JMC pr
This commit is contained in:
Robin Clark
parent
d4ce1a04c5
commit
712fcb3356
@ -544,6 +544,8 @@ there is usually a clear afferent to transform to efferent path.
|
||||
%
|
||||
That is, there is an input, some processing and an output.
|
||||
%
|
||||
We define the signal path as the components used to process the signal.
|
||||
%
|
||||
Some circuits have feedback loops or even circular signal paths, but it
|
||||
is normal for a signal path to exist.
|
||||
%
|
||||
@ -584,7 +586,10 @@ of the component exhibiting the {\fm} under investigation.
|
||||
%
|
||||
Also, whether following the effects through the signal path {\em only} is acceptable, and instead
|
||||
looking at its effect on all other components in the system is necessary,
|
||||
is a matter for debate, and is examined in section~\ref{sec:xfmea}.
|
||||
is a matter for debate.
|
||||
In practise, it is a compromise between the amount of time/money that can be spent
|
||||
on analysis relative to the criticality of the project.
|
||||
Metrics from measuring the amount of work to undertake for FMEA are examined in section~\ref{sec:xfmea}.
|
||||
|
||||
|
||||
\paragraph{Single component failure mode to system failure relation.}
|
||||
|
||||
@ -7,6 +7,7 @@
|
||||
\label{sec:elecsw}
|
||||
In this chapter we show that FMMD can be applied to both software and electronics enabling us to build complete failure models
|
||||
of typical modern safety critical systems.
|
||||
%
|
||||
With modular FMEA i.e. FMMD %(FMMD)
|
||||
we have the concepts of failure~modes
|
||||
of components, {\fgs} and symptoms of failure. % for a functional group.
|
||||
@ -227,7 +228,7 @@ value from the external equipment.
|
||||
|
||||
|
||||
Consider a software function that reads a {\ft} input, and returns a value between 0 and 999 (i.e. per mil $\permil$)
|
||||
representing the current detected with an additional error indication flag .
|
||||
representing the current detected with an additional error indication flag.
|
||||
%
|
||||
Let us assume the {\ft} detection is via a \ohms{220} resistor, and that we read a voltage
|
||||
from an ADC into the software.
|
||||
@ -244,7 +245,8 @@ is therefore
|
||||
|
||||
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
|
||||
|
||||
This voltage range forms our input requirement and can be considered as an invariant condition (i.e. both a pre-condition and a postcondition
|
||||
This voltage range forms our input requirement and can be considered as an invariant condition
|
||||
(i.e. both a pre-condition and a postcondition;
|
||||
for the system to be operating correctly the voltage should be within the above bounds).
|
||||
%
|
||||
We can now examine a software function that performs a conversion from the voltage read to
|
||||
@ -586,7 +588,7 @@ $$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
|
||||
\paragraph{Functional Group - Software - voltage to per mil - VTPM }
|
||||
|
||||
This function sits on top of the $RADC$ {\dc} determined above.
|
||||
We look at the pre-conditions for the function $read\_4\_20\_input$ , % which we can call $RI$
|
||||
We look at the pre-conditions for the function $read\_4\_20\_input$, % which we can call $RI$
|
||||
to determine its {\fms}.
|
||||
Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
|
||||
We can map this violation of the pre-condition, to the {\fm} VRNGE; %As this function has one pre-condition
|
||||
@ -792,7 +794,7 @@ start with a structured analysis `Yourdon' context diagram~\cite{Yourdon:1989:MS
|
||||
\end{figure}
|
||||
|
||||
Using figure~\ref{fig:context_diagram_PID} we review the system in terms of its data flow, starting
|
||||
with the data sources ( the Pt100 inputs) and the data sinks (the heater output and the LED indicators).
|
||||
with the data sources (the Pt100 inputs) and the data sinks (the heater output and the LED indicators).
|
||||
%
|
||||
We have two voltage inputs (see section~\ref{sec:Pt100}) from the Pt100 temperature sensor.
|
||||
For the Pt100 sensor, we will need to read the voltages it outputs and for this
|
||||
@ -915,7 +917,7 @@ The internal timer in use is a register which when read
|
||||
returns an incremented time value.
|
||||
Using two's complement mathematics, by subtracting
|
||||
the time we last read it, we can calculate the interval
|
||||
between readings (assuming the timer has not wrapped around more then once).
|
||||
between readings (assuming the timer has not wrapped around more than once).
|
||||
We can say that a timer can fail by
|
||||
incrementing its value at an incorrect rate, or can stop incrementing.
|
||||
$$ fm(TIMER) = \{ STOPPED, INCORRECT\_INTERVAL \}$$
|
||||
@ -961,7 +963,7 @@ Identified Software Components:
|
||||
\item --- output\_control (which sets the PWM hardware according to the PID demand value)
|
||||
\end{itemize}
|
||||
With the call tree structure defined (see figure~\ref{fig:context_calltree}), we can now analyse these
|
||||
components from the bottom-up, starting with the afferent flow, the reading in of the temperature and its conversion
|
||||
components from the bottom-up, starting with the afferent flow, the reading of the temperature and its conversion
|
||||
to a PID calculated heater output demand.
|
||||
|
||||
\subsubsection{Afferent flow FMMD analysis, Pt100, temperature, set point error, PID output demand.}
|
||||
@ -970,7 +972,8 @@ We start with the afferent flow from the Pt100.
|
||||
%used (if any) by each software function.
|
||||
Starting at the bottom, we form a {\fg} with
|
||||
the function read\_ADC and the Pt100.
|
||||
This gives us a {\dc} which we call ReadPt100.
|
||||
This gives us a {\dc} which we call
|
||||
$ReadPt100$.
|
||||
%
|
||||
|
||||
%
|
||||
@ -1068,7 +1071,7 @@ $$ fm(PID) = \{ KnownControlValueErrorV, IncorrectControlErrorV \} .$$
|
||||
|
||||
|
||||
|
||||
We have now modelled the the software call tree for the afferent flow, we represent this as an Euler diagram in figure~\ref{fig:euler_afferent_PID}.
|
||||
We have now modelled the software call tree for the afferent flow; we represent this as an Euler diagram in figure~\ref{fig:euler_afferent_PID}.
|
||||
Two call tree branches remain. The LED indication branch and the
|
||||
PWM/heater output.
|
||||
|
||||
|
||||
@ -177,7 +177,7 @@ Comparison complexity, $CC$ for a group of components $G$, is given by
|
||||
% J Howse requires justification for the CC equation above 10MAR2013.
|
||||
%
|
||||
Equation~\ref{eqn:CC} says that for every failure mode in the group $G$, we must check it against all other
|
||||
components in the group (except its-self). This gives us a count of the number of reasoning paths to perform {\XFMEA}.
|
||||
components in the group (except itself). This gives us a count of the number of reasoning paths to perform {\XFMEA}.
|
||||
These reasoning distance concepts are discussed in section~\ref{sec:reasoningdistance}. % from CH3
|
||||
%
|
||||
Equation~\ref{eqn:CC} can be simplified if we can determine the total number of
|
||||
@ -206,7 +206,7 @@ $i$ for identification and a superscript for the $\alpha$~level (see section~\r
|
||||
%
|
||||
%---
|
||||
%o identify the hierarchy.
|
||||
For example the first {\fg} in a hierarchy, containing base components only
|
||||
For example the first {\fg} in a hierarchy containing base components only
|
||||
i.e. at the zeroth level of an FMMD hierarchy where $\alpha=0$, would have the superscript 0 and a subscript of 1: $FG^{0}_{1}$.
|
||||
%
|
||||
The {\fg} representing the potential divider in section~\ref{sec:pd}
|
||||
@ -282,7 +282,7 @@ Using traditional FMEA employing exhaustive checking ({\XFMEA})
|
||||
we obtain $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1)$ = 16.
|
||||
Even with this very trivial example, we begin to see benefits of taking a modular approach to FMEA.
|
||||
|
||||
\paragraph{Complexity Comparison for an hypothetical 81 component system.}
|
||||
\paragraph{Complexity Comparison for a hypothetical 81 component system.}
|
||||
%Even considering a $example$
|
||||
A system, $example$, with just 81 components (with these components
|
||||
having 3 failure modes each) would, using equation~\ref{eqn:rd2} have an $CC$ of
|
||||
@ -766,7 +766,8 @@ However, where a complex component is used, for instance a microcontroller
|
||||
with several modules that could all fail simultaneously, a process
|
||||
of reduction into smaller theoretical components will have to be made.
|
||||
We can term this `heuristic~de-composition'.
|
||||
A modern micro-controller will typically have several modules, which are configured to operate on
|
||||
%
|
||||
A modern micro-controller will typically have several modules which are configured to operate on
|
||||
pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
|
||||
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}.
|
||||
%
|
||||
@ -782,7 +783,7 @@ is then applied to it.}.
|
||||
|
||||
|
||||
|
||||
\paragraph{Reason for FMMD unitary failure mode constraint.} Were this constraint not to be applied
|
||||
\paragraph{Reason for FMMD unitary failure mode constraint.} Were this constraint not to be applied,
|
||||
each component would not contribute $N$ failure modes, % to consider
|
||||
but potentially
|
||||
$2^N$.
|
||||
@ -897,7 +898,7 @@ For example, say
|
||||
the cardinality constraint was 3, we would need to subtract both
|
||||
$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group.
|
||||
|
||||
\subsubsection{Example: Two Component functional group cardinality Constraint of 2}
|
||||
\subsubsection{Example: Two Component functional group Cardinality Constraint of 2}
|
||||
|
||||
For example: suppose we have a simple functional group with two components R and T, of which
|
||||
$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$
|
||||
|
||||
Loading…
Reference in New Issue
Block a user