbaCC}.
% %
This example demonstrates that the finer grained models This example demonstrates that the finer grained models
benefit from lower reasoning distances for the failure mode model. benefit from lower reasoning distances to determine
the failure mode model.
\clearpage \clearpage
@ -1503,9 +1504,8 @@ These are:
\begin{itemize} \begin{itemize}
\item SUMJINT --- A summing junction and integrator, \item SUMJINT --- A summing junction and integrator,
\item HISB --- A high impedance buffer, \item HISB --- A high impedance buffer,
\item DIGITALBUFF --- A one bit digital buffer, \item DIGBUF --- A digital one bit buffer/memory,
\item DL2AL --- A digital to analog level converter, \item DL2AL --- A digital to analog level converter.
\item DIGBUF --- A digital one bit buffer/memory.
\end{itemize} \end{itemize}
% %
These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}. These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}.
@ -2094,9 +2094,9 @@ resistor tolerance must be considered.
Assuming the load resistors are fairly typical in terms of precision; Assuming the load resistors are fairly typical in terms of precision;
taking a worst case of 1\% either way: taking a worst case of 1\% either way:
% %
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ $$ 5V.\frac{2k2 \times 0.99}{2k2 \times 1.01+2k2 \times 0.99} = 2.475V $$
and and
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V \; . $$ $$ 5V.\frac{2k2 \times 1.01}{2k2 \times 1.01+2k2 \times 0.99} = 2.525V \; . $$
% %
These readings both lie outside the proscribed ranges. These readings both lie outside the proscribed ranges.
Also the sense+ and sense- readings would have the same value. Also the sense+ and sense- readings would have the same value.
@ -2187,7 +2187,7 @@ All the single failures have been analysed in the last section.
%the failure modes, and then examine each one in detail with %the failure modes, and then examine each one in detail with
%potential divider equation proofs. %potential divider equation proofs.
% %
Table \ref{tab:ptfmea2} lists all the combinations of double Table \ref{tab:ptfmea2} lists all possible combinations of double
faults as FMMD test cases. faults as FMMD test cases.
%and then hypothesises how the functional~group will react %and then hypothesises how the functional~group will react
%under those conditions. %under those conditions.

23
submission_thesis/CH6_Software_Examples/software.tex
View File

@ -277,7 +277,7 @@ for the system to be operating correctly the voltage should be within the above
For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used. For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used.
% %
In 'C' a function is declared with parenthesis to In 'C' a function is declared with parenthesis to
differentiate it from other type of variables (data types or pointers). differentiate it from other types of variables (data types or pointers).
% %
In this document this format is borrowed, hence the C~language In this document this format is borrowed, hence the C~language
function called `main' would be presented as \cf{main}. function called `main' would be presented as \cf{main}.
@ -339,7 +339,14 @@ int read_4_20_input ( int * value ) {
\end{verbatim} \end{verbatim}
%} %}
%}\clearpage %}\clearpage
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% HP48G program to verify scaling
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% << -> t
% << t .88 - 4.4 .88 - / 999 * >>
% >>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\caption{Software Function: \cf{read\_4\_20\_input}} \caption{Software Function: \cf{read\_4\_20\_input}}
\label{fig:code_read_4_20_input} \label{fig:code_read_4_20_input}
%\label{fig:420i} %\label{fig:420i}
@ -888,7 +895,7 @@ the inputs and outputs of the associated software functions are also defined.
% %
The Yourdon methodology thus allows the refinement and modelling The Yourdon methodology thus allows the refinement and modelling
of a process from a data~flow perspective of a process from a data~flow perspective
defining software functions in its final stage. defining software functions in its final stage (see figure~\ref{fig:contextsoftware}).
%, and %, and
%this in terms of software functions. %this in terms of software functions.
% %
@ -1043,8 +1050,8 @@ $$fm (micro-controller) =\{ PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLO
\subsection{Temperature Controller Software Elements FMMD} \subsection{Temperature Controller Software Elements FMMD}
Identified Software Components: Identified Software Components:
\begin{itemize} \begin{itemize}
\item --- \cf{Monitor} (which calls PID algorithm and sets status LEDS), \item --- \cf{Monitor} (which calls \cf{PID},\cf{output\_control} and \cf{setLEDS}),
\item --- \cf{PID} (which calls \cf{determine\_set\_point\_error} and \cf{output\_control}), \item --- \cf{PID} (which calls \cf{determine\_set\_point\_error} ),
\item --- \cf{determine\_set\_point\_error} (which calls \cf{convert\_ADC\_to\_T}), \item --- \cf{determine\_set\_point\_error} (which calls \cf{convert\_ADC\_to\_T}),
\item --- \cf{convert\_ADC\_to\_T} (which calls \cf{read\_ADC}), % which has been analysed as the {\dc} read\_ADC which can be re-used.} % from the last example), \item --- \cf{convert\_ADC\_to\_T} (which calls \cf{read\_ADC}), % which has been analysed as the {\dc} read\_ADC which can be re-used.} % from the last example),
\item --- \cf{read\_ADC} (analysed in the previous section~\ref{sec:readadc}), \item --- \cf{read\_ADC} (analysed in the previous section~\ref{sec:readadc}),
@ -1228,6 +1235,8 @@ apply the demanded power.
A {\fg} with the Heating element, a PWM module and the \cf{output\_control} function is formed to model this branch A {\fg} with the Heating element, a PWM module and the \cf{output\_control} function is formed to model this branch
of the efferent flow. of the efferent flow.
% %
This {\fg} is a hardware/software hybrid.
%
FMMD analysis is applied to this {\fg} in table~\ref{tbl:heateroutput}. FMMD analysis is applied to this {\fg} in table~\ref{tbl:heateroutput}.
% %
For the \cf{output\_control} function, there is a pre-condition that the PWM module is For the \cf{output\_control} function, there is a pre-condition that the PWM module is
@ -1253,7 +1262,7 @@ adding a safety relay to cut the power to the heater).
\centering \centering
\includegraphics[width=300pt]{./CH5_Examples/euler_heater_output.png} \includegraphics[width=300pt]{./CH5_Examples/euler_heater_output.png}
% euler_heater_output.png: 392x141 pixel, 72dpi, 13.83x4.97 cm, bb=0 0 392 141 % euler_heater_output.png: 392x141 pixel, 72dpi, 13.83x4.97 cm, bb=0 0 392 141
\caption{Euler diagram showing HeaterOutput with its two hardware components, PWM and HEATER, and its software component output\_control.} \caption{Euler diagram showing HeaterOutput with its two hardware components, PWM and HEATER, and its software component \cf{output\_control}.}
\label{fig:eulerheateroutput} \label{fig:eulerheateroutput}
\end{figure} \end{figure}
% %
@ -1350,7 +1359,7 @@ as an Euler diagram in figure~\ref{fig:euler_temp_controller}.
\centering \centering
\includegraphics[width=400pt]{./CH5_Examples/euler_temp_controller.png} \includegraphics[width=400pt]{./CH5_Examples/euler_temp_controller.png}
% euler_temp_controller.png: 714x251 pixel, 72dpi, 25.19x8.85 cm, bb=0 0 714 251 % euler_temp_controller.png: 714x251 pixel, 72dpi, 25.19x8.85 cm, bb=0 0 714 251
\caption{Euler diagram of the temperature controller final analysis stage, showing the hybrid software/hardware {\dcs} and the function at the head of the call tree `monitor'.} \caption{Euler diagram of the temperature controller final analysis stage, showing the hybrid software/hardware {\dcs} and the function at the head of the call tree \cf{monitor}.}
\label{fig:euler_temp_controller} \label{fig:euler_temp_controller}
\end{figure} \end{figure}
% %

27
submission_thesis/CH7_Evaluation/copy.tex
View File

@ -154,7 +154,7 @@ $ | G | $. %,
%\paragraph{Defining Components} %\paragraph{Defining Components}
$G$ is simply a sub-set of all possible components. $G$ is simply a sub-set of all possible components.
% %
The set of all components is $\mathcal{C}$; it can be can stated that is $G \subset \mathcal{C}$. The set of all components is $\mathcal{C}$; it can be can stated that $G \subset \mathcal{C}$.
% %
Individual components are denoted as $c$ Individual components are denoted as $c$
with additional indexing where appropriate. with additional indexing where appropriate.
@ -228,7 +228,7 @@ An FMMD hierarchy consists of many {\fgs} which are subsets of $G$.
FMMD analysis creates a hierarchy $\hh$ of {\fgs}. % where $\hh \subset \mathcal{FG}$. FMMD analysis creates a hierarchy $\hh$ of {\fgs}. % where $\hh \subset \mathcal{FG}$.
\fmmdgloss \fmmdgloss
% %
Individual {\fgs} can be defined using with an index Individual {\fgs} can be defined using an index
$i$ for identification and a superscript for the $\alpha$~level i.e. $FG^{\alpha}_{i}$ (see section~\ref{sec:alpha}). $i$ for identification and a superscript for the $\alpha$~level i.e. $FG^{\alpha}_{i}$ (see section~\ref{sec:alpha}).
% %
%--- %---
@ -257,7 +257,7 @@ An FMMD hierarchy will have reducing numbers of {\fgs} as the hierarchy is trave
In order to calculate its comparison~complexity, equation~\ref{eqn:CC} must be applied to In order to calculate its comparison~complexity, equation~\ref{eqn:CC} must be applied to
all {\fgs} on each level. all {\fgs} on each level.
% %
An FMMD hierarchy defined as a set of {\fgs}, $\hh$. An FMMD hierarchy is defined as a set of {\fgs}, $\hh$.
% We define a helper function $g$ with a domain of the level $Level$ in an FMMD hierarchy $\hh$, and a % We define a helper function $g$ with a domain of the level $Level$ in an FMMD hierarchy $\hh$, and a
% co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), % co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level),
% that returns % that returns
@ -292,8 +292,8 @@ The comparison complexity function $CC$ is overloaded, to obtain the comparison
\label{sec:theoreticalperfmodel} \label{sec:theoreticalperfmodel}
\fmmdglossRD \fmmdglossRD
%\pagebreak[4] %\pagebreak[4]
The amplifier example from chapter~\ref{sec:chap4}, which has two The $NONINVAMP$ example from chapter~\ref{sec:chap4}, which has two
stages, the potential divider and then the amplifier, is chosen as an example for comparison complexity. analysis stages, the potential divider and then the amplifier, is chosen as an example for comparison complexity.
% %
The complexities are added from The complexities are added from
both these stages to determine how many reasoning paths there were to perform FMMD analysis on the both these stages to determine how many reasoning paths there were to perform FMMD analysis on the
@ -313,7 +313,7 @@ number of reasoning paths to analyse the amplifier using FMMD.
% %
The potential divider has a {\cc} of four and the amplifier section a {\cc} of six. The potential divider has a {\cc} of four and the amplifier section a {\cc} of six.
% %
To analyse the inverting amplifier with FMMD it required 10 reasoning stages. To analyse the inverting amplifier with FMMD a {\cc} of 10 was required.
% %
Using traditional FMEA employing exhaustive checking ({\XFMEA}) Using traditional FMEA employing exhaustive checking ({\XFMEA})
$ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1) = 16$ was obtained. $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1) = 16$ was obtained.
@ -549,10 +549,10 @@ All the FMMD examples in chapters \ref{sec:chap5}
and \ref{sec:chap6} showed a marked reduction in comparison and \ref{sec:chap6} showed a marked reduction in comparison
complexity compared to {\XFMEA}. % worst case figures. complexity compared to {\XFMEA}. % worst case figures.
% %
To calculate {\XFMEA} comparison complexity equation~\ref{eqn:CC} is used. To calculate {\XFMEA} the comparison complexity equation~\ref{eqn:CC} is used.
% %
% %
Complexity comparison vs. {\XFMEA} for the first three examples Complexity comparison for FMMD vs. {\XFMEA} for the first three examples in chapter~\ref{sec:chap5}
are presented in the following table~\ref{tbl:firstcc}. are presented in the following table~\ref{tbl:firstcc}.
% %
%\usepackage{multirow} %\usepackage{multirow}
@ -973,7 +973,7 @@ is no fault active in the functional~group under analysis.}
and S itself. and S itself.
% %
The power-set concept is augmented here to deal with counting the number of The power-set concept is augmented here to deal with counting the number of
combinations of failures to consider, under the conditions of simultaneous failures. combinations of failures to consider under the conditions of simultaneous failures.
% %
In order to consider combinations for the set S where the number of elements in In order to consider combinations for the set S where the number of elements in
each subset of S is $N$ or less, a concept of the `cardinality constrained power-set' each subset of S is $N$ or less, a concept of the `cardinality constrained power-set'
@ -1018,11 +1018,8 @@ C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} .
\end{equation} \end{equation}
% %
To find the number of elements in a cardinality constrained subset S with up to $cc$ elements To find the number of elements in a cardinality constrained subset S with up to $cc$ elements
in each combination sub-set, in each combination sub-set, the sum of combinations must be added,
sum the combinations must be added, from $1$ to $cc$ thus:
%subtracting $cc$ from the final result
%(repeated empty set counts)
from $1$ to $cc$ thus
% %
% %
% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$ % $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$
@ -1531,7 +1528,7 @@ in the power-supply {\fg}.
%this raises another issue for FMMD. %this raises another issue for FMMD.
% %
A de-coupling capacitor going $OPEN$ might not be considered relevant to A de-coupling capacitor going $OPEN$ might not be considered relevant to
a power-supply module (but there might be additional noise on its output rails). a power-supply module (even though there might be additional noise on its output rails).
% %
But in {\fg} terms, the power supply now has a new symptom, that of $INTERFERENCE$. But in {\fg} terms, the power supply now has a new symptom, that of $INTERFERENCE$.
% %

8
submission_thesis/appendixes/detailed_analysis.tex
View File

@ -309,7 +309,7 @@ This section of the appendix contains FMEA tables for the {\sd}.
FS5: $IC1$ $HIGH$ & & output perm. high & & HIGH \\ FS5: $IC1$ $HIGH$ & & output perm. high & & HIGH \\
FS6: $IC1$ $LOW$ & & output perm. low & & LOW \\ \hline FS6: $IC1$ $LOW$ & & output perm. low & & LOW \\ \hline
FS7: $IC1$ $NOOP$ & & no current to drive C1 & & NO\_INTEGRATION \\ FS7: $IC1$ $NOOP$ & & no current to drive C1 & & NO\_INTEGRATION \\
FS8: $IC1$ $LOW\_SLEW$ & & signal delay to C1 & & NO\_INTEGRATION \\ \hline FS8: $IC1$ $LOW\_SLEW$ & & signal delay to C1 & & NO\_INTEGRATION \\
FS9: $C1$ $OPEN$ & & no capacitance & & NO\_INTEGRATION \\ FS9: $C1$ $OPEN$ & & no capacitance & & NO\_INTEGRATION \\
FS10: $C1$ $SHORT$ & & no capacitance & & NO\_INTEGRATION \\ \hline FS10: $C1$ $SHORT$ & & no capacitance & & NO\_INTEGRATION \\ \hline
@ -497,7 +497,7 @@ $$
%\hline %\hline
FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\ FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\
FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\ FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\
FS5: $DL2AL$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\ \hline FS5: $DL2AL$ $LOW\_SLEW$ & & slow reaction to input & & $LOW\_SLEW$ \\ \hline
\hline \hline
@ -584,7 +584,7 @@ FMMD analysis tables from chapter~\ref{sec:chap6}.
FC3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ FC3: $RADC_{HIGH}$ & voltage value & $VOLTAGE\_HIGH$ \\
& incorrect & \\ \hline & incorrect & \\ \hline
@ -681,7 +681,7 @@ $$
The error value being discussed here is an important concept in PID control. The error value being discussed here is an important concept in PID control.
It represents how far from the control target It represents how far from the control target
the measured reading of it is. the measured reading is.
The lower the PID error value the closer to the controlled systems target/desired value. The lower the PID error value the closer to the controlled systems target/desired value.
{ {

2
submission_thesis/colophon/copy.tex
View File

@ -57,7 +57,7 @@ Further I thank her for encouraging me to apply for the PhD. %% PITY SHE DID NOT
% %
I am deeply thankful to the directors of {\etc} not only for I am deeply thankful to the directors of {\etc} not only for
funding this course, but providing training and work experience in the funding this course, but providing training and work experience in the
field of safety critical engineering, and giving me Friday field of safety critical engineering and giving me Friday
afternoons to pursue my studies. afternoons to pursue my studies.
% %
At Energy~Technology~Control, the following people gave encouragement, and At Energy~Technology~Control, the following people gave encouragement, and