robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

JMC pr

Browse Source
This commit is contained in:
Robin Clark 2013-03-16 12:19:01 +00:00
parent d4ce1a04c5
commit 712fcb3356
3 changed files with 24 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
submission_thesis/CH2_FMEA/copy.tex
View File

@ -544,6 +544,8 @@ there is usually a clear afferent to transform to efferent path.
% %
That is, there is an input, some processing and an output. That is, there is an input, some processing and an output.
% %
We define the signal path as the components used to process the signal.
%
Some circuits have feedback loops or even circular signal paths, but it Some circuits have feedback loops or even circular signal paths, but it
is normal for a signal path to exist. is normal for a signal path to exist.
% %
@ -584,7 +586,10 @@ of the component exhibiting the {\fm} under investigation.
% %
Also, whether following the effects through the signal path {\em only} is acceptable, and instead Also, whether following the effects through the signal path {\em only} is acceptable, and instead
looking at its effect on all other components in the system is necessary, looking at its effect on all other components in the system is necessary,
is a matter for debate, and is examined in section~\ref{sec:xfmea}. is a matter for debate.
In practise, it is a compromise between the amount of time/money that can be spent
on analysis relative to the criticality of the project.
Metrics from measuring the amount of work to undertake for FMEA are examined in section~\ref{sec:xfmea}.
\paragraph{Single component failure mode to system failure relation.} \paragraph{Single component failure mode to system failure relation.}

19
submission_thesis/CH6_Software_Examples/software.tex
View File

@ -7,6 +7,7 @@
\label{sec:elecsw} \label{sec:elecsw}
In this chapter we show that FMMD can be applied to both software and electronics enabling us to build complete failure models In this chapter we show that FMMD can be applied to both software and electronics enabling us to build complete failure models
of typical modern safety critical systems. of typical modern safety critical systems.
%
With modular FMEA i.e. FMMD %(FMMD) With modular FMEA i.e. FMMD %(FMMD)
we have the concepts of failure~modes we have the concepts of failure~modes
of components, {\fgs} and symptoms of failure. % for a functional group. of components, {\fgs} and symptoms of failure. % for a functional group.
@ -227,7 +228,7 @@ value from the external equipment.
Consider a software function that reads a {\ft} input, and returns a value between 0 and 999 (i.e. per mil $\permil$) Consider a software function that reads a {\ft} input, and returns a value between 0 and 999 (i.e. per mil $\permil$)
representing the current detected with an additional error indication flag . representing the current detected with an additional error indication flag.
% %
Let us assume the {\ft} detection is via a \ohms{220} resistor, and that we read a voltage Let us assume the {\ft} detection is via a \ohms{220} resistor, and that we read a voltage
from an ADC into the software. from an ADC into the software.
@ -244,7 +245,8 @@ is therefore
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$ $$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
This voltage range forms our input requirement and can be considered as an invariant condition (i.e. both a pre-condition and a postcondition This voltage range forms our input requirement and can be considered as an invariant condition
(i.e. both a pre-condition and a postcondition;
for the system to be operating correctly the voltage should be within the above bounds). for the system to be operating correctly the voltage should be within the above bounds).
% %
We can now examine a software function that performs a conversion from the voltage read to We can now examine a software function that performs a conversion from the voltage read to
@ -586,7 +588,7 @@ $$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
\paragraph{Functional Group - Software - voltage to per mil - VTPM } \paragraph{Functional Group - Software - voltage to per mil - VTPM }
This function sits on top of the $RADC$ {\dc} determined above. This function sits on top of the $RADC$ {\dc} determined above.
We look at the pre-conditions for the function $read\_4\_20\_input$ , % which we can call $RI$ We look at the pre-conditions for the function $read\_4\_20\_input$, % which we can call $RI$
to determine its {\fms}. to determine its {\fms}.
Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}. Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
We can map this violation of the pre-condition, to the {\fm} VRNGE; %As this function has one pre-condition We can map this violation of the pre-condition, to the {\fm} VRNGE; %As this function has one pre-condition
@ -792,7 +794,7 @@ start with a structured analysis `Yourdon' context diagram~\cite{Yourdon:1989:MS
\end{figure} \end{figure}
Using figure~\ref{fig:context_diagram_PID} we review the system in terms of its data flow, starting Using figure~\ref{fig:context_diagram_PID} we review the system in terms of its data flow, starting
with the data sources ( the Pt100 inputs) and the data sinks (the heater output and the LED indicators). with the data sources (the Pt100 inputs) and the data sinks (the heater output and the LED indicators).
% %
We have two voltage inputs (see section~\ref{sec:Pt100}) from the Pt100 temperature sensor. We have two voltage inputs (see section~\ref{sec:Pt100}) from the Pt100 temperature sensor.
For the Pt100 sensor, we will need to read the voltages it outputs and for this For the Pt100 sensor, we will need to read the voltages it outputs and for this
@ -915,7 +917,7 @@ The internal timer in use is a register which when read
returns an incremented time value. returns an incremented time value.
Using two's complement mathematics, by subtracting Using two's complement mathematics, by subtracting
the time we last read it, we can calculate the interval the time we last read it, we can calculate the interval
between readings (assuming the timer has not wrapped around more then once). between readings (assuming the timer has not wrapped around more than once).
We can say that a timer can fail by We can say that a timer can fail by
incrementing its value at an incorrect rate, or can stop incrementing. incrementing its value at an incorrect rate, or can stop incrementing.
$$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$ $$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$
@ -961,7 +963,7 @@ Identified Software Components:
\item --- output\_control (which sets the PWM hardware according to the PID demand value) \item --- output\_control (which sets the PWM hardware according to the PID demand value)
\end{itemize} \end{itemize}
With the call tree structure defined (see figure~\ref{fig:context_calltree}), we can now analyse these With the call tree structure defined (see figure~\ref{fig:context_calltree}), we can now analyse these
components from the bottom-up, starting with the afferent flow, the reading in of the temperature and its conversion components from the bottom-up, starting with the afferent flow, the reading of the temperature and its conversion
to a PID calculated heater output demand. to a PID calculated heater output demand.
\subsubsection{Afferent flow FMMD analysis, Pt100, temperature, set point error, PID output demand.} \subsubsection{Afferent flow FMMD analysis, Pt100, temperature, set point error, PID output demand.}
@ -970,7 +972,8 @@ We start with the afferent flow from the Pt100.
%used (if any) by each software function. %used (if any) by each software function.
Starting at the bottom, we form a {\fg} with Starting at the bottom, we form a {\fg} with
the function read\_ADC and the Pt100. the function read\_ADC and the Pt100.
This gives us a {\dc} which we call ReadPt100. This gives us a {\dc} which we call
$ReadPt100$.
% %
% %
@ -1068,7 +1071,7 @@ $$ fm(PID) = \{ KnownControlValueErrorV, IncorrectControlErrorV \} .$$
We have now modelled the the software call tree for the afferent flow, we represent this as an Euler diagram in figure~\ref{fig:euler_afferent_PID}. We have now modelled the software call tree for the afferent flow; we represent this as an Euler diagram in figure~\ref{fig:euler_afferent_PID}.
Two call tree branches remain. The LED indication branch and the Two call tree branches remain. The LED indication branch and the
PWM/heater output. PWM/heater output.

13
submission_thesis/CH7_Evaluation/copy.tex
View File

@ -177,7 +177,7 @@ Comparison complexity, $CC$ for a group of components $G$, is given by
% J Howse requires justification for the CC equation above 10MAR2013. % J Howse requires justification for the CC equation above 10MAR2013.
% %
Equation~\ref{eqn:CC} says that for every failure mode in the group $G$, we must check it against all other Equation~\ref{eqn:CC} says that for every failure mode in the group $G$, we must check it against all other
components in the group (except its-self). This gives us a count of the number of reasoning paths to perform {\XFMEA}. components in the group (except itself). This gives us a count of the number of reasoning paths to perform {\XFMEA}.
These reasoning distance concepts are discussed in section~\ref{sec:reasoningdistance}. % from CH3 These reasoning distance concepts are discussed in section~\ref{sec:reasoningdistance}. % from CH3
% %
Equation~\ref{eqn:CC} can be simplified if we can determine the total number of Equation~\ref{eqn:CC} can be simplified if we can determine the total number of
@ -206,7 +206,7 @@ $i$ for identification and a superscript for the $\alpha$~level (see section~\r
% %
%--- %---
%o identify the hierarchy. %o identify the hierarchy.
For example the first {\fg} in a hierarchy, containing base components only For example the first {\fg} in a hierarchy containing base components only
i.e. at the zeroth level of an FMMD hierarchy where $\alpha=0$, would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$. i.e. at the zeroth level of an FMMD hierarchy where $\alpha=0$, would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$.
% %
The {\fg} representing the potential divider in section~\ref{sec:pd} The {\fg} representing the potential divider in section~\ref{sec:pd}
@ -282,7 +282,7 @@ Using traditional FMEA employing exhaustive checking ({\XFMEA})
we obtain $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1)$ = 16. we obtain $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1)$ = 16.
Even with this very trivial example, we begin to see benefits of taking a modular approach to FMEA. Even with this very trivial example, we begin to see benefits of taking a modular approach to FMEA.
\paragraph{Complexity Comparison for an hypothetical 81 component system.} \paragraph{Complexity Comparison for a hypothetical 81 component system.}
%Even considering a $example$ %Even considering a $example$
A system, $example$, with just 81 components (with these components A system, $example$, with just 81 components (with these components
having 3 failure modes each) would, using equation~\ref{eqn:rd2} have an $CC$ of having 3 failure modes each) would, using equation~\ref{eqn:rd2} have an $CC$ of
@ -766,7 +766,8 @@ However, where a complex component is used, for instance a microcontroller
with several modules that could all fail simultaneously, a process with several modules that could all fail simultaneously, a process
of reduction into smaller theoretical components will have to be made. of reduction into smaller theoretical components will have to be made.
We can term this `heuristic~de-composition'. We can term this `heuristic~de-composition'.
A modern micro-controller will typically have several modules, which are configured to operate on %
A modern micro-controller will typically have several modules which are configured to operate on
pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}. PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}.
% %
@ -782,7 +783,7 @@ is then applied to it.}.
\paragraph{Reason for FMMD unitary failure mode constraint.} Were this constraint not to be applied \paragraph{Reason for FMMD unitary failure mode constraint.} Were this constraint not to be applied,
each component would not contribute $N$ failure modes, % to consider each component would not contribute $N$ failure modes, % to consider
but potentially but potentially
$2^N$. $2^N$.
@ -897,7 +898,7 @@ For example, say
the cardinality constraint was 3, we would need to subtract both the cardinality constraint was 3, we would need to subtract both
$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group. $|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group.
\subsubsection{Example: Two Component functional group cardinality Constraint of 2} \subsubsection{Example: Two Component functional group Cardinality Constraint of 2}
For example: suppose we have a simple functional group with two components R and T, of which For example: suppose we have a simple functional group with two components R and T, of which
$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$ $$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$