From 7671005fe3b4799553aa68e9ef9ed8144317b46e Mon Sep 17 00:00:00 2001 
From: Your Name Date: Tue, 20 Mar 2012 19:07:09 +0000 Subject: [PATCH] OK starting to get the new thesis structure actually producing pdf files. In each chapter directory, copy.tex is the source file for the chapter. A makefile should exist in each of these directories, and this when supplied the arg copy will make all images from dia/gnuplot etc --- .../component_failure_modes_definition.tex | 4 +- .../lm258pinout.jpg | Bin .../CH1_introduction/Makefile | 0 submission_thesis/CH1_introduction/copy.tex | 26 + .../CH1_introduction/millivoltsensor.kra | Bin .../CH1_introduction/millivoltsensor.ps | 0 submission_thesis/CH2_FMEA/copy.tex | 26 + submission_thesis/CH3_FMEA_criticism/copy.tex | 26 + submission_thesis/CH4_FMMD/copy.tex | 26 + .../CH5_Examples/Makefile | 19 +- .../CH5_Examples/circuit1001.png | Bin .../CH5_Examples/circuit1_dag.png | Bin .../CH5_Examples/circuit2002.png | Bin .../CH5_Examples/circuit2002_FIVEPOLE.png | Bin .../CH5_Examples/circuit2002_LP1.png | Bin .../CH5_Examples/circuit2h.png | Bin .../CH5_Examples/circuit3003.png | Bin submission_thesis/CH5_Examples/copy.tex | 2200 +++++++++++++++++ .../CH5_Examples/discussion_doc.tex | 0 .../CH5_Examples/lm258pinout.jpg | Bin 0 -> 19408 bytes .../CH5_Examples/non_inv_amp_fmea.png | Bin submission_thesis/CH6_Evaluation/copy.tex | 26 + submission_thesis/CH7_Conculsion/copy.tex | 26 + submission_thesis/Makefile | 9 + submission_thesis/glossary.sty | 979 ++++++++ .../mybib.bib | 0 submission_thesis/titlepage/titlepage.tex | 43 + .../vmgbibliography.bib | 0 thesis_submission/CH1_introduction/copy.tex | 762 ------ 29 files changed, 3402 insertions(+), 770 deletions(-) rename {thesis_submission/CH5_Examples => old_thesis/component_failure_modes_definition}/lm258pinout.jpg (100%) rename {thesis_submission => submission_thesis}/CH1_introduction/Makefile (100%) create mode 100644 submission_thesis/CH1_introduction/copy.tex rename {thesis_submission => submission_thesis}/CH1_introduction/millivoltsensor.kra 
(100%) rename {thesis_submission => submission_thesis}/CH1_introduction/millivoltsensor.ps (100%) create mode 100644 submission_thesis/CH2_FMEA/copy.tex create mode 100644 submission_thesis/CH3_FMEA_criticism/copy.tex create mode 100644 submission_thesis/CH4_FMMD/copy.tex rename {thesis_submission => submission_thesis}/CH5_Examples/Makefile (59%) rename {thesis_submission => submission_thesis}/CH5_Examples/circuit1001.png (100%) rename {thesis_submission => submission_thesis}/CH5_Examples/circuit1_dag.png (100%) rename {thesis_submission => submission_thesis}/CH5_Examples/circuit2002.png (100%) rename {thesis_submission => submission_thesis}/CH5_Examples/circuit2002_FIVEPOLE.png (100%) rename {thesis_submission => submission_thesis}/CH5_Examples/circuit2002_LP1.png (100%) rename {thesis_submission => submission_thesis}/CH5_Examples/circuit2h.png (100%) rename {thesis_submission => submission_thesis}/CH5_Examples/circuit3003.png (100%) create mode 100644 submission_thesis/CH5_Examples/copy.tex rename thesis_submission/CH5_Examples/copy.tex => submission_thesis/CH5_Examples/discussion_doc.tex (100%) create mode 100644 submission_thesis/CH5_Examples/lm258pinout.jpg rename {thesis_submission => submission_thesis}/CH5_Examples/non_inv_amp_fmea.png (100%) create mode 100644 submission_thesis/CH6_Evaluation/copy.tex create mode 100644 submission_thesis/CH7_Conculsion/copy.tex create mode 100644 submission_thesis/Makefile create mode 100644 submission_thesis/glossary.sty rename {thesis_submission => submission_thesis}/mybib.bib (100%) create mode 100644 submission_thesis/titlepage/titlepage.tex rename {thesis_submission => submission_thesis}/vmgbibliography.bib (100%) delete mode 100644 thesis_submission/CH1_introduction/copy.tex diff --git a/old_thesis/component_failure_modes_definition/component_failure_modes_definition.tex b/old_thesis/component_failure_modes_definition/component_failure_modes_definition.tex index 21df93b..7f09509 100644 
--- a/old_thesis/component_failure_modes_definition/component_failure_modes_definition.tex +++ b/old_thesis/component_failure_modes_definition/component_failure_modes_definition.tex @@ -279,7 +279,7 @@ a signal may be lost. We can map this failure cause to a failure symptom, and we can call it $LOW_{slew}$. \paragraph{No Operation - over stress} -Here the OP_AMP has been damaged, and the output may be held HIGH LOW, or may be effectively tri-stated +Here the OP\_AMP has been damaged, and the output may be held HIGH LOW, or may be effectively tri-stated , i.e. not able to drive circuitry in along the next stages of te signal path: we can call theis state NOOP (no Operation). We can map this failure cause to three symptoms, $LOW$, $HIGH$, $NOOP$. @@ -312,7 +312,7 @@ these conditions. \begin{figure} \centering - \includegraphics[width=200pt]{./lm258pinout.jpg} + \includegraphics[width=200pt]{./component_failure_modes_definition/lm258pinout.jpg} % lm258pinout.jpg: 478x348 pixel, 96dpi, 12.65x9.21 cm, bb=0 0 359 261 \caption{Pinout for an LM258 dual OP-AMP} \label{fig:lm258} diff --git a/thesis_submission/CH5_Examples/lm258pinout.jpg b/old_thesis/component_failure_modes_definition/lm258pinout.jpg similarity index 100% rename from thesis_submission/CH5_Examples/lm258pinout.jpg rename to old_thesis/component_failure_modes_definition/lm258pinout.jpg diff --git a/thesis_submission/CH1_introduction/Makefile b/submission_thesis/CH1_introduction/Makefile similarity index 100% rename from thesis_submission/CH1_introduction/Makefile rename to submission_thesis/CH1_introduction/Makefile diff --git a/submission_thesis/CH1_introduction/copy.tex b/submission_thesis/CH1_introduction/copy.tex new file mode 100644 index 0000000..19c375f --- /dev/null +++ b/submission_thesis/CH1_introduction/copy.tex 
@@ -0,0 +1,26 @@ +\section{Copy dot tex} + +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text diff --git a/thesis_submission/CH1_introduction/millivoltsensor.kra b/submission_thesis/CH1_introduction/millivoltsensor.kra similarity index 100% rename from thesis_submission/CH1_introduction/millivoltsensor.kra rename to submission_thesis/CH1_introduction/millivoltsensor.kra diff --git a/thesis_submission/CH1_introduction/millivoltsensor.ps b/submission_thesis/CH1_introduction/millivoltsensor.ps similarity index 100% rename from thesis_submission/CH1_introduction/millivoltsensor.ps rename to submission_thesis/CH1_introduction/millivoltsensor.ps diff --git a/submission_thesis/CH2_FMEA/copy.tex b/submission_thesis/CH2_FMEA/copy.tex new file mode 100644 index 0000000..19c375f --- /dev/null +++ b/submission_thesis/CH2_FMEA/copy.tex @@ -0,0 +1,26 @@ +\section{Copy dot tex} + +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text diff --git a/submission_thesis/CH3_FMEA_criticism/copy.tex b/submission_thesis/CH3_FMEA_criticism/copy.tex new file mode 100644 index 0000000..19c375f --- /dev/null +++ b/submission_thesis/CH3_FMEA_criticism/copy.tex 
@@ -0,0 +1,26 @@ +\section{Copy dot tex} + +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex new file mode 100644 index 0000000..19c375f --- /dev/null +++ b/submission_thesis/CH4_FMMD/copy.tex @@ -0,0 +1,26 @@ +\section{Copy dot tex} + +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text diff --git a/thesis_submission/CH5_Examples/Makefile b/submission_thesis/CH5_Examples/Makefile similarity index 59% rename from thesis_submission/CH5_Examples/Makefile rename to submission_thesis/CH5_Examples/Makefile index 88f84cb..cd64751 100644 --- a/thesis_submission/CH5_Examples/Makefile +++ b/submission_thesis/CH5_Examples/Makefile @@ -5,15 +5,22 @@ PNG_DIA = circuit1_dag.png mvampcircuit.png pd.png invamp.png shared_component.p %.png:%.dia - dia -t png $< - - + dia -t png $< + echo " Chapter 5 DIA images generated" pdf: $(PNG_DIA) - pdflatex copy - acroread copy.pdf & + pdflatex discussion_doc + acroread discussion_doc.pdf & + + +# this is the target used +# to make all images, dia gnuplot etc +# +copy: $(PNG_DIA) + echo "Chapter 5 sub make called" + bib: - bibtex copy + bibtex discussion_doc #makeindex opamps.glo -s opamps.ist -t opamps.glg -o opamps.gls 
diff --git a/thesis_submission/CH5_Examples/circuit1001.png b/submission_thesis/CH5_Examples/circuit1001.png similarity index 100% rename from thesis_submission/CH5_Examples/circuit1001.png rename to submission_thesis/CH5_Examples/circuit1001.png diff --git a/thesis_submission/CH5_Examples/circuit1_dag.png b/submission_thesis/CH5_Examples/circuit1_dag.png similarity index 100% rename from thesis_submission/CH5_Examples/circuit1_dag.png rename to submission_thesis/CH5_Examples/circuit1_dag.png diff --git a/thesis_submission/CH5_Examples/circuit2002.png b/submission_thesis/CH5_Examples/circuit2002.png similarity index 100% rename from thesis_submission/CH5_Examples/circuit2002.png rename to submission_thesis/CH5_Examples/circuit2002.png diff --git a/thesis_submission/CH5_Examples/circuit2002_FIVEPOLE.png b/submission_thesis/CH5_Examples/circuit2002_FIVEPOLE.png similarity index 100% rename from thesis_submission/CH5_Examples/circuit2002_FIVEPOLE.png rename to submission_thesis/CH5_Examples/circuit2002_FIVEPOLE.png diff --git a/thesis_submission/CH5_Examples/circuit2002_LP1.png b/submission_thesis/CH5_Examples/circuit2002_LP1.png similarity index 100% rename from thesis_submission/CH5_Examples/circuit2002_LP1.png rename to submission_thesis/CH5_Examples/circuit2002_LP1.png diff --git a/thesis_submission/CH5_Examples/circuit2h.png b/submission_thesis/CH5_Examples/circuit2h.png similarity index 100% rename from thesis_submission/CH5_Examples/circuit2h.png rename to submission_thesis/CH5_Examples/circuit2h.png diff --git a/thesis_submission/CH5_Examples/circuit3003.png b/submission_thesis/CH5_Examples/circuit3003.png similarity index 100% rename from thesis_submission/CH5_Examples/circuit3003.png rename to submission_thesis/CH5_Examples/circuit3003.png diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex new file mode 100644 index 0000000..f1d1580 --- /dev/null +++ b/submission_thesis/CH5_Examples/copy.tex 
@@ -0,0 +1,2200 @@ +\clearpage \pagenumbering{arabic} +\section{Basic Concepts Of FMMD} + +The idea behind FMMD is to modularise, from the bottom-up, failure mode effects analysis. +Traditional FMEA takes part failure modes and then determines what effect each of these +failure modes could have on the system under investigation. +It is worth defining clearly the term part here. +Geoffry Hall writing in space Craft Systems Engineering~\cite{scse}[p.619], defines it thus: +``{Part(definition)}---The Lowest level of assembly, beyond which further disassembly irrevocably destroys the item''. +In the field of electronics a resistor, capacitor and op-amp would fit this definition of a `part'. +Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mil1991}. + + +Traditional FMEA, by looking at `part' level failure modes +involves what we could term a large `reasoning~distance'; that is to say +in a complex system, taking a particular failure mode, of a particular part +and then trying to predict the outcome in the context of an entire system, is +a leap~of~faith. There will be numerous possibilities of effects and side effects on +other components in the system; more than is practically possible to rigorously examine. +To simply trace a simple route from a particular part failure mode to a top level system error/symptom +oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone. + +Fortunately most real-world designs take a modular approach. In Electronics +for instance, commonly used configurations of parts are used to create +amplifiers, filters, potential dividers etc. +%It is therefore natural to collect parts to form functional groups. +It is common design practise in electronics, to use collections of parts in specific configurations +to form well-defined and well-known building blocks. +These commonly used configurations of parts, or {\fgs}, will +also have a specific failure mode behaviour. 
+We can take a {\fg} and determine its symptoms of failure. +When we have done this we can treat this as a component in its own right. +If we terms `parts' as base~components and components we have determined +from functional groups as derived components, we can modularise FMEA. +If we start building {\fgs} from derived components we can start to build a modular +hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance, +allowing re-use of modules and reducing the number of by-hand analysis checks to consider. + + + + +\paragraph {Definitions} + +\begin{itemize} +\item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}. +\item {\fm} - failure mode - the ways in which a component can fail +\item {\fg} - a collection of components chosen to perform a particular task +\item {\em symptom} - a failure mode of a functional group caused by one or more of its component failure modes. +\item {\dc} - a new component derived from an analysed {\fg} +\end{itemize} + + + +\subsection{Determining the failure modes of components} + +In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail. +Typically when choosing components for a design, we look at manufacturers data sheets, +which describe the range and tolerances, and can indicate how a component may fail/behave +under certain conditions or environments. +How base components could fail internally, its not of interest to an FMEA investigation. +The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its +modes of failure. + +A large body of literature exists which gives guidance for determining component {\fms}. +% +For this study FMD-91~\cite{fmd91} and the gas burner standard EN298~\cite{en298} are examined. 
+%Some standards prescribe specific failure modes for generic component types. +In EN298 failure modes for generic component types are prescribed, or +determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted +are examined. +% + +FMD-91 is a reference document released into the public domain by the United States DOD +and describes `failures' of common electronic components, with percentage statistics for each failure. +FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation. +FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of +component {\fms} suitable for use in FMEA. + + +% One is from the US military document FMD-91, where internal failures +% of components are described (with stats). +% +% The other is EN298 where the failure modes for generic component types are prescribed, or +% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted +% is applied. These techniques +% +% The FMD-91 entries need, in some cases, some interpretation to be mapped to +% component failure symptoms, but include failure modes that can be due to internal failures. +% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC. +% +% Could I come in and see you Chris to quickly discuss these. +% +% I hope to have chapter 5 finished by the end of March, chapter 5 being the +% electronics examples for the FMMD methodology. + +In this section we look in detail at two common electrical components and examine how +the two sources of information define their failure mode behaviour. +We look at the reasons why some known failure modes % are omitted, or presented in +%specific but unintuitive ways. +%We compare the US. military published failure mode specifications wi +can be found in one source but not in the other and vice versa. 
+ +Finally we compare and contrast the failure modes determined for these components +from the FMD-91 reference source and from the guidelines of the +European burner standard EN298. +\subsection{Failure mode determination for generic resistor} + +%- Failure modes. Prescribed failure modes EN298 - FMD91 +\subsubsection{Resistor failure modes according to FMD-91} + + +The resistor is a ubiquitous component in electronics, and is therefore a prime +example for examining its failure modes. +FMD-91\cite{fmd91}[3-178] lists many types of resistor +and lists many possible failure causes. +For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes: +\begin{itemize} + \item Opened 52\% + \item Drift 31.8\% + \item Film Imperfections 5.1\% + \item Substrate defects 5.1\% + \item Shorted 3.9\% + \item Lead damage 1.9\% +\end{itemize} +This information may be of interest to the manufacturer of resistors, but it does not directly +help a circuit designer. +The circuit designer is not interested in the causes of resistor failure, but to build in contingency +against {\fms} that the resistor could exhibit. +We can determine these {\fms} by converting the internal failure descriptions +to {\fms} thus: +%and map these failure causes to three symptoms, +%drift (resistance value changing), open and short. + +\begin{itemize} + \item Opened 52\% $\mapsto$ OPENED + \item Drift 31.8\% $\mapsto$ DRIFT + \item Film Imperfections 5.1\% $\mapsto$ OPEN + \item Substrate defects 5.1\% $\mapsto$ OPEN + \item Shorted 3.9\% $\mapsto$ SHORT + \item Lead damage 1.9\% $\mapsto$ OPEN. +\end{itemize} +The main causes of drift are overloading of components. +This is borne out in entry for a resistor network where the failure +modes do not include drift. +If we can ensure that our resistors will not be exposed to overload conditions, drift or parameter change +can be reasonably excluded. 
+ +\subsubsection{Resistor failure modes according to EN298} + +EN298, the European gas burner safety standard, tends to be give failure modes more directly usable by FMEA than FMD-91. +EN298 requires that a full FMEA be undertaken, examining all failure modes +of all components~\cite{en298}[11.2 5] as part of the certification process. +% +Annex A of EN298, prescribes failure modes for common components +and guidance on determining sets of failure modes for complex components (i.e. integrated circuits). +EN298~\cite{en298}[Annex A] (for most types of resistor) +only requires that the failure mode OPEN be considered in FMEA analysis. +% +For resistor types not specifically listed in EN298, the failure modes +are considered to be either OPEN or SHORT. +The reason that parameter change is not considered for resistors chosen for an EN298 compliant system; is that they must be must be {\em downrated}, +that is to say the power and voltage ratings of components must be calculated +for maximum possible exposure, with a 40\% margin of error. This ensures the resistors will not be overloaded. + +% XXXXXX get ref from colin T + +%If a resistor was rated for instance for + +%These are useful for resistor manufacturersthey have three failure modes +%EN298 +%Parameter change not considered for EN298 because the resistors are down-rated from +%maximum possible voltage exposure -- find refs. + + +% FMD-91 gives the following percentages for failure rates in +% \label{downrate} +% The parameter change, is usually a failure mode associated with over stressing the component. +%In a system designed to typical safety critical constraints (as in EN298) +%these environmentally induced failure modes need not be considered. + + +For this study we will take the conservative view from EN298, and consider the failure +modes for a generic resistor to be both OPEN and SHORT. +i.e. + +$$ fm(R) = \{ OPEN, SHORT \} . 
$$ + +\subsection{Failure modes determination for generic operational amplifier} + +\begin{figure}[h+] + \centering + \includegraphics[width=200pt]{CH5_Examples/lm258pinout.jpg} + % lm258pinout.jpg: 478x348 pixel, 96dpi, 12.65x9.21 cm, bb=0 0 359 261 + \caption{Pinout for an LM358 dual OP-AMP} + \label{fig:lm258} +\end{figure} + +The operational amplifier (op-amp) is a differential amplifier and is very widely used in nearly all fields of modern electronics. +They are typically packaged in dual or quad configurations---meaning +that a chip will typically contain two or four amplifiers. +For the purpose of example, we look at +a typical op-amp designed for instrumentation and measurement, the dual packaged version of the LM358~\cite{lm358} +(see figure~\ref{fig:lm258}), and use this to compare the failure mode derivations from FMD-91 and EN298. + +\subsubsection{ Failure Modes of an OP-AMP according to FMD-91 } + +%Literature suggests, latch up, latch down and oscillation. +For OP-AMP failures modes, FMD-91\cite{fmd91}{3-116] states, +\begin{itemize} + \item Degraded Output 50\% Low Slew rate - poor die attach + \item No Operation - overstress 31.3\% \item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier\% + \item Opened $V_+$ open\% +\end{itemize} + +Again these are mostly internal causes of failure, more of interest to the component manufacturer +than a designer looking for the symptoms of failure. +We need to translate these failure causes within the OP-AMP into {\fms}. +We can look at each failure cause in turn, and map it to potential {\fms}. + +\paragraph{OP-AMP failure cause: Poor Die attach} +The symptom for this is given as a low slew rate. This means that the op-amp +will not react quickly to changes on its input terminals. +This is a failure symptom that may not be of concern in a slow responding system like an +instrumentation amplifier. However, where higher frequencies are being processed +a signal may be lost. 
+We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$. + +\paragraph{No Operation - over stress} +Here the OP\_AMP has been damaged, and the output may be held HIGH LOW, or may be effectively tri-stated +, i.e. not able to drive circuitry in along the next stages of the signal path: we can call this state NOOP (no Operation). +% +We can map this failure cause to three symptoms, $LOW$, $HIGH$, $NOOP$. + +\paragraph{Shorted $V_+$ to $V_-$} +Due to the high intrinsic gain of an op-amp, and the effect of offset currents +this will force the output HIGH or LOW. +We map this failure cause to $HIGH$ or $LOW$. + +\paragraph{Open $V_+$} +This failure cause will mean that the minus input will have the very high gain +of the OP-AMP applied to it, and the output will be forced HIGH or LOW. +We map this failure cause to $HIGH$ or $LOW$. + +\paragraph{Collecting OP-AMP failure modes from FMD-91} +We can define an OP-AMP, under FMD-91 definitions to have the following {\fms}. +$$fm(OP-AMP) = \{ HIGH, LOW, NOOP, LOW_{slew} \} $$ + +\subsubsection{Failure Modes of an OP-AMP according to EN298} + +EN298 does not specifically define OP\_AMPS failure modes; these can be determined +by following a procedure for `integrated~circuits' outlined in +annex~A~\cite{en298}[A.1 note e]. +This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios. +We examine these failure scenarios on the dual packaged $LM358$ %\mu741$ +and determine its {\fms}. 
+ + + + +\paragraph{EN298: Open and shorted pin failure symptom determination technique} + + + + + +\begin{table}[h+] +\caption{LM358: EN298 Single failure symptom extraction} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\ + \hline + + & & & & \\ \hline + + FS1: PIN 1 OPEN & & A output open & & $NOOP_A$ \\ \hline + + FS2: PIN 2 OPEN & & A-input disconnected, & & \\ + & & infinite gain on A+input & & $LOW_A$ or $HIGH_A$ \\ \hline + + FS3: PIN 3 OPEN & & A+input disconnected, & & \\ + & & infinite gain on A-input & & $LOW_A$ or $HIGH_A$ \\ \hline + + FS4: PIN 4 OPEN & & power to chip (ground) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline + + + FS5: PIN 5 OPEN & & B+input disconnected, & & \\ + & & infinite gain on B-input & & $LOW_B$ or $HIGH_B$ \\ \hline + + FS6: PIN 6 OPEN & & B-input disconnected, & & \\ + FS6: PIN 6 OPEN & & infinite gain on B+input & & $LOW_B$ or $HIGH_B$ \\ \hline + + + FS7: PIN 7 OPEN & & B output open & & $NOOP_B$ \\ \hline + + FS8: PIN 8 OPEN & & power to chip & & \\ + FS8: PIN 8 OPEN & & (Vcc) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline + & & & & \\ + & & & & \\ + + & & & & \\ \hline + + FS9: PIN 1 $\stackrel{short}{\longrightarrow}$ PIN 2 & & A -ve 100\% Feed back, low gain & & $LOW_A$ \\ \hline + + FS10: PIN 2 $\stackrel{short}{\longrightarrow}$ PIN 3 & & A inputs shorted, & & \\ + & & output controlled by internal offset & & $LOW_A$ or $HIGH_A$ \\ \hline + + FS11: PIN 3 $\stackrel{short}{\longrightarrow}$ PIN 4 & & A + input held to ground & & $LOW_A$ \\ \hline + + FS12: PIN 5 $\stackrel{short}{\longrightarrow}$ PIN 6 & & B inputs shorted, & & \\ + & & output controlled by internal offset & & $LOW_B$ or $HIGH_B$ \\ \hline + + FS13: PIN 6 $\stackrel{short}{\longrightarrow}$ PIN 7 & & B -ve 100\% Feed back, low gain & & $LOW_B$ \\ \hline + + FS14: PIN 7 $\stackrel{short}{\longrightarrow}$ PIN 8 & & B output held high & & $HIGH_B$ \\ \hline + + 
+\hline +\end{tabular} +\label{tbl:pd} +\end{table} + + +\clearpage + + + +\subsection{Comparing the component failure mode sources} + +EN298 pinouts failure mode technique. +For our OP-AMP example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$) +is missing from the EN298 failure modes set. + +% FMD-91 +% +% I have been working on two examples of determining failure modes of components. +% One is from the US military document FMD-91, where internal failures +% of components are described (with stats). +% +% The other is EN298 where the failure modes for generic component types are prescribed, or +% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted +% is applied. These techniques +% +% The FMD-91 entries need, in some cases, some interpretation to be mapped to +% component failure symptoms, but include failure modes that can be due to internal failures. +% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC. +% +% Could I come in and see you Chris to quickly discuss these. +% +% I hope to have chapter 5 finished by the end of March, chapter 5 being the +% electronics examples for the FMMD methodology. + + + + + +\clearpage + + +%% +%% Paragraph using failure modes to build from bottom up +%% + + + + + + + + + + + + + + +\paragraph{ Creating a fault hierarchy.} +The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc} +level up to the top, or system level, with analysis stages between each +transition to a higher level in the hierarchy. + + +The first stage is to choose +{\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components. +%These parts all have associated fault modes. A module is a set fault~modes. 
+From the point of view of fault analysis, we are not interested in the components themselves, but in the ways in which they can fail. + +A {\fg} is a collection of components that perform some simple task or function. +% +In order to determine how a {\fg} can fail, +we need to consider all failure modes of its components. +% +By analysing the fault behavior of a `{\fg}' with respect to all its components failure modes, +we can determine its symptoms of failure. +%In fact we can call these +%the symptoms of failure for the {\fg}. + +With these symptoms (a set of derived faults from the perspective of the {\fg}) +we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways. +% +In other words we have taken a {\fg}, and analysed how +\textbf{it} can fail according to the failure modes of its components, and then +determined the {\fg} failure modes. + +\paragraph{Creating a derived component.} +We create a new `{\dc}' which has +the failure symptoms of the {\fg} from which it was derived, as its set of failure modes. +This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}. +% +\paragraph{An example of a {\dc}.} +To give an example of this, we could look at the components that +form, say an amplifier. We look at how all the components within it +could fail and how that would affect the amplifier. +% +The ways in which the amplifier can be affected are its symptoms. +% +When we have determined the symptoms, we can +create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms). +We can now treat $AMP1$ as a pre-analysed, higher level component. +The amplifier is an abstract concept, in terms of the components. +To a make an `amplifier' we have to connect a a group of components +in a specific configuration. This specific configuration corresponds to +a {\fg}. Our use of it as a building block corresponds to a {\dc}. 
+ + +%What this means is the `fault~symptoms' of the module have been derived. +% +%When we have determined the fault~modes at the module level these can become a set of derived faults. +%By taking sets of derived faults (module level faults) we can combine these to form modules +%at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way, +%to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed +%as parts, parts which may now be combined to create new functional groups, +%but as parts at a higher level of fault abstraction. +\paragraph{Building the Hierarchy.} +Applying the same process with {\dcs} we can bring {\dcs} +together to form functional groups and create new {\dcs} +at even higher abstraction levels. Eventually we will have a hierarchy +that converges to one top level {\dc}. At this stage we have a complete failure +mode model of the system under investigation. + +\begin{figure}[h] + \centering + \includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png} + % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292 + \caption{FMMD Hierarchy showing ascending abstraction levels} + \label{fig:treeabslev} +\end{figure} + +Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg} +is shown as a `$\bowtie$' symbol. + + +\subsection{An algebraic notation for identifying FMMD enitities} +Consider all `components' to exist as +members of a set $\mathcal{C}$. +% +Each component $c$ has an associated set of failure modes. +We can define a function $fm$ that returns a +set of failure modes $F$, for the component $c$. + +Let the set of all possible components be $\mathcal{C}$ +and let the set of all possible failure modes be $\mathcal{F}$. + +We now define the function $fm$ +as +\begin{equation} +\label{eqn:fm} +fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. 
+\end{equation} +This is defined by, where $c$ is a component and $F$ is a set of failure modes, +$ fm ( c ) = F. $ + +We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection +of components. +%We thus define $FG$ as a set of chosen components defining +%a {\fg}; all functional groups +We can state that +{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ + +We can overload the $fm$ function for a functional group {\FG} +where it will return all the failure modes of the components in {\FG} + + +given by + +$$ fm ({\FG}) = F. $$ + +Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, + +\begin{equation} +fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. +\end{equation} + + +%$$ \mathcal{fm}(C) \rightarrow S $$ +%$$ {fm}(C) \rightarrow S $$ +\paragraph{Abstraction Levels of {\fgs} and {\dcs}} + + +\label{sec:indexsub} +We can indicate the abstraction level of a component by using a superscript. +Thus for the component $c$, where it is a `base component' we can assign it +the abstraction level zero, $c^0$. Should we wish to index the components +(for example as in a product parts-list) we can use a sub-script. +Our base component (if first in the parts-list) could now be uniquely identified as +$c^0_1$. + +We can further define the abstraction level of a {\fg}. +We can say that it is the maximum abstraction level of any of its +components. Thus a functional group containing only base components +would have an abstraction level zero and could be represented with a superscript of zero thus +`${\FG}^0$'. % The functional group set may also be indexed. + +We can apply symptom abstraction to a {\fg} to find +its symptoms. +%We are interested in the failure modes +%of all the components in the {\fg}. An analysis process +We define the symptom abstraction process with the symbol `$\bowtie$'.% is applied to the {\fg}. 
+% +The $\bowtie$ function takes a {\fg} +as an argument and returns a newly created {\dc}. +% +%The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}. +The symptom abstraction process must always raise the abstraction level +for the newly created {\dc}. +Using $\abslevel$ to symbolise the fault abstraction level, we can now state: + +$$ \bowtie({\FG}^{\abslevel}) \rightarrow c^{{\abslevel}+N} | N \ge 1. $$ + +\paragraph{Functional Groups may be indexed} +We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one) +we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index. +For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy. + +\paragraph{The symptom abstraction process in outline.} +The $\bowtie$ function processes each component in the {\fg} and +extracts all the component failure modes. +With all the failure modes, an analyst can +determine how each failure mode will affect the {\fg}, and then collect common symptoms. +A new {\dc} is created +where its failure modes, are the symptoms from {\fg}. +Note that the component must have a higher abstraction level than the {\fg} +it was derived from. + + +\paragraph{Surjective constraint applied to symptom collection.} +We can stipulate that symptom collection process is surjective. +% i.e. $ \forall f in F $ +By stipulating surjection for symptom collection, we ensure +that each component failure mode maps to at least one symptom. +We also ensure that all symptoms have at least one component failure +mode (i.e. one or more failure modes that caused it). +% + +\subsection{FMMD Hierarchy} + +By applying stages of analysis to higher and higher abstraction +levels, we can converge to a complete failure mode model of the system under analysis. 
+Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms) +the number of symptoms is guaranteed to be less than or equal to +the number of component failure modes. + +In practise however, the number of symptoms greatly reduces as we traverse +up the hierarchy. +This is a natural process. When we have complicated systems +they always have a small number of system failure modes in comparison to +the number of failure modes in its sub-systems/components.. + + +\section{Examples of Derived Component like concepts in safety literature} + +Idea stage on this section, integrated circuits and some compond parts (like digital resistors) +are treated like base components. i.e. this sets a precedent for {\dcs}. + +\begin{itemize} + \item Look at OPAMP circuits, pick one (say $\mu$741) + \item Digital transistor perhaps, inside two resistors and a transistor. + \item outline a proposed FMMD analysis + \item Show FMD-91 OPAMP failure modes -- compare with FMMD +\end{itemize} + +The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors +(and for some types of resistors OPEN only). +FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes. +Now a resistor will generally only suffer parameter change when over stressed. +EN298 stipulates down rating by 60\% to maximum stress +possible in a circuit. So even if you have a resistor that preliminary tells you would +never be subjected to say more than 5V, but there is say, a 24V rail +on the circuit, you have to choose resistors able to cope with the 24V +stress/load and then down rate by 60\%. That is to say the resitor should be rated for a maximum +voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$. +Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals. 
+ +\clearpage +Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself. + + +\subsection{{\fgs} Sharing components and Hierarchy} + +With electronics we need to follow the signal path to make sense of failure modes +effects on other parts of the circuit further down that path. +%{\fgs} will naturally have to be in the position of starter +A power-supply is naturally first in a signal path (or failure reasoning path). +That is to say, if the power-supply is faulty, its failure modes are likely to affect +the {\fgs} that have to use it. + +This means that most electronic components should be placed higher in an FMMD +hierarchy than the power-supply. +A shorted de-coupling capactitor caused a `symptom' of the power-supply, +and an open de-coupling capactitor should be considered a `failure~mode' relevant to the logic chip. +% to consider. + +If components can be shared between functional groups, this means that components +must be shareable between {\fgs} at different levels in the FMMD hierarchy. +This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown +in figure~\ref{fig:shared_component}. + +\begin{figure} + \centering + \includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png} + % shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670 + \caption{Optionally shared Component} + \label{fig:shared_component} +\end{figure} + +\subsection{Hierarchy and structure} +By having this structure, the logic circuit element, can accept failure modes from the +power-supply (for instance these might, for the sake of example include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$. +Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say. +But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy. 
+ +\pagebreak[4] +\section{Defining the concept of `comparison~complexity' in FMEA} + +% +% DOMAIN == INPUTS +% RANGE == OUTPUTS +% + +When performing FMEA we have a system under investigation, which will +comprise of a collection of components which have associated failure modes. +The object of FMEA is to determine cause and effect: +from the failure modes (the causes) to the effects (or symptoms of failure). +% +To perform FMEA rigorously +we could stipulate that every failure mode must be checked for effects +against all the components in the system. +We could term this `rigorous~FMEA'~(RFMEA). +The number of checks we have to make to achieve this gives an indication of the complexity of the task. +% +We could term this `comparison~complexity', as it is the number of +paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group. + + +% (except its self of course, that component is already considered to be in a failed state!). +% +Obviously, for a small number of components and failure modes we have a smaller number +of checks to make than for a complicated larger system. +% +We can consider the system as a large {\fg} of components. +We represent the number of components in the {\fg} $G$, by +$ | G | $ +(an indexing and sub-scripting notation to identify particular {\fgs} +within an FMMD hierarchy is given in section~\ref{sec:indexsub}). + +The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}). +We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$ + +If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express +the number of checks required to rigorously examine every +failure mode against all the other components in the system. 
+We can define this as a function, Comparison Complexity, $CC$, with its domain as the system +or {\fg}, $\FG$, and +its range as the number of checks to perform to satisfy a rigorous FMEA inspection. + +Where $\mathcal{\FG}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by, +\begin{equation} +%$$ + CC:\mathcal{\FG} \rightarrow \mathbb{N}, +%$$ +\end{equation} + +and, where n is the number of components in the system/{\fg}, $|fm(c_i)|$ is the number of failure modes +in component ${c_i}$, is given by + +\begin{equation} +\label{eqn:CC} +%$$ + %%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1) + CC(\FG) = (n-1) \sum_{1 \le i \le n} fm(c_i). +%$$ +\end{equation} + +This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$); +equation~\ref{eqn:CC} becomes + +%$$ +\begin{equation} +\label{eqn:rd2} + CC(\FG) = K.(|\FG|-1). +\end{equation} +%$$ +%Equation~\ref{eqn:rd} can also be expressed as +% +% \begin{equation} +% \label{eqn:rd2} +% %$$ +% CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} . +% %$$ +% \end{equation} +\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy} + +An FMMD Hierarchy will have reducing numbers of functional groups as we progress up the hierarchy. +In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to +all {\fgs} on each level. + +We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), +defined by + +\begin{equation} +%$$ +g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) . 
+%$$ +\end{equation} + +Where $L$ represents the number of levels in the FMMD hierarchy, +$|g(\xi)|$ represents the number of functional groups on the level +and $H$ represents an FMMD hierarchy, +we overload the comparison complexity thus: +%$$ +\begin{equation} + \label{eqn:gf} + CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}). +%$$ +\end{equation} + + +\pagebreak[4] +\subsection{Complexity Comparison Examples} + +The potential divider discussed in section~\ref{potdivfmmd} has four failure modes and two components and therefore has $CC$ of 4. +$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$ + +Even considering a $fictitious$ system with just 81 components (with these components +having 3 failure modes each) we would have an $CC$ of + +$$CC(fictitious) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$ + +Ensuring all component failure modes are checked against all other components in a system +-- applying FMEA rigorously -- could be termed +Rigorous FMEA (RFMEA). +The computational order for RFMEA would be polynomial ($O(N^2.K)$) (where $K$ is the variable number of failure modes). + +This order may be acceptable in a computational environment: However, the choosing of {\fgs} and the analysis +process are by-hand/human activities. It can be seen that it is practically impossible to achieve +RFMEA for anything but trivial systems. +% +% Next statement needs alot of justification +% +It is the authors belief that FMMD reduces the comparison complexity enough to make +rigorous checking feasible. 
+ + +\pagebreak[4] +%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD} + +\begin{figure} + \centering + \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png} + % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385 + \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$} + \label{fig:three_tree} +\end{figure} + + + +\subsection{Comparing FMMD and RFMEA comparison complexity} + +Because components have variable numbers of failure modes, +and {\fgs} have variable numbers of components it is difficult to +use the general formula for comparing the number of checks to make for +RFMEA and FMMD. +If we were to create an example by fixing the number of components in a {\fg} +and the number of failure modes per component, we can derive formulae +to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to +all components in a system. + +Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), +$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and +$L$ to be the number of levels in the hierarchy of an FMMD analysis. +We can represent the number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy +with equation~\ref{eqn:anscen}. + +\begin{equation} + \label{eqn:anscen} + \sum_{n=0}^{L} {k}^{n}.k.f.(k-1) +\end{equation} + +The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top -- +there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level. +The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$ +checked against the remaining components in the {\fg} $(k-1)$. 
+ +If, for the sake of example we fix the number of components in a {\fg} to three and +the number of failure modes per component to three, an FMMD hierarchy +would look like figure~\ref{fig:three_tree}. + +\subsection{Worked Example} + +Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis. +Starting at the top, we have a {\fg} with three derived components, each of which has +three failure modes. +Thus the number of checks to make in the top level is $3^0.3.2.3=18$. +On the level below that, we have three {\fgs} each with a +an identical number of checks, $3^1.3.2.3=56$.%{\fg} +On the level below that we have nine {\fgs}, $3^2.3.2.3=168$. +Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}} +{\fgs}). + +If we were to take the system represented in figure~\ref{fig:three_tree}, and +apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC}, +$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $fm(c_n)$ is 3 +and $(|G|-1)$ is 26. +This gives: +$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$. + +In order to get general equations with which to compare RFMEA with FMMD +we can re-write equation~\ref{eqn:CC} in terms of the number of levels +in an FMMD hierarchy. +% +The number of components in the system, is number of components +in a {\fg} raised to the power of the level plus one. +Thus we re-write equation~\ref{eqn:CC} as: + + +\begin{equation} + \label{eqn:fmea_state_exp21} + \sum_{n=1}^{k^{L+1}}.(k^{L+1}-1).f \; , % \\ + %(N^2 - N).f +\end{equation} + +or + +\begin{equation} + \label{eqn:fmea_state_exp22} + k^{L+1}.(k^{L+1}-1).f \;. % \\ + %(N^2 - N).f +\end{equation} + +We can now use equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$) +the two approaches, for the work required to perform rigorous checking. 
+ + +For instance, having four levels +of FMMD analysis, with these fixed numbers, +%(in addition to the top zeroth level) +will require 81 base level components. + +$$ +%\begin{equation} + \label{eqn:fmea_state_exp22} + 3^4.(3^4-1).3 = 81.(81-1).3 = 19440 % \\ + %(N^2 - N).f +%\end{equation} +$$ + +$$ +%\begin{equation} + % \label{eqn:anscen} + \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 +%\end{equation} +$$ + +% \subsection{Exponential squared to Exponential} +% +% can I say that ? + +\section{Problems in choosing membership of functional groups} + +\subsection{Side Effects: A Problem for FMMD analysis} +A problem with modularising according to functionality is that we can have component failures that would +intuitively be associated with one {\fg} that may cause unintended side effects in other +{\fgs}. +For instance were we to have a component that on failing $SHORT$ could bring down +a voltage supply rail, this could have drastic consequences for other +functional groups in the system we are examining. + +\pagebreak[3] +\subsubsection{Example de-coupling capacitors in logic circuits} + +A good example of this, are de-coupling capacitors, often used +over the power supply pins of all chips in a digital logic circuit. +Were any of these capacitors to fail $SHORT$ they could bring down +the supply voltage to the other logic chips. + + +To a power-supply, shorted capacitors on the supply rails +are a potential source of the symptom, $SUPPLY\_SHORT$. +In a logic chip/digital circuit {\fg} open capacitors are a potential +source of symptoms caused by the failure mode $INTERFERENCE$. +So we have a `symptom' of the power-supply, and a `failure~mode' of + the logic chip to consider. + +A possible solution to this is to include the de-coupling capacitors +in the power-supply {\fg}. +% decision, could they be included in both places ???? +% I think so + + +Because the capacitor has two potential failure modes (EN298) +this raises another issue for FMMD. 
A de-coupling capacitor going $OPEN$ might not be considered relevant to +a power-supply module (but there might be additional noise on its output rails). +But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$. + +Some logic chips are more susceptible to $INTERFERENCE$ than others. +A logic chip with de-coupling capacitor failing, may operate correctly +but interfere with other chips in the circuit. + +There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}. +This allows for the general principle of a component failure affecting more than one {\fg} in a circuit. +This allows functional groups to share components where necessary. +This does not break the modularity of the FMMD technique, because, as {\irl} +one component failure may affect more than one sub-system. +It does uncover a weakness in the FMMD methodology though. +It could be very easy to miss the side effect and include +the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. + + + +\section{Double Simultaneous Failures} + +The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low. +However, some critical systems have to consider these type of eventualities. +The burner control industry has to consider double failures, as specified in European Norm +EN298~\cite{en298}. EN298 does not specifically state that +double simultaneous failures must be considered. What it does say is that +in the event of a lockout---a condition where an error has been detected and +the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition. 
+% +This is slightly vague: there are so many possible component failures that could +cause a secondary failure, that it is very difficult not to interpret this +as meaning we have to cater for double simultaneous failures for the most critical sections +of a burner control system. +% +In practise---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel +is not allowed to flow under an error condition. This would of course leave the possibility of +other more complex double failures tricking the controller into thinking the +combustion was actually safe when it was not. +% +It would be impractical to +perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller. + +It has been shown that, for all but trivial small systems, double failure mode checking +is impossible from a practical perspective. +FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature +of choosing {\fgs} we will not (in the initial stages) be cross checking all possible +combinations of double failures in all the components. + +The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks +to model failure mode scenarios. The failure scenario is defined by the contours that enclose it. +Consider a system which has four components $c_1 \ldots c_4$. +Consider that each of these components may fail in two ways: $a$ and $b$, i.e $fm(c_1) = fm(c_2) = \{a,b\}$. +Now consider two {\fgs}, $fg1 = \{ c_1, c_2 \}$ and $fg2 = \{ c_3, c_4 \}$. + +We list all the possible failure scenarios as $FS1 \ldots FS6$ for each functional group. +For instance $FS5$ is the result of component $c_2$ failing with failure mode $a$ and component $c_1$ failing +with failure mode $b$. We can express this as $c_2 a \cup c_1 b$. 
+ + +\begin{figure}[h] + \centering + \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/dubsim1.png} + % dubsim1.png: 612x330 pixel, 72dpi, 21.59x11.64 cm, bb=0 0 612 330 + \caption{Simultaneous Failure Mode Scenarios} + \label{fig:dubsim1} +\end{figure} + + + +From figure~\ref{fig:dubsim1} we can see that the double failure modes within the {\fgs} have been examined. +How do we model the double failures that occur across the {\fgs}, for instance +$c_4 a \cup c_1 a$. +It could be argued that because functional groups are chosen for their functionality, and re-usability +that component failures in one should not affect a different {\fg}, but this is a weak argument. +Merely double checking within {\fgs} would be marginally better than +only applying it to the most obvious critical elements of a system. + +What is really required is a way that all double simultaneous failures +are checked. + +One way of doing this is to apply double failure mode +checking to all {\fgs} higher up in the hierarchy. + +This guarantees to check the symptoms caused by the +failure modes in the other {\fgs} with the symptoms +derived from the other {\fgs} modelling for double failures. +% +By traversing down the tree we can automatically determine which +double simultaneous combinations have not been resolved. +% +By applying double simultaneous checking until no single failures +canlead to a top level event, we +double failure move coverage. + +To extend the example in figure~\ref{fig:dubsim1} we can map the failure +scenarios. +For Functional Group 1 (FG1), let us map: +\begin{eqnarray*} + FS1 & \mapsto & S1 \\ + FS2 & \mapsto & S3 \\ + FS3 & \mapsto & S1 \\ + FS4 & \mapsto & S2 \\ + FS5 & \mapsto & S2 \\ + FS6 & \mapsto & S3 +\end{eqnarray*} + +Thus a derived component, DC1, has the failure modes defined by $fm(DC1) = \{ S1, S2, S3 \}$. 
+ + +For Functional Group 2 (FG2), let us map: +\begin{eqnarray*} + FS1 & \mapsto & S4 \\ + FS2 & \mapsto & S5 \\ + FS3 & \mapsto & S5 \\ + FS4 & \mapsto & S4 \\ + FS5 & \mapsto & S6 \\ + FS6 & \mapsto & S5 +\end{eqnarray*} + +%This AUTOMATIC check can reveal WHEN double checking no longer necessary +%in the hierarchy to cover dub sum !!!!! YESSSS + +\section{Example Analysis: Non-Inverting OPAMP} +Consider a non inverting op-amp designed to amplify +a small positive voltage (typical use would be a thermocouple amplifier +taking a range from 0 to 25mV and amplifying it to the useful range of an ADC, approx 0 to 4 volts). + + +\begin{figure}[h+] + \centering + \includegraphics[width=100pt]{CH5_Examples/mvampcircuit.png} + % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 + \label{fig:mvampcircuit} + \caption{positive mV amplifier circuit} +\end{figure} + +We can begin by looking for functional groups. +The resistors $ R1, R2 $ perform a fairly common function in electronics, that of the potential divider. +So we can examine $\{ R1, R2 \}$ as a {\fg}. + + +\subsection{The Resistor in terms of failure modes} + +We can now determine how the resistors can fail. +According to GAS standard EN298 the failure modes to consider for resistors are OPEN and SHORT. + + +We can express the failure modes of a component using the function $fm$, thus for the resistor, $ fm(R) = \{ OPEN, SHORT \}$. + + +We have two resistors in this circuit and therefore four component failure modes to consider for the potential divider. +We can now examine what effect each of these failures will have on the {\fg} (see table~\ref{tbl:pd}). 
+ + +\subsection{Analysing a potential divider in terms of failure modes} + + +\label{potdivfmmd} + + + +\begin{figure}[h+] + \centering + \includegraphics[width=100pt,keepaspectratio=true]{CH5_Examples/pd.png} + % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241 + \label{fig:pdcircuit} + \caption{Potential Divider Circuit} +\end{figure} + + +\begin{table}[h+] +\caption{Potential Divider: Single failure analysis} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\ + \hline + FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\ + FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline + FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\ + FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline +\hline +\end{tabular} +\label{tbl:pd} +\end{table} + +We can now create a {\dc} for the potential divider, $PD$. + + $$ fm(PD) = \{ PDLow, PDHigh \}$$ + +Let use now consider the op-amp. According to +FMD-91~\cite{fmd91}[3-116] an op amp may have the following failure modes: +latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%). + + +\subsection{Analysing the non-inverting amplifier in terms of failure modes} + +$$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ + + +We can now form a {\fg} with $PD$ and $OPAMP$. 
+ +\begin{figure} + \centering + \includegraphics[width=300pt]{CH5_Examples/non_inv_amp_fmea.png} + % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369 + \label{fig:invampanalysis} +\end{figure} + + + + +\begin{table}[h+] +\caption{NIAMP: Single failure analysis} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Non In Amp Effect} & & \textbf{Symptom} \\ + \hline + FS1: PD HIGH & & $LOW$ & & $Low$ \\ + FS2: PD LOW & & $HIGH$ & & $High$ \\ \hline + FS3: OPAMP $L_{UP}$ & & $HIGH$ & & $High$ \\ + FS4: OPAMP $L_{DOWN}$ & & $LOW$ & & $Low$ \\ + FS5: OPAMP $Noop$ & & $LOW$ & & $Low$ \\ + FS5: OPAMP $Low slew$ & & $LOW$ & & $Lowpass$ \\ \hline + +\hline +\end{tabular} +\label{tbl:pd} +\end{table} + +We can collect symptoms from the analysis and create a derived component +to represent the non-inverting amplifier $NI\_AMP$. +We now have can express the failure mode behaviour of this type of amplifier thus: + +$$ fm(NIAMP) = \{ {lowpass}, {high}, {low} \}.$$ + + + +\clearpage +\section{Inverting OPAMP} + +\label{sec:invamp} + +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{CH5_Examples/invamp.png} + % invamp.png: 378x207 pixel, 72dpi, 13.34x7.30 cm, bb=0 0 378 207 + \caption{Inverting Amplifier Configuration} + \label{fig:invamp} +\end{figure} + +%This configuration is interesting from methodology pers. +There are two obvious ways in which we can model this circuit: +One is to do this in two stages, by considering the gain resistors to be an inverted potential divider +and then combining it with the OPAMP failure mode model. +The second is to place all three components in a {\fg}. +Both approaches are followed in the next two sub-sections. + +\subsection{Inverting OPAMP using a Potential Divider {\dc}} + +We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative. 
+We want if possible to have detectable errors, HIGH and LOW are better than OUTOFRANGE. +If we can refine the operational states of the functional group, we can obtain clearer +symptoms. +If we consider the input will only be positive, we can invert the potential divider (see table~\ref{tbl:pdneg}). + +\begin{table}[h+] +\caption{Inverted Potential divider: Single failure analysis} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Inverted Pot Div Effect} & & \textbf{Symptom} \\ + \hline + FS1: R1 SHORT & & $HIGH$ & & $PDHigh$ \\ \hline + FS2: R1 OPEN & & $LOW$ & & $PDLow$ \\ \hline + FS3: R2 SHORT & & $LOW$ & & $PDLow$ \\ \hline + FS4: R2 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline +\hline +\end{tabular} +\label{tbl:pdneg} +\end{table} + +We can form a {\dc} from this, and call it an inverted potential divider $INVPD$. + +We can now form a {\fg} from the OPAMP and the $INVPD$ + +\begin{table}[h+] +\caption{Inverting Amplifier: Single failure analysis} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline + \hline + FS1: INVPD LOW & & NEGATIVE on -input & & $ HIGH $ \\ + FS2: INVPD HIGH & & Positive on -input & & $ LOW $ \\ + + FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline + + FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline + + FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline + + FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline +\hline +\end{tabular} +\label{tbl:invamppd} +\end{table} + + +This gives the same results as the analysis from figure~\ref{fig:invampanalysis}. + + + +%The differences are the root causes or component failure modes that +%lead to the symptoms (i.e. the symptoms are the same but causation tree will be different). 
+ + $$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$ + + +\subsection{Inverting OPAMP analysing with three components in one {\fg}} + +%We can use this for a more general case, because we can examine the +%effects on the circuit for each operational case (i.e. input +ve +%or input -ve), see table~\ref{tbl:invamp}. +%Because symptom collection is defined as surjective (from component failure modes +%to symptoms) we cannot have a component failure mode that maps to two different symptoms (within a functional group). +%Note that here we have a more general symptom $ OUT OF RANGE $ which could mean either +%$HIGH$ or $LOW$ output. + +% 08feb2012 bugger considering -ve input. It complicates things. +% maybe do an ac amplifier later at some stage. + +\begin{table}[h+] +\caption{Inverting Amplifier: Single failure analysis: 3 components} +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline + \hline + FS1: R1 SHORT & & NEGATIVE out of range & & $ HIGH $ \\ + % FS1: R1 SHORT -ve in & & POSITIVE out of range & & $ OUT OF RANGE $ \\ \hline + + FS2: R1 OPEN & & zero output & & $ LOW $ \\ + % FS2: R1 OPEN -ve in & & zero output & & $ ZERO OUTPUT $ \\ \hline + + FS3: R2 SHORT & & $INVAMP_{nogain} $ & & $ LOW $ \\ + % FS3: R2 SHORT -ve in & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline + + FS4: R2 OPEN & & NEGATIVE out of range $ $ & & $ LOW$ \\ + % FS4: R2 OPEN -ve in & & POSITIVE out of range $ $ & & $OUT OF RANGE $ \\ \hline + + FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline + + FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline + + FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline + + FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline +\hline +\end{tabular} +\label{tbl:invamp} +\end{table} + + +$$ fm(INVAMP) = \{ HIGH, LOW, NO GAIN, LOW PASS \} $$ + + +%Much more general. 
OUT OF RANGE symptom maps to many component failure modes. +%Observability problem... system. In fact can we get a metric of how observable +%a system is using the ratio of component failure modes X op states to a symptom ???? +%Could further refine this if MTTF stats available for each component failure. + + + +%\clearpage + +\subsection{Comparison between the two approaches} +\label{sec:invampcc} +The first analysis looks at an inverted potential divider, analyses its failure modes, +and from this we obtain a {\dc} (INVPD). +We applied a second analysis stage with the known failure modes of the op-amp and the failure modes of INVPD. + +The second analysis (3 components) has to look at the effects of each failure mode of each resistor +on the op-amp circuit. This is more to think about---or in other words an increase in the complexity of the analysis---than comparing the two known failure modes +from the pre-analysed inverted potential divider. The complexity comparison figures +bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$ +and for the second analysis a CC of $8.(3-2)=16$. + +% CAN WE MODULARISE TOO FAR???? CAN W MAKE IT TOO FINELY GRAINED. 08FEB2012 + +%Again, for the two stage analysis, using equation~\ref{eqn:rd}, we obtain a CC of $4.(2-1)+6.(2-1)=10$ +%and for the second analysis a CC of $8.(3-2)=16$. + + +%If the input voltage can be negative the potential divider +%becomes reversed in polarity. +%This means that detecting which failure mode has occurred from knowing the symptom, has become a more difficult task; or in other words +%the observability of the causes of failure are reduced. Instead of the more specific symptoms $HIGH$ or $LOW$ we +%obtain $OUT OF RANGE$ instead. 
+ +\clearpage +\section{Op-Amp circuit 1} + +\begin{figure}[h] + \centering + \includegraphics[width=200pt]{CH5_Examples/circuit1001.png} + % circuit1001.png: 420x300 pixel, 72dpi, 14.82x10.58 cm, bb=0 0 420 300 + \caption{Circuit 1} + \label{fig:circuit1} +\end{figure} + + +The amplifier in figure~\ref{fig:circuit1} amplifies the difference between +the input voltages $+V1$ and $+V2$. +It would be desirable to represent this circuit as a derived component called say $DiffAMP$. +We begin by identifying functional groups from the components in the circuit. + + +\subsection{Functional Group: Potential Divider} +For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{potdivfmmd}. + +%R1 and R2 perform as a potential divider. +%Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A). +%$$ fm(R) = \{ OPEN, SHORT \}$$ + + + +% \begin{table}[ht] +% \caption{Potential Divider $PD$: Failure Mode Effects Analysis: Single Faults} % title of Table +% \centering % used for centering table +% \begin{tabular}{||l|c|c|l|l||} +% \hline \hline +% \textbf{Test} & \textbf{Pot.Div} & \textbf{ } & \textbf{General} \\ +% \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\ +% % R & wire & res + & res - & description +% \hline +% \hline +% TC1: $R_1$ SHORT & LOW & & LowPD \\ +% TC2: $R_1$ OPEN & HIGH & & HighPD \\ \hline +% TC3: $R_2$ SHORT & HIGH & & HighPD \\ +% TC4: $R_2$ OPEN & LOW & & LowPD \\ \hline +% \hline +% \end{tabular} +% \label{tbl:pdfmea} +% \end{table} +% +% By collecting the symptoms in table~\ref{tbl:pdfmea} we can create a derived +% component $PD$ to represent the failure mode behaviour +% of a potential divider. + +Thus for single failure modes, a potential divider can fail +with $fm(PD) = \{PDHigh,PDLow\}$. + + +The potential divider is used to program the gain of IC1. +IC1 and PD provide the function of buffering +/amplifying the signal $+V1$. 
+We can now examine IC1 and PD as a functional group. + +\pagebreak[3] +\subsection{Functional Group: Amplifier} + +Let use now consider the op-amp. According to +FMD-91~\cite{fmd91}[3-116] an op amp may have the following failure modes: +latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%). + + +$$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ + + +By bringing the $PD$ derived component and the $OPAMP$ into +a functional group we can analyse its failure mode behaviour. + + +\begin{table}[ht] +\caption{Non Inverting Amplifier $NI\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\ + \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC1: $OPAMP$ LatchUP & Output High & & AMPHigh \\ + TC2: $OPAMP$ LatchDown & Output Low : Low gain& & AMPLow \\ \hline + TC3: $OPAMP$ No Operation & Output Low & & AMPLow \\ + TC4: $OPAMP$ Low Slew & Low pass filtering & & LowPass \\ \hline + TC5: $PD$ LowPD & Output High & & AMPHigh \\ \hline + TC6: $PD$ HighPD & Output Low : Low Gain& & AMPLow \\ \hline + %TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline +\hline +\end{tabular} +\label{ampfmea} +\end{table} + + +Collecting the symptoms we can see that this amplifier fails +in 3 ways $\{ AMPHigh, AMPLow, LowPass \}$. +We can now create a derived component, $NI\_AMP$, to represent it. + + +$$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} $$ + + + + +\subsection{The second Stage of the amplifier} + +The second stage of this amplifier, following the signal path, is the amplifier +consisting of $R3,R4,IC2$. + +This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier. +The first amplifier was grounded and received as input `+V1' (presumably +a positive voltage). 
+This means the junction of R1 R3 is always +ve. +This means the input voltage `+V2' could be lower than this. +This means R3 R4 is not a potential divider with R4 being on the positive side. +It could be on either polarity (i.e. the other way around R4 could be the negative side). +Here it is more intuitive to model the resistors not as a potential divider, but individually. +%This means we are either going to +%get a high or low reading if R3 or R4 fail. + +\begin{table}[ht] +\caption{Second Amplifier $SEC\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\ + \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC1: $OPAMP$ LatchUP & Output High & & AMPHigh \\ + TC2: $OPAMP$ LatchDown & Output Low : Low gain & & AMPLow \\ \hline + TC3: $OPAMP$ No Operation & Output Low & & AMPLow \\ + TC4: $OPAMP$ Low Slew & Low pass filtering & & LowPass \\ \hline + TC5: $R3\_open$ & +V2 follower & & AMPIncorrectOutput\\ \hline + TC6: $R3\_short$ & Undefined & & AMPIncorrectOutput \\ + & (impedance of IC1 vs +V2) & & \\ \hline + TC5: $R4\_open$ & High or Low output & & AMPIncorrectOutput \\ + & +V2$>$+V1 $\mapsto$ High & & \\ + & +V1$>$+V2 $\mapsto$ Low & & \\ \hline + TC6: $R4\_short$ & +V2 follower & & AMPIncorrectOutput \\ \hline + %TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline +\hline +\end{tabular} +\label{ampfmea} +\end{table} + +Collecting the symptoms we can see that this amplifier fails +in 4 ways $\{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput\}$. +We can now create a derived component, $SEC\_AMP$, to represent it. + + +$$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} $$ + + + +%Its failure modes are therefore the same. 
We can therefore re-use +%the derived component for $NI\_AMP$ + +\pagebreak[4] +\subsection{Modelling the circuit} + +For the final stage of this we can create a functional group consisting of +two derived components of the type $NI\_AMP$ and $SEC\_AMP$. + + + +\begin{table}[ht] +\caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Dual Amplifier} & \textbf{ } & \textbf{General} \\ + \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC1: $NI\_AMP$ AMPHigh & opamp 2 driven high & & DiffAMPLow \\ + TC2: $NI\_AMP$ AMPLow & opamp 2 fdriven low & & DiffAMPHigh \\ + TC3: $NI\_AMP$ LowPass & opamp 2 driven with lag & & DiffAMP\_LP \\ \hline + TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & & DiffAMPHigh\\ + TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & & DiffAMPLow \\ + TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & & DiffAMP\_LP \\ \hline + TC7: $SEC\_AMP$ IncorrectOutput & Output voltage & & DiffAMPIncorrect \\ + TC7: $SEC\_AMP$ & $ \neg (V2 - V1) $ & & \\ \hline +\hline +\end{tabular} +\label{ampfmea} +\end{table} + + + +Collecting the symptoms, we can determine the failure modes for this circuit, $\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$. + + +We now create a derived component to represent the circuit in figure~\ref{fig:circuit1}. + +$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP DiffAMPIncorrect\} $$ + + +Its interesting here to note that we can draw a directed graph (figure~\ref{fig:circuit1_dag}) +of the failure modes and derived components. +Using this we can trace any top level fault back to +a component failure mode that could have caused it. +In fact we can re-construct an FTA diagram from the information in this graph. 
+We merely have to choose a top level event and work down using $XOR$ gates. + +This circuit performs poorly from a safety point of view. +Its failure modes could be indistinguishable from valid readings (especially +when it becomes a V2 follower). + +\begin{figure}[h] + \centering + \includegraphics[width=400pt]{CH5_Examples/circuit1_dag.png} + % circuit1_dag.png: 797x1145 pixel, 72dpi, 28.12x40.39 cm, bb=0 0 797 1145 + \caption{Directed Acyclic Graph of Circuit1 failure modes} + \label{fig:circuit1_dag} +\end{figure} + + + + +\clearpage +\section{Op-Amp circuit 2} + + + \begin{figure}[h] + \centering + \includegraphics[width=200pt]{CH5_Examples/circuit2002.png} + % circuit2002.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331 + \caption{circuit 2} + \label{fig:circuit2} +\end{figure} + + + + +The circuit in figure~\ref{fig:circuit2} shows a five pole low pass filter. +Starting at the input, we have a first order low pass filter buffered by an op-amp, +the output of this is passed to a Sallen~Key~\cite{aoe}[p.267] second order lowpass filter. +The output of this is passed into another Sallen~Key filter -- which although it may have different values +for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective. +Thus we can analyse the first Sallen~Key low pass filter and re-use the results. + + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/blockdiagramcircuit2.png} + % blockdiagramcircuit2.png: 689x83 pixel, 72dpi, 24.31x2.93 cm, bb=0 0 689 83 + \caption{Signal Flow though the five pole low pass filter} + \label{fig:blockdiagramcircuit2} +\end{figure} + + +\paragraph{First Order Low Pass Filter.} +\label{sec:lp} +We begin with the first order low pass filter formed by $R10$ and $C10$. 
+% +This configuration (or {\fg}) is very commonly +used in electronics to remove unwanted high frequencies/interference +form a signal; Here it is being used as a first stage of +a more sophisticated low pass filter. +% +R10 and C10 act as a potential divider, with the crucial difference between a purely resistive potential divider being +that the impedance of the capacitor is lower for higher frequencies. +Thus higher frequencies are attenuated at the point that we +read its output signal. +However, from a failure mode perspective we can analyse it in a very similar way +to a potential divider (see section~\ref{potdivfmmd}). +Capacitors generally fail OPEN but some types fail OPEN and SHORT. +We will consider the latter type for this analysis. +We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\ + + +\begin{table}[h+] +\caption{FirstOrderLP: Failure Mode Effects Analysis: Single Faults} % title of Table +\label{tbl:firstorderlp} + +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\ + & & \textbf{Low Pass Filter} & & \\ + \hline + FS1: R10 SHORT & & $No Filtering$ & & $LPnofilter$ \\ \hline + FS2: R10 OPEN & & $No Signal$ & & $LPnosignal$ \\ \hline + FS3: C10 SHORT & & $No Signal$ & & $LPnosignal$ \\ \hline + FS4: C10 OPEN & & $No Filtering$ & & $LPnofilter$ \\ \hline + +\hline + +\end{tabular} +\end{table} + + +We can collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component +called $FirstOrderLP$. Applying the $fm$ function yields $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$ + +\paragraph{Addition of Buffer Amplifier: First stage.} + +The opamp IC1 is being used simply as a buffer. By placing it between the next stages +on the signal path we remove the possibility of unwanted signal feedback. +The buffer is one of the simplest op-amp configurations. 
+It has no other components, and so we can now form a {\fg} +from the $FirstOrderLP$ and the OPAMP component. + +\begin{table}[ht] +\caption{First Stage LP1: Failure Mode Effects Analysis: Single Faults} % title of Table +\label{tbl:firststage} +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\ + \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC1: $OPAMP$ LatchUP & Output High & & LP1High \\ + TC2: $OPAMP$ LatchDown & Output Low & & LP1Low \\ + TC3: $OPAMP$ No Operation & Output Low & & LP1Low \\ + TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & & LP1filterincorrect \\ \hline + TC5: $LPnofilter $ & No low pass filtering & & LP1filterincorrect \\ + TC6: $LPnosignal $ & No input signal & & LP1nosignal \\ \hline + \hline + +\hline +\end{tabular} + +\end{table} + +From the table~\ref{tbl:firststage} we can see three symptoms of failure of +the first stage of this circuit (i.e. R10,C10,IC1). +We can create a derived component for it, lets call it $LP1$. + +$$ fm(LP1) = \{ LP1High, LP1Low, LP1filterincorrect, LP1nosignal \} $$ + + +In terms terms of the circuit we have modelled the functional groups $FirstOrderLP$, and +$LP1$. We can represent these on the circuit diagram by drawing contours around the components +on the schematic as in figure~\ref{fig:circuit2002_LP1}. + +\begin{figure}[h] + \centering + \includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/circuit2002_LP1.png} + % circuit2002_LP1.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331 + \caption{Circuit showing functional groups modelled so far.} + \label{fig:circuit2002_LP1} +\end{figure} + + +\paragraph{Second order Sallen Key Low Pass Filter.} +The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3. +From a failure mode perspective these are identical. 
+We can analyse the first one and then re-use these results for the second. + +\begin{table}[ht] +\caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\ + \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC1: $OPAMP$ LatchUP & Output High & & SKLPHigh \\ + TC2: $OPAMP$ LatchDown & Output Low & & SKLPLow \\ + TC3: $OPAMP$ No Operation & Output Low & & SKLPLow \\ + TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & & SKLPfilterIncorrect \\ \hline + TC5: R1 OPEN & No input signal & & SKLPfilterIncorrect \\ + TC6: R1 SHORT & incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline + + TC7: R2 OPEN & No input signal & & SKLPnosignal \\ + TC8: R2 SHORT & incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline + + TC9: C1 OPEN & reduced/incorrect low pass filtering & & SKLPfilterIncorrect\\ + TC10: C1 SHORT & reduced/incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline + + TC11: C2 OPEN & reduced/incorrect low pass filtering & & SKLPfilterIncorrect \\ + TC12: C2 SHORT & No input signal, low signal & & SKLPnosignal \\ \hline + \hline +\hline +\end{tabular} +\label{tbl:sallenkeylp} +\end{table} + + + + + + +We now can create a derived component to represent the Sallen Key low pass filter, which we can call $SKLP$. + + +$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$ + + +\paragraph{A failure mode model of Op-Amp Circuit 2.} + +We now have {\dcs} representing the three stages of this filter +and this follows the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}). 
+ + + + +As the signal has to pass though each block/stage +in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg} +in order to get a failure mode model for the whole circuit. +We can index the Sallen Key stages, and these are marked on the ciruit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}. + +\begin{figure}[h]+ + \centering + \includegraphics[width=200pt]{CH5_Examples/circuit2002_FIVEPOLE.png} + % circuit2002_FIVEPOLE.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331 + \caption{Functional Groups in Five Pole Low Pass Filter on schematic} + \label{fig:circuit2002_FIVEPOLE} +\end{figure} + +\pagebreak[4] + +So our final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$. +We represent the desired FMMD hierarchy in figure~\ref{fig:circuit2h}. + + +\begin{figure}[h]+ + \centering + \includegraphics[width=300pt]{CH5_Examples/circuit2h.png} + % circuit2h.png: 676x603 pixel, 72dpi, 23.85x21.27 cm, bb=0 0 676 603 + \caption{FMMD Hierarchy for five pole Low Pass Filter} + \label{fig:circuit2h} +\end{figure} + +%\pagebreak[4] + + + + + + + +%$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$ +%$$ fm(LP1) = \{ LP1High, LP1Low, LP1ExtraLowPass, LP1NoLowPass \} $$ + +\begin{table}[ht]+ +\caption{Five Pole Low Pass Filter: Failure Mode Effects Analysis: Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|l|l|l||} +\hline \hline + \textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\ + \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC1: $LP1$ LP1High & signal HIGH & & HIGH \\ + TC2: $LP1$ SKLPLow & signal LOW & & LOW \\ + TC3: $LP1$ LP1filterIncorrect & filtering incorrect & & FilterIncorrect \\ + TC4: $LP1$ LP1nosignal & no signal propagated & & NO\_SIGNAL \\ \hline + + + + TC5: $SKLP_1$ High & signal HIGH & & HIGH \\ + TC6: $SKLP_1$ 
Low & signal LOW & & LOW \\ + TC7: $SKLP_1$ filterIncorrect & filtering incorrect & & FilterIncorrect \\ + TC8: $SKLP_1$ nosignal & no signal propagated & & NO\_SIGNAL \\ \hline + + + TC9: $SKLP_2$ High & signal HIGH & & HIGH \\ + TC10: $SKLP_2$ Low & signal LOW & & LOW \\ + TC11: $SKLP_2$ filterIncorrect & filtering incorrect & & FilterIncorrect \\ + TC12: $SKLP_2$ nosignal & no signal propagated & & NO\_SIGNAL \\ \hline + + \hline +\hline +\end{tabular} +\label{tbl:fivepole} +\end{table} + +We now can create a {\dc} to represent the circuit in figure~\ref{fig:circuit2}, we can call it +$FivePoleLP$ and applying the $fm$ function to it (see table~\ref{tbl:fivepole}) yields $fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}$. + + +\pagebreak[4] + +The failure modes for the low pass filters are very similar, and the propogation of the signal +is simple (as it is never inverted). The circuit under analysis is -- as shown in the block diagram (see figure~\ref{fig:blockdiagramcircuit2}) -- +three opamp driven non-inverting low pass filter elements; It is not suprising therefore that they have very similar failure modes. +From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$ +could be easily detected; the failure symptom $FilterIncorrect$ may be less observable. + + + +\clearpage +\section{Op-Amp circuit 3} + + \begin{figure}[h] + \centering + \includegraphics[width=200pt]{CH5_Examples/circuit3003.png} + % circuit3003.png: 503x326 pixel, 72dpi, 17.74x11.50 cm, bb=0 0 503 326 +\caption{Circuit 3} + \label{fig:circuit3} +\end{figure} + +%\clearpage +%\section{Standard Non-inverting OP AMP} + +This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37]. +The circuit uses four 45 degree phase shifts, and an inverting amplifier to provide +gain and the final 180 degrees of phase shift (making a total of 360 degrees of phase shift). + +From a fault finding perspective this circuit is less than ideal. 
+The signal path is circular (its a positive feedback circuit) and most failures would simply cause the output to stop oscillating. +%The top level failure modes for the FMMD hierarchy bear this out. +%However, FMMD is a bottom -up analysis methodology and we can therefore still identify +%{\fgs} and apply analysis from a failure mode perspective. +% +If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with +($4.4 +10.2 = 36$) failure modes. + +Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$. +We now create FMMD models and compare the complexity of FMMD and FMEA. + +We apply FMMD and start by determining {\fgs}. +We initially identify three types functional groups, an inverting amplifier (analysed in section~\ref{fig:invamp}), +a 45 degree phase shifter (a {$10k\Omega$} resistor and a $10nF$ capacitor) and a non-inverting buffer +amplifier. We can name these $INVAMP$, $PHS45$ and $NIBUFF$ respectively. +We can use these {\fgs} to describe the circuit in block diagram form with arrows indicating the signal path, in figure~\ref{fig:bubbablock}. + +\begin{figure}[h] + \centering + \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/bubba_oscillator_block_diagram.png} + % bubba_oscillator_block_diagram.png: 720x295 pixel, 72dpi, 25.40x10.41 cm, bb=0 0 720 295 + \caption{Circuit 3: Functional Group Block Diagram.} + \label{fig:bubbablock} +\end{figure} + +We can now analyse each of these {\fgs} and create failure mode models for them, and from these +determine {\dcs}. + +\subsection{Inverting Amplifier: INVAMP} +This has been analysed in section~\ref{sec:invamp}. +The inverting amplifier, as a {\dc}, has the following failure modes: + +$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$ + +and has a CC of 10. + + +\subsection{Phase shifter: PHS45} + +This consists of a resistor and a capacitor. 
We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ -- +we now need to see how these failure modes would affect the phase shifter. Note that the circuit here +is identical to the low pass filter in circuit topology (see \ref{sec:lp}), but its intended use is different. +We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}. + + +\begin{table}[h+] +\caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table +\label{tbl:firstorderlp} + +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\ + & & \textbf{Low Pass Filter} & & \\ + \hline + FS1: R SHORT & & 90 degree's of phase shift & & $90\_phaseshift$ \\ \hline + FS2: R OPEN & & No Signal & & $nosignal$ \\ \hline + FS3: C SHORT & & Grounded,No Signal & & $nosignal$ \\ \hline + FS4: C OPEN & & 0 degree's of phase shift & & $0\_phaseshift$ \\ \hline + +\hline + +\end{tabular} +\end{table} +% PHS45 + + +$$ fm (PHS45) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$ + +$$ CC(PHS45) = 4.1 = 4 $$ + +\subsection{Non Inverting Buffer: NIBUFF.} + +The non-inverting buffer functional group, is comprised of one component, an op-amp. +We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group. +% GARK +$$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ + +Because we obtain the failure modes for $NIBUFF$ from the literature +its comparison complexity is zero. 
+$$ CC(NIBUFF) = 0 $$ +%\subsection{Forming a functional group from the PHS45 and NIBUFF.} + +% describe what we are doing, a buffered 45 degree phase shift element + +\subsection{Bringing the functional Groups Together: FMMD model of the `Bubba' Oscillator.} + +We could at this point bring all the {\dcs} together into one large functional +group (see figure~\ref{fig:poss1finalbubba}) +or we could try to merge smaller stages. +Initially we use the first identified {\fgs} to create our model without further stages of refinement/hierarchy. + + + +\subsection{FMMD Analysis using initially identified functional groups} + +\begin{figure}[h+] + \centering + \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png} + % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390 + \caption{Bubba Oscillator: One final large functional group.} + \label{fig:poss1finalbubba} +\end{figure} + + +\begin{table}[h+] +\caption{Bubba Oscillator: Failure Mode Effects Analysis: One Large Functional Group} % title of Table +\label{tbl:bubbalargefg} + +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{Bubba} & & \textbf{Symptom} \\ + & & \textbf{Oscillator} & & \\ + \hline + + + FS1: $PHS45_1$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS3: $PHS45_1$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline + + FS4: $NIBUFF_1$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\ + FS5: $NIBUFF_1$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\ + FS6: $NIBUFF_1$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\ + FS7: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline + + FS8: $PHS45_2$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\ + FS9: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS10: $PHS45_2$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline + + + 
FS11: $NIBUFF_2$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\ + FS12: $NIBUFF_2$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\ + FS13: $NIBUFF_2$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\ + FS14: $NIBUFF_2$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline + + FS15: $PHS45_3$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\ + FS16: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS17: $PHS45_3$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline + + FS18: $NIBUFF_3$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\ + FS19: $NIBUFF_3$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\ + FS20: $NIBUFF_3$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\ + FS21: $NIBUFF_3$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline + + FS22: $PHS45_4$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\ + FS23: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS24: $PHS45_4$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline + + FS25: $INVAMP$ $OUTOFRANGE$ & & signal lost & & $NO_{osc}$ \\ + FS26: $INVAMP$ $ZEROOUTPUT$ & & signal lost & & $NO_{osc}$ \\ + FS27: $INVAMP$ $NOGAIN$ & & signal lost & & $NO_{osc}$ \\ + FS28: $INVAMP$ $LOWPASS$ & & signal lost & & $NO_{osc}$ \\ \hline + + + % FS1: $CAP_{10nF}$ $OPEN$ & & osc frequency low & & $LO_{fosc}$ \\ \hline + % FS1: $CAP_{10nF}$ $SHORT$ & & osc frequency low & & $LO_{fosc}$ \\ \hline +\hline + +\end{tabular} +\end{table} + + +Collecting symptoms from table~\ref{tbl:bubbalargefg} we can show that for single failure modes, applying $fm$ to the bubba oscillator +returns three failure modes, + +$$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}, LO_{fosc} \} . $$ + +For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}. 
+$$ CC = 28.8 = 224$$ + +To obtain the total comparison complexity $TCC$, we need to add the complexity from the +{\dcs} that $BubbaOscillator$ was built from. + +$$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$ + +%As we have re-used the analysis for BUFF45 we could even reasonably remove +%$3.4=12$ from this result, because the results from $BUFF45$ have been used four times. +Traditional FMEA would have lead us to a much higher comparison complexity +of $468$ failure modes to check against components. +The analysis here appears top-heavy; we should be able to refine the model more +and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully +this should lead a further reduction in the complexity comparison figure. + + + +\clearpage + +\subsection{FMMD Analysis using more hierarchical stages} + +The example above---from the initial {\fgs}---used one very large functional group to model the circuit. +This mean a quite large comparison complexity for this final stage. +We should be able to determine smaller {\fgs} and refine the model further. + +\begin{figure}[h+] + \centering + \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss2finalbubba.png} + % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390 + \caption{Bubba Oscillator: Smaller Functional Groups, One more FMMD hierarchy stage.} + \label{fig:poss2finalbubba} +\end{figure} + + +% +We take the $NIBUFF$ and $PHS45$ +{\dcs} into a {\fg} giving the {\dc} $BUFF45$. + $BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter. +and with those three, form a $PHS135BUFFERED$ +functional group. +$PHS135BUFFERED$ is a {\dc} representing an actively buffered $135^{\circ}$ phase shifter. + +A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers always apply a $180^{\circ}$ phase shift.}, form a {\fg} +providing an amplified $225^{\circ}$ phase shift, which we can call $PHS225AMP$. 
+ +%---with the remaining $PHS45$ and the $INVAMP$ (re-used from section~\ref{sec:invamp})in a second group $PHS225AMP$--- +Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see figure~\ref{fig:poss2finalbubba}) + + + +%We can take a more modular approach by creating two intermediate functional groups, a buffered $45^{\circ}$ phase shifter (BUFF45) +%we can combine three $BUFF45$'s to make +%a $135^{\circ}$ buffer phase shifter (PHS135BUFFERED). + +%We can combine a $PHS45$ and a $NIBUFF$ to create +%and an amplifying $225^{\circ}$ phase shifter (PHS225AMP). + +% By combining PHS225AMP and PHS135BUFFERED we can create a more modularised hierarchical +% model of the bubba oscillator. +% The proposed hierarchy is shown in figure~\ref{fig:poss2finalbubba}. + + +\begin{table}[h+] +\caption{BUFF45: Failure Mode Effects Analysis} % title of Table +\label{tbl:buff45} + +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{BUFF45} & & \textbf{Symptom} \\ + & & & & \\ + \hline + FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $0\_phaseshift$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $90\_phaseshift$ \\ \hline + + FS4: $NIBUFF_1$ $L_{up}$ & & output high & & $NO_{signal}$ \\ + FS5: $NIBUFF_1$ $L_{dn}$ & & output low & & $NO_{signal}$ \\ + FS6: $NIBUFF_1$ $N_{oop}$ & & output low & & $NO_{signal}$ \\ + FS7: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline + + +\hline + +\end{tabular} +\end{table} + + +Collecting symptoms from table~\ref{tbl:buff45}, we can create a derived component $BUFF45$ which has the following failure modes: +$$ +fm (BUFF45) = \{ 90\_phaseshift, 0\_phaseshift, NO\_signal .\} +$$ + +$$ CC(BUFF45) = 7.1 = 7 $$ + +We can now combine three $BUFF45$ {\dcs} and create a $PHS135BUFFERED$ {\dc}. 
+ + +\begin{table}[h+] +\caption{PHS135BUFFERED: Failure Mode Effects Analysis} % title of Table +\label{tbl:phs135buffered} + +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{PHS135 Buffered} & & \textbf{Symptom} \\ + & & & & \\ + \hline + FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline + + FS4: $PHS45_2$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\ + FS5: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS6: $PHS45_2$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline + + FS7: $PHS45_3$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\ + FS8: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS9: $PHS45_3$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline + + + +\hline + +\end{tabular} +\end{table} + + +Collecting symptoms from table~\ref{tbl:phs135buffered}, we can create a derived component $PHS135BUFFERED$ which has the following failure modes: +$$ +fm (PHS135BUFFERED) = \{ 90\_phaseshift, 180\_phaseshift, NO\_signal .\} +$$ + + +$$ CC (PHS135BUFFERED) = 3.2 = 6 $$ + + + +The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift). 
+ +\begin{table}[h+] +\caption{PHS225AMP: Failure Mode Effects Analysis} % title of Table +\label{tbl:phs225amp} + +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{PHS225AMP} & & \textbf{Symptom} \\ + & & \textbf{Oscillator} & & \\ + \hline + FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $270\_phaseshift$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline + + FS4: $INVAMP$ $L_{up}$ & & output high & & $NO_{signal}$ \\ + FS5: $INVAMP$ $L_{dn}$ & & output low & & $NO_{signal}$ \\ + FS6: $INVAMP$ $N_{oop}$ & & output low & & $NO_{signal}$ \\ + FS7: $INVAMP$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline + +\hline + +\end{tabular} +\end{table} + +Collecting symptoms from table~\ref{tbl:phs225amp}, we can create a derived component $PHS225AMP$ which has the following failure modes: +$$ +fm (PHS225AMP) = \{ 270\_phaseshift, 180\_phaseshift, NO\_signal .\} +$$ + +$$ CC(PHS225AMP) = 7.1 $$ + +The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift). + + + +To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together +and perform FMEA with these. 
+ +\begin{table}[h+] +\caption{BUBBAOSC: Failure Mode Effects Analysis} % title of Table +\label{tbl:bubba2} + +\begin{tabular}{|| l | l | c | c | l ||} \hline + \textbf{Failure Scenario} & & \textbf{BUBBAOSC} & & \textbf{Symptom} \\ + & & & & \\ + \hline + FS1: $PHS135BUFFERED$ $180\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\ + FS2: $PHS135BUFFERED$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS3: $PHS135BUFFERED$ $90\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\ \hline + + FS4: $PHS225AMP$ $270\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\ + FS5: $PHS225AMP$ $180\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\ + FS6: $PHS225AMP$ $NO\_signal$ & & lost signal & & $NO_{signal}$ \\ \hline + + +\hline + +\end{tabular} +\end{table} + + +Collecting symptoms from table~\ref{tbl:bubba2}, we can create a derived component $BUBBAOSC$ which has the following failure modes: +$$ +fm (BUBBAOSC) = \{ LO_{fosc}, HI_{osc}, NO\_signal .\} +$$ + +%We could trace the DAGs here and ensure that both analysis strategies worked ok..... + +$$ CC(BUBBAOSC) = 6.(2-1) = 6 $$ + + +We can now add the comparison complexities for all levels of the analysis represented in figure~\ref{fig:poss2finalbubba}. +We have at the lowest level two $PHS45$ {\dcs} giving a CC of 8 and $INVAMP$ with a CC of 10, at the next level four $BUFF45$ {\dcs} giving $(4-1).7=21$, +and penultimately $PHS135BUFFERED$ with 6 and $PHS225AMP$ with 7. The final top stage of the hierarchy, $BUBBAOSC$ has a CC of 6. +Our total comparison complexity is $58$, this contrasts with $468$ for traditional `flat' FMEA, +and $250$ for our first stage functional groups analysis. +This has meant a drastic reduction in the number of failure-modes to check against components. +It has also given us five {\dcs}, building blocks, which may be re-used for similar circuitry +to analyse in the future. 
+ + +\subsection{Comparing both approaches} + +In general with large functional groups the comparison complexity +is higher, by an order of $O(N^2)$. +Smaller functional groups mean less by-hand checks are required. +It also means a more finely grained model. This means that +there are more {\dcs} and this increases the possibility of re-use. +The more we can modularise, the more we decimate the $O(N^2)$ effect +of complexity comparison. + diff --git a/thesis_submission/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/discussion_doc.tex similarity index 100% rename from thesis_submission/CH5_Examples/copy.tex rename to submission_thesis/CH5_Examples/discussion_doc.tex 
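Review bot: In the CH5_Examples/copy.tex hunk the comparison-complexity figures do not agree with the tables they are derived from. The PHS135BUFFERED table lists nine scenarios against $PHS45_1$ to $PHS45_3$, while the text says the group is formed from three $BUFF45$ {\dcs} and gives "CC (PHS135BUFFERED) = 3.2 = 6"; the closing summary then counts four $BUFF45$ with "(4-1).7=21". Please settle which components that group contains and recompute, since the total of 58 depends on it. Smaller points in the same hunk: "CC(PHS225AMP) = 7.1" has no result, unlike the other CC lines, and the sentence introducing $PHS225AMP$ appears both before and after its table; the BUBBAOSC table gives FS2 the symptom NO_{osc} but FS6 NO_{signal}, and fm (BUBBAOSC) lists only NO\_signal; "[h+]" is not a valid float placement because "+" is not a float option, so use [h] or [htbp]; and "." used as a multiplication sign in "28.8 = 224" reads as a decimal point, where \times would be unambiguous.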
diff --git a/submission_thesis/CH5_Examples/lm258pinout.jpg b/submission_thesis/CH5_Examples/lm258pinout.jpg new file mode 100644 index 0000000000000000000000000000000000000000..40a8a098c8fe58ba49dfc1aecdcf5481d9cb8219 GIT binary patch literal 19408 zcmcG#byS zmtc>*&$;*QeaF4$zVpXh8Dotk>swiK<(q4MbI#vy-cR2z0f^*fS5a8kx(2^39 z(*C#G{civg57#>n|UebEHF z#>8jU)Q&RoX@7HacKex7RsCm#`Sk}47yrQ6y1(N*ypmFCrse@Z+B?)ua&iwJ)*<_s z_5V|he@I74{6D4oAJW~=0-j+$2tkZV3=jv*ScZHL3BmpUvumkOF8Dml2GSnhR2ze9 z)}l!!f96~x#v2=r&MI8*0WnHwgZjVy4+!-cGr; z>TOB!#*@gh6oRO!=HQ{Tg@R*#HcdN_-B+D|6i$^G88)kLIy%r`S*HZeP% z2hV@swAWi~rm>0Km2X-%A3VTZ(Hw298Z--$+QbiP&Z!cQ)c$!S&S2Jvot+a~qvzc< z1}Y?D&&kevcA}5FCkukmfV{8mbr(lS`kSM7_Nnt!BGuaEcMWI~vX3BXBaO%Hc$iI+ zJWCkURMVoVqNJ3;@q%GjP=(~_cWmsx5MI46dReJ=iWnn1L?T6Opou;?3)5r=t1tI2 zitkj{O8N(mh(@Yhv&ou}$Y(Rb0p(Hp1dw1?{AwCy{(HTzB zxT_p2-y~Xj&iBXLDQHnthvJkncS%1R1@@sp$ z9bT7pTH{WRBh#crT0Nbp#(|SSrpYVULIK&a!ovtEvvfi4QaiJ{&8ngqmyLeTdL5E__~{AZCQJg(xzQu5s8T8P4{$1}lBd{p>QNF_s9c5VDl`%|78lISbf$%cE)Q5|hw1I-gXD(bB4Nw*K8Kl9^w}GJ10EvBOWY z@^cD~r>VW4jOlGb&?K@nr#vO>VF>|mo1HXP+CyiHGxNOqD_YjbItN4d2~jFkx_E@P z{HADri}?U`P5u2^%`xZFhA(QvK{&}t<{$=qvEafq%Ny55`@Yh%Uju_DQ46;9t|Mx4 zZ+YrC;{67U9YEnvCQqv)dCD3cFYu;OXM`{IH3myH!9BX&rxPx9JpgDTkm zQsIdafICtvad=qLsE8F9k+C(dY2TL5;Sa8R!BmF_F@o|v^WO_%P|IJuHCCdYGTuO~>j@BVB{^1*p{}(n`E^saj64I< z2MWzco#kv9!8N-tSCGs10P-f2;}O2wFSCxq%Y{1$PFsk45`LdZciNm8dMwJ>i&ztw zz;f)FPu-l3_|5a;of)E^*Xh~(mx-TZ^V6#ngo@=uir=nVx;S+lZivviGgjfThy`uO zIxkAAsC}zM7QeNmhbBPJG`Dh~gd9JF-eJs)AV(%uT6Jm3IKY!Op4avXyB6h{w(aGy z!eHONBt?DE21M)Zm@+)pdn-JNn24AdAia9C${HWypxx3jSpV2!i1J06uyJZ@~q!%PLF?Yik8I${;1skOK@=klOL7U^mIguTI<`dxhmCgA%v8TzxW%~7u^X|t!OVdq)#)dwa_fXuK_j%HtTz4 zqrhah3l$1WVva1h4ikmYKLdpm(FQ{O)&5=OTZ~IcSaj7m3dLw2~6EA25K|#BY zdBkGL#c~F6U#PaayC+65Xe7T9!caRJcn&M`!3>!}?RLv(Mfs-eJZPiA0Aet(sx~d; z*JeX4iNu)P>C`B1HT{o`R1N!%uyHA3Wnje zs>jucC4c)n3Ad!&1Q3J*(rn$ttoXR#%5GO6@$3NE>;WWC3I&oy_@*vnL?u}%9Q8Bp zPIqW4bM#G3fEUy1qF#F=ohX;kHUs<}PPa);8!GVXDt8);Hr<5W0}^V`xIAI(PgZb3 
z;q{GoPallL8I?t%M=oQ9JsGfu4ckS}rJ)fP((ue2oh0z2hrQY)-JS^M+43yQr;>j!JXjlh)jRPMwfimVWzH z6o1>wU99)oZga%C1f)L){$Qj$Yk{l%j6;|>jnI_t`>DjmgN2aZY@AY^-6V9;qxzZ2i}EL}N3QJz+n@!ACWEx>!ufDKF2mASL%XRR$yD z4&Z#6fXN=2XI!pn6s7CbV!jMDvVv>aHheNJ3@@xr$Z%(Dpx^Qr#l`(F@b@Hs`F!zP zmsJhb#G)`KuYzO!BE!Pm>-8tW8&ly48i z4YXr}N)QQe7udqrjOl|Ke_N)xJq1NL@-dsjj4UlE*p}PWUTGA z6Y9$8K|uILE0;a3Bb+-xU1LH=$B5TJUG+CQ89l?AXTyy`1eQm~PS4fkM|HPiz4VV= zO^{xWnJH8DP1l?URUFN&*|_n8VdR=urV^u=KcFD+`9d$Fu39s;Fa3#_IO8BD%#V|eNFq3Cs>D;sCDkg#STb6mUcDc?=4KW&W#xv&8nd}Ct2$zF&i81k1 zb1d>`7g`Aam;v{HJX>Z3>uodte0h(e4a-;6?`7wwc)qJ-U1auq z1lq~D9PX!@4R5{-#9w{Ud%$x#l-r_!XBsilHQbA-Qaf2SYdO7r;ksA59*YD97&~>U zdNj`$*$yLAdCexPCU~)P>>XX82QK^--}f4kdelsg11fayheo0_Y{u1K*~*RjhP3+I zo=x*BOHUjhf=QBCWSKg}95Xm!`$@V#JneLX`w8{m%f-#SPb9*@)WNONg?}?h!7%Qu+4x$h|@{yr0~izPv`QS4o0hy8k#EBB}qE@}t8T za1OJ~#&d} zUp@)ZT3{k`#6^HIXL;$BboF|S&Rn(EFKZn}oOT%*3c{|HTzBz6ANtN+hEnhB>TA{K zO}}>QfXTx?zosXvkbVQN3~>Was9uuVLiuuKEvC&c=HKtgObG0?qEV`_! z*aMiF48A60zp!=WUa#u<=qRd8NB8HngiOQjP|W4BVkB%{Jh4Dx!-9K_8IHtt`k?ar z%WrQalHy{w+vmF1Nqo)02do$3pMyR^!jJW%uBhqKbS^px-!5#f9lV39J9f!gfc=|v z8?4GBY*ZSaGhubp0gW8j{otGSG;m=L3qmrZg6>Cmi$gbMl!Q!%Z=C8yTfMN89@Bk6 z@}zlV_D~sVd#SAb$l&*@arF{1i9y~**A~+cAO+`8ix2Kf+C3oUiy`->9?T+T?x-o9 z1!2Rjah0a^bXxyaa5ldPnB-4c!YTBw{OO()nO5jr8jAY&{#9fG9G28@wgYWiCKG`^ z%8#l*B(T(aH}ldn(J7~0$H@$sHafp%?&Cc)X(cHc@w9H-fV6(;Q4R3 zeiErI>ii{Xm(+NDM!n$U)17e*gX@EW&ft5%(|;<1^}{uTw5%cMTZcE( z)9^v?JzyY5SJd2|v>d0y_i;^DW_V4gn|Iof%G?p?a@Z>Fzv;gI<8emT?8HZGJ@ED& z0xBo1;#a4)_U6QDRh_g%M~jCy!( zla|%DPvBSQ!}PS?I@uOeHZ@vDa==e}zMAB^snrg>iQGe@EB3F0cHgkOJ-rl6Nl+X= zt(O0NeQMUKWX1UPld$WBl>u8~qFV(@cGJfh^`8Y;o&jdkkS>{}&Pb&B*>*0~3;ZrlUD!Bnx8&Z6?KcbtZE|E z_#}P#73#|79~XFZ;g2kF4IR8*r9PmQ0p; z@MeC{jsF+7S{myJBW9tBma5lDflSisK%LZI-h+n9kn#W)dD=h(dA?IvuD&sULAuUf z9bu3eK%G1l;b!MjSbLd7`&o*XX+lM3*taq1dAuGFxah{sEooOK%G9Wf3km(|BpFc>#faR9>?{T!;`-iX~Q z>d_;n;il@&&@X*ET4R-7=^M-mPv(~vXeerhb7KLRx--+(;~M-pNK~B%*-E$f8tb!i z_cxY1igXNSyauGPADnpiBO^_6gsrS*7>5gknU7`MBuqEB3f;7~cWo#XlxX7b0k1>< 
zrm9mq9C{{8!c5)VFw4#-{qc#y84U!R#Tp#>j65=%o+{MkP}Paa@Fmml=&l-Zh?<0O z?8!!?|Ev@y!f9(ZUNe*~sGT#7J#s0j({Q4x9+oN1vU@{t4r@P;p(if)Peu!cUE%XcGF z6EoNMfRhLFq|Fj5A~7vU_sboQQZZ@LD?DnhO3sxX;i-PY^gTW3gK0FwDb3(Dhww?j z>d@pGa&6yYV_5G^Hnn~4iwgRbpN>t*y-YAMK8GSWR?F6w z1&3#WVia}zOK+gdGxep*ogN%MR~&oz{-3eUS^s2fi298dj{$-^EW7S?&%> z#8bXx)~XU?kO6yd&Y;F30djur-`Y$Q(Z8hHm})=u8V>mD{>Ag#;lQ57ta0()J)z*A zNVrW5Y&0vsbYHEJuk?#C-0h}Q z-(C8~tDT>C+e>gR8)_5m>|w{g$Gt=ioT16xHV5_MTdupWynX4`&Vy#OH@$-P73q@; z1=sAjs|nf${cn#f?6TWd1@36y6qz=eQS|BQgE{@mlao`$2hwE(BEM77LfiDqJ>9<* z6hPA-^9ejy=od(tT6_Sx;m^)He)cK_mX~X&SO!Hq7suGYGNCvNbJb|Cqf#SCYQ-lxxGws|KqZRY9v`x+VFDbaaZ$pi?6#;9#$TF>wCglb{fLM=)4cZJ`NBu^QHQfj>1DeXu`@&OG zQ^>g;OKsV0cx$t*e(l%mJ|w9j^}zb&X)7L`cKY6$>x`Gjb?5-WvfA+#9o|t^34Ai) zj=14=yj8!>ekOoE%F<0(7-{x=Ej1@o=#%)e{Mow2zR88On|F%m!xYWK^JXId@My9!gOjw#jD2R}c+HYnzuc2#Wo z{$9KL{gr)|Zj7Zs)qI9={YU$ae;eFUBN?TZq&_iU{#vnm48Oc?E^5yvG|Dn2eXwcB zaPZp36$1jg+?mkv{Buw}Ipxvd%xp{LnNoyaBKpZ<`!kc!)=iB^!eBuloVGzF5y1iO z4Q4IREGxx_@IK$Bp~@lNZ}sDjMEMlx>dzYDw0~{doXCbmC8kPk?Jn6wfWGcs4ss0}(ZGW%oO7|Qw%8p*nfgYcY9OTu1sxE$W*fT@6L!Mjn;C?mZo z5|et(^?|~&##%Ftao)OCl6M~Vc`h>Cv@_Gsi54$*zja|<7^fbU6r9Y3~O z8+WPbo=V2+_(j^5d}|Xlw+Z8>OQ5DH1N$L8CvO+mr=`f?{D0jE_+2{fV0hXveeQ+~ zQZP?dCw2UQmzWw{eQBUi_Pl;N*o|`LY0p1=nU`&y3NHjt{BrRvJ>bfCb@P54uY->= zkh&5UDx`|B%3e$6T`tR>#g3@*Kc_$L0Yq%lnS~Ac=E5CDJZh0=)gZ>9cIC|Bdw^64 zSWQIXLixn^7UQOOXXB%Kf+gcR)H?Ui%c3ep!K3+O!U>>`E@bQrog)a+y0k~*5{>)R zcA&B6w}Vi49y=X-t47Z(6~}X+TJf&g`M0l_Q*E`tKLyCVm$hTkf2eT`T*~YxKx33U zy8#htoDKQ~4%n@_7d;!5t}M9(J+J!v$`)w^A8&>)TCptznmVN<2)!xlZ(}TEdKxBE z=~GZxw~xOk)XFFKCEq>j_xyS7tn+Js7k$U8Q?c|v9_1Vv>F(rgWgNtnX0GV&@z32G z!EmH=Zu|iL?(p8q!t?S!4|^}r=Sr3Cd4W%JG<=h=N|h!D&Jj(M)1kBaMt?ym+I77> zAfb885_;n~6=(penj?_om=z%G#RjKqTg|TG+~ z(@_>Zp!L$mPV6^cD|!1P$*(I3?hqJX_eX^>^6mol-)wX8kdcy|j%a*Q@7l@_(!_Z$ zBVbwg` zay$Y7nS^Jmw4HGJNUQ{4!)Ei-*~HX$>UpZ6FZYiB&TP`30>=-2H$<{cd|4BZ_vomF zwg^Ym8JclX6>v@@a$7jPsE7xxN4ts}f` zCfi8m>x;cIDE$Ea&?R~<7D&;%lV=#&oinGobUeMZzy*JrW0^gCA==;1h)s@s>@x(XxfRT|!UC~7E 
zN3MHb3UkOx3GhFBef`s}wk|?KoLYg${VqQA4N1f>&gb->-mRhFWO4#ANo!- zsPg;miPj8gxn)WlrOBG3Vbd_m8|B66>}fdKOR0O_;OQ^gzEJ5d`J<|)+vP>T!BiVx z&;eKU!kjSn*9LIooex5RzrF!fpo@l-NDzH2y-|bCHK1Poh3mMM=J#Z1@Qya+yEc`3 z6jO~cwMt}V&EikhRG7N5Ee?uS!d3&P5;cW#@C#zor&k%h^Lv%)-IDgM4S(annj>$Y z>W8o$D6Z%|cJmB6(E-C}*=Fn$X4og2@;j{GG6{RV2Xp_fjrHb%pwXZ#$JGd@>dufE zs^dOgYI%4<(;PL4-~L$F)+(qMtFg%gnZ<(KZ49G_I%!gYhAMYj3{j%Cyc`NEKZkN+ zN|RZ-8BIaIHhF*3=0|<@-W}?GK~wNJzY&Jiaca;o02$~R=sBh;h#V&b?KSY`e8k8E zU^c~P|1-P(f9(c+-kQ4TU;G}l#7bFEfJC0Z|AKi3&LMX@5++K_XrO^IVYrvL-D-Ww zIO8DlPg*f*a!a`fY!Pm#XuZ#OPdrF_i2Kl(S3k!KGJ@Rr$rmgeRu)0;DJR1$!>vvH zhGp)CV#;F%Xe6338|b6GdtP0p_%zKgXe1-fZB+1L6~I3{yR{4<>grKbkMX$+8judI zPZOQ(>Bf(xvj@JRD>%v*uxD9!uHG){d_I?%I^|=r3~KIYcO5E_FJW)-OFkmN2{+Nu zC)AUaH7}@Dz0x6Lf_v*XPogpCd+xIJ_wh3fmz8~iH|-aG4;ePrLh;;yqQ4^EPODjQ zdigEAV3@u=LE~qH+S}L?rz*I8>OnMK_*`ow3L?ZTA;@>^&iK=OD7#Ld?eM1l^P-jI ziz$SPljSvOKPYwNTxLJl#-<*!=y$GvRS{j*Xj?#9wzPAJqHteN2ud|ohmycvO}yHr zGI0^t2NoI;$Tv9!IrlFmg7L3imO(Sxy4#Qk;n}{X2D{}w^j}mzZ(se}ICgL{f zm$fML^6gA#jgx6LV-#cu9=ysLZIN}s5KBMFs%kCf_w)MfWW4sG@Hh+Hzkl{;X;{zp zAr_Cq=OhS>2|5EA%qlmzLaac_6a{@;B7)N9>%xTbE;fYqQ-9RY6 z+MH{)KKZ#T|E|I#JBi_RMbPl@!fxR337|0S;*V_Cr;U!$6&Jn}3#O08egeF3T zoF)9|zzu}3UmMk-gVfx_K7X}MkZ9-VNF01d!{e9LidkoW1Z4#JFHQD;gIbJx#lE*F z`nkVj?#P*-1v%eLq+LVr&KFaiv2cx@+#>iaUVd3i*b$Pn?GC7Z@fM4i&RVBQpITu} zwE4TFOfz(M&T7L)p=`+Rg<69`{=R*VnVICvxZfKv{%A_i2;%~Xs2|c^idy;WvQ7Kj z^^|m=WnMLgfoQQj)qu23L~%{n7e%!R+J6cFfxtv}xX`@o6)g{H-WR5F{^rbr+eu0=#i7StCR=YW;lvS&89T=J zL79m-F-b^4CiUY~h2xyTu%ZAXN5k5*bDDk4D$=>0W8Qck+c1`_}7BNT%pw2nV(4GyMvxSA6 zyz9goe-lAx zLiHPk=Bcr6H5KZ#kAzl#VxPBVW*B{*wycIR_STnZa&_HA#+Z@Stb!@R>+<(5dJL%M zm})5H^u=qB(VkH`KD2ilV@yM!LnvpnmSGL>F5I4j-y#Om%FWT9+U#TV}9z-NC7N z{_p zt)RjAvYh?O&h8Jc^0ewcG)#T_XXBq7CxEA0#YbV*?!YSxf!H?cZd795Y;##P0^Fz` zy6$|ZgH@|O;i8i0Yoj+sPqp~{>>$9LVZev7nsqnufy0uH>hVzeyY1b*QC?D~Z)L#D zG(?h7Ex~2pJyIUq6)+v8BArJ>D*1YC{y8PW(otbUS_SA{&Q7G(BuFh94?C$|#wG2-!LVdOm?CEOh`qNA2;eYpnCi}>dTzubV zq|&|1GbPz-akn`++^XGLLF3pY2zT*__bu7=Eb!Hz>IS<3*h*4vLJcB=LA;T3Ch=u^ 
zleMn2>-|@a4i|gh>Mvc}PPPQ~XUxIDG^-_$3JSeO`&Y9x$0>0uI?xT#@BpCk!Cv{g z#<08R3MEw@+2Au>XAQ~EeaRLIZe?-rWr#MK^G?Xqh*4N;|9>nhXtRj(X;-ejOF_pam`EEqFo4Dz4Y~Akl@en|4Hco9310t(K2Hv()lRK*+|q zr-2;A@@%nF#NzHD1L2U#8r5!br`Bh*{B->$O{ktsV|fcmGZgm?l+re`073u@cM9@_ zrW_BmPMv!uXw6~lY{wSk%nd|!EOW7NJ~&s*qBg8 zr;pkccd{I}FeLYZj-~uucGN`}{}gpp5~w~Y-h_C4+w=^&zhVi|>4u z%g8h}MI(HXnL>0S&o86ps^)#)XSI33_IsWi?B5~JFw1xjq4xmL zxeP%$vMaAJ1n=KWOl|hS%@JupCz3!}@0>p@hzB(u`SULN_LThGxA#))iIJQ{+~S<1 zs`?ObDUlqPlz~LLO<<&$zPA*A(JYmCprRkvBV2kkQFTVxuAznkVzAeSc3_!}R293Us#0Oq<>eO&?8h228#M}JZ!NEQDomjOLLgXXl;&VGKKtq4=77p8$N6tV zcBSwcqlhPS))nUkJQZva0ixjZ?RqECOS zx+t&aDx-o63w4N^p0u;}XIae3<|Ejwvb}DXn?qDX7?QRpgdBb(OE2 zc@Kd0(tY1{ak}H`tXAL?w@%rKhq1fV&gR0jiAT=}ikM ze2MTOxgfF3=?fkO}ezi~&5o@SJd~B1<{ym`hJoNxUy--dO!cH9?xPZ9R z3N?<=-iS^M?V$L&m22O^-VEeR(znHQ`vQ59~e_ zq^Wpa|GDuDHur%&x`!3-7up=S{{3ic(*+_5T)2Fc2Xee|=2(58N;Hh9F2M7R?CK`B z5urr=edODF9HKo_OH6K>7s26T{K1E>g`G093SjLT-}0LDbItD%Y(*w6vCS6a+c>C4 z%U=8heQ)hu!zuj?WusRraLoqvF&HX${B{;In=@ckNC8?gJWLbMaM-rnRLSD+njoZjVHScj9COG&tfXU1VK?M zT5h8wMuyK&D7>TxJqoxj=3fa?qYyj%(5(WQP=lb(RC4Kdb>Cu(DUL?g0dgJgwYLP+O5m7ZI9YS5zY|bv!XGzWwj-0c8&vr+n(P9#b0!WtE)m=J*%l z+XYkn(RW9J{D*0DrxVp7Z=SN=?D8Ms1Q;IZ+j@1CY2S+W{v6U{QZe>A42mSDy`9Es zn=sl6c>tZSZe5Ps4hDVKUTLlr-iY}ch*VtHWL)8X)(gwcvrk+lXj2wSeB^gPNt+Fq zxU2B()U(bHKKNUF55PHm;BAp)!Zf)0h|D$ZJgUqu?}&}!K1)Om*{9XUf9}{?^BQo! z2mEkAn%@H`n}{FKsDU-{7G&N>^PIcneriL z^VpEH`Ln*QkMovoP5(@8gWwuZT@Y>gs${)$wJ=9@jc>>?F!X?g(df!_wE?-4Ezy6~ zdBSqew=TY7eGfR?y9un8^P0*j~M0t8>lMn_ThK0K4Tn=oIH_-Mi|(D%_JSL#t!8>Qp`+^1>G-TidLl*BJ4miX3G*#6bAP%7)ZNB@u0PuowD8I&? 
z!JhVTC%@V3*4@xG99}-wY>1VFTu?DxEQSh6q#nta)EPRPF3E=nLUOxntV`0Q24gmW zvrCpm`6S{H24Fu<(Y5A<0g?a~)^uPqc>J=8+pte@6s0(Klh{j%e#eJ}pF5?{U4K4D zxqCOvfuj^=5;qg5X@s2~D|~D4E-$^cbi7&$&t=qy7U8=S^C z$DL4CC1=m3{%RbYwkbVPWu(35vx@c!L9CZRYD2c{*4fo2(?m+4=CvuS*I}Fc@-G#w z&_lr5(cu*wR}?%xqs#rZAWj(jWMquKfl}0%o^_c+uS*fcYCV>pqFFim%m!5hdpsBn z27kcmNCJX#Y{Q}@tSZ1=e#t`qd4rHNMhH4l_T=&&@aSU1&m?se-2RJ|Je&(^`XkzV!z91A<4s9el815eI6 z=oO!1*fNo(7#u>N)KgC}`5B%yaI)e^0>qrB7KT{NEY@F=H`adr6_^hl0orwMS#9tA zb+n5tJ-6z(J_&F;@KvjCGblGrRq7`B_N*fJ*hwnh#?`;b5+X2;rD6-#cPFE%iS7+Ez< z;MIw0+-*K9j~R5%kem1-db@D`9%oeZpxx2Nm!O&t5iz?2`^*QFeHCs>(Y&83#}wo>VB=L@$Q=1P4`pNP zTsN*gm~i*lb??#WxgyTfYBg20Sx1l(wK|zfX|9dS0Ik%Jy+W>qy;)}~OcZgE{B_#L za#nNQeI0gm{7Ff$_=iY$E7%hK-Gxt-Ao$N?1w^Hn&(Sh6u;M~klBIFLscyEIl_^1{ zb^N`UL1!j7rz&R$Crhh4q{M)Ldl|w~JN=3e%}QnREf31lyr)FM|B=M)#=5s*)fF!i z?!RDQk(~}*;87bf5k<)4!B zVItKE=vE(@Z+!Gehid=iv(~6A2e)QZc`{Vcsy*2xz9Ug^O`ySb#PSAHqMV#6_}jEC z>9}@TkpGa1NV;ih-j5Icu66ZvYI7^ih5t)U5MGjAlr~$2E_#lpI&b2rnzdU=wmUiD zU2Iox)qY)W8fGP*OOs_l6yMwM0RxBf6sj6IEvE=+BjGKR_Zsg&O7We|?vylXRnuM+ zXd0T-|3r?R1Q3Y$z5Dk?7+3z7%!wGkco)X|u}D+8pW$9=|Tv zGyS1_YONKN5XG-9(Mz)Q(7Ur;TiE>E#~K(?mLof3?Qg^Sxvm^B z9wI`g%8op6yN-E?F`OQdO5d{&;zgp+s4CZMx|+Rfq5ZiL$jAd_{;~6s8r6{Cp-2|I z-Ts6p!|(kU&`qahXZnqrPpUrEb*>xQW%tv6&`BPG$HJZ@nj6k2z?n+{hOcY>6`i#zV7z6hl^;xhv+g2t@q5S|W)EgZ9XfAg+%W`5 zXa8U0_Wvp9|A_CoB9$~aK4jS{DZXp62w5Q!;psWqnnaD?Vqjygq@1oSAr~0i#tL+a zEx5>syu9lF*qMaO_5E6i@=K4STVa#Q{2v*DB7t|ry&?^`jJL-!4_xV96V2HYcNdrA zU=IABcPKTwdqB=pJUMlz+Zob(z|y(VwG6KvE7Yi&A>)P?aSyQU@}K`Fb5p0iQ)~O^ zcUyhUJ%CN7)^m`SP1Zu_kZs-tS#rW}F=np&4rf&&XT%wmh+qzTvDv!Fao&^bCS_k* zWXb`lYkjoBr`7b5F_~QHSwt*iEHGavKcS1E}iUYDN?xXnAqn`JKg@rB5_B>2dTX8W4%!-8OmJO87B#jpW^G= z!X^_o9gZp}DJdG5nu`j9zV6=Y{%kSTxGOi)yOt_7~KP;(_lxaQqn`K-6}G+3II%j3S>~EKqgWfe zv&F6s%fIS5Ox#0vxS-B9mVb;%Wm%+V+aJ&TVR~yY=>A__$#?SG^8Xd&MP}1Z^izPGXlU zW;C=8X?!<`^g@coQxoxh`ik4W@7@F6We9Ro-o|VAVoco`V>i?UhgXbQ__u*$?g3o# z`M&=$_}S;JU=1eR{Km|)n~jY##zd>4m^b2zbo{`@HWp_)-C3{NtDf+$|I|?!L*6Ye 
zG9yOYmSlFpF*%*B6{9Gq+$dH6_HI;2C`t~qG|FmVd&dEv?}B2%8r1@dSS;CQ%q^*? z9UULQve`DZ_fm4iw;N2UnT7=UXO^^>9$~xCO1rWpXh@IKjPSza_oq*VKAYh2bx9zYw_sV{{8$RD-T9W5i z^=MLXvk+!MJX0`CN`fR2?7Rm=HNbOTb-gJ9akjA+_z_}KmV3YOmxy7jLQp*ek_UN;-pWnFgqwzL`$t3NNT`kWm?eOF<&0Hfv; zZAXqSrGuKC$PKJ3r}PTntowWr^&Wi3Y$I9KK>R)b@5RF;(cJFR>bgb9>BCjB*ff%^PZVrrkz zp5Z)kxsTy;#tFbA%xnKk&sH3_TblN(9+B2)?XT+bA9>)!jI;}`-#>GC$l+vF7;x3o9Hzad>u*eO!yjc0 zqmE^%-?7S{iZg|n{QnCgPT^^#IGIA|{Z{kAwe6Hy5<@>N+W&-EzLWg;t zwYuMgbsi3krUV_JHXN#roBWypC!0GxIJRrUoNe5Mqh6WAIF4%XEBbErsXi5xX_tfx zljfK_=9P4;tlyRMLp0$G=_`B56r-?wU7y6!u`3nmo3lwzv`9D2H9cyWE50K5= z>We|)OOb?2BsY!v36H$KAthaTVkG$mZ5EKD1=$y|R9f@%pjO*t#*AEzB{wMc$>E}a3j9J>ByVF-V_#JCy@JMVo+#TE4?pdd7C}$yR1kfh9%>ET^V$X zi;Y9QZqk}{CMQhL`t54`UYIH)CJ8%D>3PmzpZM{&C!%gTmvj zWxEupa$+JO)I1vvHpHiaXenCpBEE{t>hK#$-|37mwnj&06qiBwfGP;_W6+V6IjsJt zfU@T2QSJ)FD}PN~N~}ni@!PZ`nkbVaU8P9Si%IURGRt9rCB~u7SQpPhet&~q-ggS= z#7~EWSq!rBBmbK}q=q6gpZ5xh&$|ywc4EL~{2IW)_jj!1z5CQ%o4e^f;ON1*a!q=i z@(=$>!q7dY2PKe*YdS+9u5&D$Mk9isFpgCe;R^Tk@pJs`u= zMtfd+?Q_*$LFm!wd@)D0it>4ST0@hzA%LkKc*r5#(-2=H{I}daenY-+i&GVM!}~+K znI!=McCJ6h9I%j;_}3vH&Cj`GdDgy^RK+$)J19`*+%9#vZXk5THdv~zvwZQK(3U=@ zhCqM)$@^vvF*cv3Nqvj%z4%ktVvwR!y8*MLuEhu8oZ{Ef`>3z@*KyS+eS+(vkM&e( zmdnWR6bq_H>3(*@MiOgr_f8gSDB6TIy<6!^;Eu(d?Dom~?mAT@F}A$B z-~D=}--5mwo~#h~cLrZtvZ#kUu`x52cbWzrXn%zjJT+I@ct z#ih*#LM?&sk9(QY0K#bOx&J8b`mYP49ymZ1U8R1F7DVqNG2^&9=k|D+#P{!*^T;$- z7=vFT#x-RLl+=v9v$M{Kd-31JH4fqfZfg`|x2NeJn4XV<`M(R&3m3Xa4Y*|r!#)Xn z)B0A721qgt`D%;F-}T%K-RRu|#M;W1#DKS2A@jo*v=Q$6sC&Q|{jg=t&CQb@JBMQt zY4bh1=HN2{)R8>J&@N7|(G1-~t})zqbJ$W!2lcOCjQ#6}e~fO!>8^;zflP~x|4%Jv z{>=uW#c>X5jB1UJ&JZahZE94sGX#}K7)9E=nYJ`iOKR=ZSfVItN@bKmZK>r6wTp&E z8%rgKwTobs+M-A-u>>Jz z@bU3-> zSoMtgu5&<6<58wDV>Ym%d66Wm=|CQW2WyR*$EB>jaZhM_7p226=jV4R-z7J7l-B|= zD*RdEg2e>C6@{Lmxu6EH)$Lr$&4}DzSK8IrtOhYZrJ83TmcYj-N9e3-&gm zH7eo3?`SC`5~GH5=;#6Q1)!Qb*pROJb!`GGmri5ebtTud4fx+x@;BoO0%B-TpxqwD zYG&TgHw?Yzz)UKn+zV0upQ&X>(peU#PcOzfti`$C@}b0wrVkD=JffMXiD{Q+&d{F* zo=QI0fZ5ra#<%^j!q 
zJpcw{1Gp}@G@nEEHJUfKiW0>c$d>-JS?q`kn6-*8bxhj(j>x}8b zd9f7u(Yl~(oZMa?OFh%m`l!2d<(#^m)6i=$pBg6MDJpx~2A}dO=s3l{ z(!`*#u{mSy9I*@Wo>pP7FtO?7*X<&!0iV4=AC%y+d6`L8*ZAwlvOR_n6RO^Jn8g1+ zeE!9@u>axq8##S5jKd(5Em>~r`!N?|VKEH%^6ZMb6iUb!8BDhx&^3O%$XYpGWT4__ zc(Ax=OC=e~^E?Sy$V-(Km0ro6H3$X8Q(_HNi)F#}fE}wG+S>HRxTf&s`xmHBik}Ur zfGv^8%jhpnNsFSbvapAC%HnM6XjQ?BF-WRK?@7aN)MFJ)sYAEaxmqJ+$|7a0Ia}MllRW;Z z&Tr_W-X>5<(D=41+V%WJBRN|LffJb$7R#xtcVZk$wtuRtNVpVGqQIC5l#ulCue^9nfO+*?c^TT6rO?0`ULy>|1=?gMEgHc IR6k7q8`r7c6951J literal 0 HcmV?d00001 diff --git a/thesis_submission/CH5_Examples/non_inv_amp_fmea.png b/submission_thesis/CH5_Examples/non_inv_amp_fmea.png similarity index 100% rename from thesis_submission/CH5_Examples/non_inv_amp_fmea.png rename to submission_thesis/CH5_Examples/non_inv_amp_fmea.png diff --git a/submission_thesis/CH6_Evaluation/copy.tex b/submission_thesis/CH6_Evaluation/copy.tex new file mode 100644 index 0000000..19c375f --- /dev/null +++ b/submission_thesis/CH6_Evaluation/copy.tex @@ -0,0 +1,26 @@ +\section{Copy dot tex} + +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text diff --git a/submission_thesis/CH7_Conculsion/copy.tex b/submission_thesis/CH7_Conculsion/copy.tex new file mode 100644 index 0000000..19c375f --- /dev/null +++ b/submission_thesis/CH7_Conculsion/copy.tex @@ -0,0 +1,26 @@ +\section{Copy dot tex} + +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text +sample text 
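Review bot: The new directory in this hunk's path is spelled "CH7_Conculsion"; rename it to CH7_Conclusion in this commit, before chapter Makefiles and \input paths start to depend on the misspelling. The file is also identical to CH6_Evaluation/copy.tex (both are blob 19c375f: a "\section{Copy dot tex}" heading followed by "sample text" lines), so a one-line comment marking it as a placeholder would stop it being mistaken for lost chapter content later.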
diff --git a/submission_thesis/Makefile b/submission_thesis/Makefile new file mode 100644 index 0000000..9a65b19 --- /dev/null +++ b/submission_thesis/Makefile @@ -0,0 +1,9 @@ + + + +all: + pdflatex thesis + acroread thesis.pdf + +bib: + bibtex thesis diff --git a/submission_thesis/glossary.sty b/submission_thesis/glossary.sty new file mode 100644 index 0000000..2f6c12a --- /dev/null +++ b/submission_thesis/glossary.sty 
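Review bot: In submission_thesis/Makefile the default target "all" runs "acroread thesis.pdf" straight after "pdflatex thesis", so every build opens a viewer and fails on a machine without acroread or without a display; move the viewer into its own target (for example "view") and keep "all" to the build. The "bib" target runs only "bibtex thesis" with no pdflatex pass before or after it, so "make bib" on its own will not resolve citations, and neither target is declared .PHONY. The commit message says each chapter directory has a Makefile that builds its images when given "copy", but nothing in this file invokes those, so the top-level build will not regenerate them.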
@@ -0,0 +1,979 @@ +%% +%% This is file `glossary.sty', +%% generated with the docstrip utility. +%% +%% The original source files were: +%% +%% glossary.dtx (with options: `glossary.sty,package') +%% Copyright (C) 2006 Nicola Talbot, all rights reserved. +%% If you modify this file, you must change its name first. +%% You are NOT ALLOWED to distribute this file alone. You are NOT +%% ALLOWED to take money for the distribution or use of either this +%% file or a changed version, except for a nominal charge for copying +%% etc. +%% \CharacterTable +%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z +%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z +%% Digits \0\1\2\3\4\5\6\7\8\9 +%% Exclamation \! Double quote \" Hash (number) \# +%% Dollar \$ Percent \% Ampersand \& +%% Acute accent \' Left paren \( Right paren \) +%% Asterisk \* Plus \+ Comma \, +%% Minus \- Point \. Solidus \/ +%% Colon \: Semicolon \; Less than \< +%% Equals \= Greater than \> Question mark \? 
+%% Commercial at \@ Left bracket \[ Backslash \\ +%% Right bracket \] Circumflex \^ Underscore \_ +%% Grave accent \` Left brace \{ Vertical bar \| +%% Right brace \} Tilde \~} +\NeedsTeXFormat{LaTeX2e} +\ProvidesPackage{glossary}[2006/07/20 2.4 (NLCT)] +\RequirePackage{ifthen} +\RequirePackage{keyval} +\define@key{gloss} +{style} +{\ifthenelse{\equal{#1}{list} \or \equal{#1}{altlist} +\or \equal{#1}{super} \or \equal{#1}{long}} +{\def\gls@style{#1}} +{\PackageError{glossary} +{Unknown glossary style '#1'} +{Available styles are: list, altlist, super and long}}} +\define@key{gloss} +{header}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} +{\def\gls@header{#1}} +{\PackageError{glossary} +{Unknown glossary style '#1'} +{Available styles are: none and plain}}} +\define@key{gloss} +{border}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} +{\def\gls@border{#1}} +{\PackageError{glossary} +{Unknown glossary border '#1'} +{Available styles are: none and plain}}} +\newcount\gls@cols +\define@key{gloss}{cols}{\gls@cols=#1\relax +\ifthenelse{\gls@cols<2 \or \gls@cols>3} +{\PackageError{glossary} +{invalid number of columns} +{The cols option can only be 2 or 3}} +{}} +\define@key{gloss} +{number} +{\ifthenelse{\equal{#1}{none}} +{\def\gls@glossary@number{#1}} +{\@ifundefined{c@#1}{ +\PackageError{glossary} +{Unknown glossary number style '#1'} +{You may either specify "none" or the name of a counter, +e.g. 
"section"}\def\gls@glossary@number{page}}{\def\gls@glossary@number{#1}}}} +\newif\ifgls@toc +\define@key{gloss}{toc}[true]{\ifthenelse{\equal{#1}{true} +\or \equal{#1}{false}} +{\csname gls@toc#1\endcsname} +{\PackageError{glossary}{Glossary option 'toc' is boolean} +{The value of 'toc' can only be set to 'true' or 'false'}}} +\newif\ifgls@hypertoc +\define@key{gloss}{hypertoc}[true]{% +\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} +{\csname gls@hypertoc#1\endcsname} +{\PackageError{glossary}{Glossary option 'hypertoc' is boolean} +{The value of 'hypertoc' can only be set to 'true' or 'false'}}} +\newif\ifgls@section +\define@key{gloss}{section}[true]{% +\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} +{\csname gls@section#1\endcsname} +{\PackageError{glossary}{Glossary option 'section' is boolean} +{The value of 'section' can only be set to 'true' or 'false'}}} +\gls@sectionfalse +\newif\ifglshyper +\newif\ifglshyperacronym +\define@key{gloss}{hyper}[true]{% +\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} +{\csname glshyper#1\endcsname\glshyperacronymtrue} +{\PackageError{glossary}{Glossary option 'hyper' is boolean} +{The value of 'hyper' can only be set to 'true' or 'false'}}} +\define@key{gloss}{hyperacronym}[true]{% +\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} +{\csname glshyperacronym#1\endcsname} +{\PackageError{glossary}{Glossary option 'hyperacronym' is boolean} +{The value of 'hyperacronym' can only be set to 'true' or 'false'}}} +\newif\ifglsacronym +\define@key{gloss}{acronym}[true]{% +\ifthenelse{\equal{#1}{true} \or \equal{#1}{false}} +{\setboolean{glsacronym}{#1}}{% +\PackageError{glossary}{Glossary option 'acronym' is boolean}{The +value of 'acronym' can only be set to 'true' or 'false'}}} +\newif\ifglsglobal +\define@key{gloss}{global}[true]{\ifthenelse{\equal{#1}{true}\or +\equal{#1}{false}}{\setboolean{glsglobal}{#1}}{% +\PackageError{glossary}{Glossary option 'global' is boolean}{The +value of 'global' can only be set to 
'true' or 'false'}}} +\def\gls@style{long} +\def\gls@header{none} +\def\gls@border{none} +\def\gls@glossary@number{page} +\gls@cols=2\relax +\gls@tocfalse +\@ifundefined{hyperpage}{\glshyperfalse\glshyperacronymfalse}{% +\glshypertrue\glshyperacronymtrue} +\@ifundefined{hypertarget}{ +\newcommand{\glosslabel}[2]{#2}% +\newcommand{\glossref}[2]{#2}% +}{% +\newcommand{\glosslabel}[2]{\hypertarget{#1}{#2}}% +\newcommand{\glossref}[2]{\hyperlink{#1}{#2}} +} +\@ifundefined{xspace}{% +\let\glsxspace\relax}{% +\let\glsxspace\xspace} +\let\glossaryalignment\relax +\newcommand{\glossarypackageoptions}[1]{\setkeys{gloss}{#1}} +\InputIfFileExists{glossary.cfg}{% +\typeout{Glossary configuration file loaded}}{% +\typeout{No configuration file glossary.cfg found}} +\renewcommand{\glossarypackageoptions}[1]{% +\PackageError{glossary}{Command \string\glossarypackageoptions +^^Jcan only be used in configuration file}{}} +\DeclareOption*{\edef\@pkg@ptions{\noexpand +\setkeys{gloss}{\CurrentOption}} +\ifthenelse{\equal{\CurrentOption}{}}{}{\@pkg@ptions}} +\ProcessOptions +\ifthenelse{\(\equal{\gls@style}{list} \or +\equal{\gls@style}{altlist}\) \and +\(\not\equal{\gls@header}{none} \or \not\equal{\gls@border}{none} +\or \gls@cols=3\)} +{\PackageError{glossary}{You can't have option 'style=list' or +'style=altlist' in combination with any of the other style +options}{The 'list' and 'altlist' options don't have a header, +border or number of columns option.}} +{} +\ifthenelse{\boolean{gls@hypertoc} \and \boolean{gls@toc}}{% +\PackageWarning{glossary}{Can't have both 'toc' and +'hypertoc', ignoring 'toc' option} +\ifgls@hypertoc\gls@tocfalse\fi}{} +\define@key{wrgloss}{name}{% +\def\@glo@n@me{#1}% +\@onelevel@sanitize\@glo@n@me% +\global\let\@glo@n@me\@glo@n@me} +\define@key{wrgloss}{description}{% +\def\@descr{#1}% +\@onelevel@sanitize\@descr} +\define@key{wrgloss}{sort}{% +\def\@s@rt{#1}% +\@onelevel@sanitize\@s@rt +\global\let\@s@rt\@s@rt} 
+\define@key{wrgloss}{format}{\def\@f@rm@t{#1}} +\define@key{wrgloss}{number}{\def\@glo@num{#1}} +\newcommand{\@@wrglossary}{} +\newcommand{\@glo@l@bel}{} +\newcommand{\@gls@glossary@type}{glo} +\renewcommand{\@wrglossary}[2][glossary]{\relax +\gdef\@glo@n@me{}\def\@descr{}\def\@s@rt{}\def\@f@rm@t{}% +\edef\@glo@num{\csname gls@#1@number\endcsname}\relax +\xdef\@pr@fix{\csname @gls@#1@type\endcsname}% + \setkeys{wrgloss}{#2}\relax +\ifthenelse{\equal{\@glo@num}{none}}{\def\@@glo@num{\thepage}}{% +\@ifundefined{c@\@glo@num}{\PackageError{glossary}{% +Not such counter '\@glo@num'}{The value of the 'number' key +must be the name of a counter or the word "none"}% +\def\@@glo@num{\thepage}}{% +\edef\@@glo@num{\csname the\@glo@num\endcsname}}}% +\ifthenelse{\equal{\@s@rt}{}}{\gdef\@s@rt{\@glo@n@me}}{}% +\ifthenelse{\equal{\@glo@l@bel}{}}{% +\gdef\@glo@l@bel{\@pr@fix:\@s@rt}}{}% +\ifthenelse{\equal{\@f@rm@t}{}} +{\expandafter\protected@write\csname @#1file\endcsname{}% +{\string\glossaryentry{\@s@rt @{% +\string\glosslabel{\@glo@l@bel}{\@glo@n@me}}\@descr +\string\relax|glsnumformat}{\@@glo@num}}} +{\ifthenelse{\equal{\@f@rm@t}{hyperrm} \or +\equal{\@f@rm@t}{hypersf} \or \equal{\@f@rm@t}{hypertt} +\or \equal{\@f@rm@t}{hypermd} \or \equal{\@f@rm@t}{hyperbf} +\or \equal{\@f@rm@t}{hyperit} \or \equal{\@f@rm@t}{hyperem} +\or \equal{\@f@rm@t}{hypersl} \or \equal{\@f@rm@t}{hyperup} +\or \equal{\@f@rm@t}{hypersc}} +{\expandafter\protected@write\csname @#1file\endcsname{}% + {\string\glossaryentry{\@s@rt @{% + \string\glosslabel{\@glo@l@bel}{\@glo@n@me}}\@descr + \string\relax|\@f@rm@t[\@glo@num]}{\@@glo@num}}} +{\expandafter\protected@write\csname @#1file\endcsname{}% + {\string\glossaryentry{\@s@rt @{% + \string\glosslabel{\@glo@l@bel}{\@glo@n@me}}\@descr + \string\relax|\@f@rm@t}{\@@glo@num}}}}\relax + \endgroup\@esphack +\@@wrglossary +} +\define@key{wrnsgloss}{name}{\def\@glo@n@me{#1}} +\define@key{wrnsgloss}{description}{\def\@descr{#1}} 
+\define@key{wrnsgloss}{sort}{\def\@s@rt{#1}} +\define@key{wrnsgloss}{format}{\def\@f@rm@t{#1}} +\define@key{wrnsgloss}{number}{\def\@glo@num{#1}} +\newcommand{\@gls@getn@me}[1]{% +\def\@glo@n@me{}\setkeys{wrnsgloss}{#1}% +} +\newcommand{\@gls@getdescr}[1]{% +\@bsphack\begingroup +\def\@descr{}% +\setkeys{wrgloss}{#1}% +\global\let\@glo@desc\@descr +\endgroup\@esphack +} +\newcommand{\xglossary}{\renewcommand{\@@wrglossary}[1]{% +\glossref{\@glo@l@bel}{##1}\renewcommand{\@@wrglossary}{}}% +\glossary} +\newcommand*{\@glo@label@list}{} +\toksdef\gls@ta=0 \toksdef\gls@tb=2 +\newcommand{\@glo@label@addtolist}[1]{% +\gls@ta={{#1}}\gls@tb=\expandafter{\@glo@label@list}% +\xdef\@glo@label@list{\the\gls@ta,\the\gls@tb}} +\newcommand*{\storeglosentry}[3][glossary]{% +\ifthenelse{\equal{#2}{*}}{% +\PackageError{glossary}{Glossary label '*' invalid}{You can't have +a glossary entry with a * as the label}}{% +\@ifundefined{glo@#2@entry}{% +\@glo@label@addtolist{#2}% +\expandafter\def\csname glo@#2@type\endcsname{#1}% +\expandafter\def\csname glo@#2@entry\endcsname{#3}% +\@gls@getn@me{#3}% +\expandafter\protected@edef\csname glo@#2@name\endcsname{\@glo@n@me}% +}{% +\PackageError{glossary}{Glossary entry '#2' already +defined}{There already exists a glossary entry with the label '#2'}}}% +} +\providecommand{\useglosentry}[2][\relax]{% +\ifthenelse{\equal{#2}{*}}{\@for\@glolab:=\@glo@label@list\do{% +\ifthenelse{\equal{\@glolab}{}}{}{\useglosentry[#1]{\@glolab}}}}{% +\@ifundefined{glo@#2@type}{% +\PackageError{glossary}{Glossary entry '#2' undefined}{You need +to define the entry using \string\storeglosentry\space before +using it.}}{{% +\edef\@glostype{\csname glo@#2@type\endcsname}% +\@glo@tb=\expandafter\expandafter\expandafter +{\csname glo@#2@entry\endcsname}% +\ifx#1\relax +\edef\@glo@cmd{\expandafter\noexpand +\csname\@glostype\endcsname{\the\@glo@tb}}% +\else +\edef\@glo@cmd{\expandafter\noexpand +\csname\@glostype\endcsname{\the\@glo@tb,#1}}% +\fi +\@glo@cmd +}}}} 
+\providecommand{\useGlosentry}[3][\relax]{% +\@ifundefined{glo@#2@type}{% +\PackageError{glossary}{Glossary entry '#2' undefined}{You need +to define the entry using \string\storeglosentry\space before +using it.}}{{% +\edef\@glostype{x\csname glo@#2@type\endcsname}% +\@glo@tb=\expandafter\expandafter\expandafter +{\csname glo@#2@entry\endcsname}% +\ifx#1\relax +\edef\@glo@cmd{\expandafter\noexpand +\csname\@glostype\endcsname{\the\@glo@tb}}% +\else +\edef\@glo@cmd{\expandafter\noexpand +\csname\@glostype\endcsname{\the\@glo@tb,#1}}% +\fi +\@glo@cmd{#3}% +}}} +\newcommand{\gls}[2][\relax]{% +\useGlosentry[#1]{#2}{% +\csname glo@#2@name\endcsname}} +\providecommand{\saveglosentry}[3][glossary]{% +\PackageWarning{glossary}{\string\saveglosentry\space is obsolete, +please use \string\storeglosentry\space instead}% +\expandafter\def\csname glo@#2@type\endcsname{#1}% +\expandafter\def\csname glo@#2@entry\endcsname{% +name={#2},description={#3}}} +\newcommand*{\@gls@setnumbering}[2][glossary]{% +\ifthenelse{\equal{#2}{none}}{% +\def\pagecompositor{-} +\expandafter\def\csname @#1@delimN\endcsname{} +\expandafter\def\csname @#1@delimR\endcsname{} +\expandafter\def\csname glsX#1Xnumformat\endcsname##1{}}{% +\ifthenelse{\equal{#2}{page}}{% +\def\pagecompositor{-}}{% +\def\pagecompositor{.}} +\expandafter\def\csname @#1@delimN\endcsname{, } +\expandafter\def\csname @#1@delimR\endcsname{--} +\ifglshyper +\expandafter\def\csname glsX#1Xnumformat\endcsname##1{% +\hyperrm[#2]{##1}}% +\else +\expandafter\def\csname glsX#1Xnumformat\endcsname##1{##1}\fi +} +} +\@gls@setnumbering{\gls@glossary@number} +\newcommand{\glsnumformat}[1]{% +\@ifundefined{\@glostype}{\def\@glostype{glossary}}{}% +\@ifundefined{glsX\@glostype Xnumformat}{% +\PackageError{glossary}{Glossary type '\@glostype' undefined}{}}{% +\csname glsX\@glostype Xnumformat\endcsname{#1}}} +\def\@glostype{glossary} +\newcommand{\delimN}{\csname @\@glostype @delimN\endcsname} +\newcommand{\delimR}{\csname @\@glostype 
@delimR\endcsname} +\newcommand{\gloitem}{\csname @\@glostype @gloitem\endcsname} +\newcommand{\gloskip}{\csname @\@glostype @gloskip\endcsname} +\newcommand{\delimT}{\glsafternum +\csname @\@glostype @delimT\endcsname} +\newcommand{\glodelim}{\csname @\@glostype @glodelim\endcsname +\glsbeforenum} +\newcommand{\glogroupSymbols}{} +\newcommand{\glogroupNumbers}{} +\newcommand{\glogroupA}{} +\newcommand{\glogroupB}{} +\newcommand{\glogroupC}{} +\newcommand{\glogroupD}{} +\newcommand{\glogroupE}{} +\newcommand{\glogroupF}{} +\newcommand{\glogroupG}{} +\newcommand{\glogroupH}{} +\newcommand{\glogroupI}{} +\newcommand{\glogroupJ}{} +\newcommand{\glogroupK}{} +\newcommand{\glogroupL}{} +\newcommand{\glogroupM}{} +\newcommand{\glogroupN}{} +\newcommand{\glogroupO}{} +\newcommand{\glogroupP}{} +\newcommand{\glogroupQ}{} +\newcommand{\glogroupR}{} +\newcommand{\glogroupS}{} +\newcommand{\glogroupT}{} +\newcommand{\glogroupU}{} +\newcommand{\glogroupV}{} +\newcommand{\glogroupW}{} +\newcommand{\glogroupX}{} +\newcommand{\glogroupY}{} +\newcommand{\glogroupZ}{} +\define@key{glossnum}{glsnumformat}{\def\@glsnumformat{#1}} +\define@key{glossnum}{type}{\def\@glsnumtype{#1}} +\define@key{glossnum}{delimN}{\def\@delimN{#1}} +\define@key{glossnum}{delimR}{\def\@delimR{#1}} +\define@key{glossnum}{delimT}{\def\@delimT{#1}} +\define@key{glossnum}{gloskip}{\def\@gloskip{#1}} +\define@key{glossnum}{glodelim}{\def\@glodelim{#1}} +\providecommand{\ignore}[1]{} +\newcommand{\setglossary}[1]{% +\def\@glsnumformat{}% +\def\@glsnumtype{glossary}% +\def\@delimN{@dontchange@}% +\def\@delimR{@dontchange@}% +\def\@delimT{@dontchange@}% +\def\@gloskip{@dontchange@}% +\def\@glodelim{@dontchange@}% +\setkeys{glossnum}{#1}\relax +\@ifundefined{print\@glsnumtype}{% +\PackageError{glossary}{Invalid glossary type '\@glsnumtype'}{% +Glossary type '\@glsnumtype' has not been defined} +}{% +\ifthenelse{\equal{\@glsnumformat}{}}{}{% +\expandafter\xdef\csname glsX\@glsnumtype Xnumformat\endcsname{% 
+\noexpand\csname\@glsnumformat\noexpand\endcsname}% +\ifthenelse{\equal{\@glsnumformat}{ignore}}{% +\expandafter\xdef\csname @\@glsnumtype @delimN\endcsname{}% +\expandafter\xdef\csname @\@glsnumtype @delimR\endcsname{}% +}{}% +}% +\ifthenelse{\equal{\@delimN}{@dontchange@}}{}{% +\expandafter\xdef\csname @\@glsnumtype @delimN\endcsname{% +\@delimN}}% +\ifthenelse{\equal{\@delimR}{@dontchange@}}{}{% +\expandafter\xdef\csname @\@glsnumtype @delimR\endcsname{% +\@delimR}}% +\ifthenelse{\equal{\@delimT}{@dontchange@}}{}{% +\expandafter\xdef\csname @\@glsnumtype @delimT\endcsname{% +\@delimT}}% +\ifthenelse{\equal{\@gloskip}{@dontchange@}}{}{% +\expandafter\xdef\csname @\@glsnumtype @gloskip\endcsname{% +\@gloskip}}% +\ifthenelse{\equal{\@glodelim}{@dontchange@}}{}{% +\expandafter\xdef\csname @\@glsnumtype @glodelim\endcsname{% +\@glodelim}% +}% +}} +\newcommand{\@gls@glossary@inext}{gls} +\newcommand\printglossary[1][glossary]{% +\def\@glostype{#1}% +\@ifundefined{#1name}{% +\renewcommand{\@glossaryname}{\glossaryname}}{% +\renewcommand{\@glossaryname}{\csname #1name\endcsname}}% +\@ifundefined{short#1name}{% +\renewcommand{\@shortglossaryname}{\@glossaryname}}{% +\renewcommand{\@shortglossaryname}{\csname short#1name\endcsname}}% +\expandafter\let\expandafter\gls@number\csname gls@#1@number\endcsname +\@input@{\jobname.\csname @gls@#1@inext\endcsname}} +\providecommand{\glossaryname}{Glossary} +\newcommand{\shortglossaryname}{\glossaryname} +\newcommand{\entryname}{Notation} +\newcommand{\descriptionname}{Description} +\newcommand{\istfilename}{\jobname.ist} +\def\@glossaryname{\glossaryname} +\def\@shortglossaryname{\shortglossaryname} +\newcommand{\@istfilename}[1]{} +\providecommand{\glossarytitle}{% +\@ifundefined{chapter}% +{% +\ifgls@hypertoc +\phantomsection +\@glosaddtoc{section}% +\section*{\@glossaryname}\relax +\else +\section*{\@glossaryname}\relax +\ifgls@toc\@glosaddtoc{section}\fi +\fi}% +{% +\ifthenelse{\boolean{gls@section}}% +{% +\ifgls@hypertoc 
+\phantomsection +\@glosaddtoc{section}% +\section*{\@glossaryname}\relax +\else +\section*{\@glossaryname}\relax +\ifgls@toc\@glosaddtoc{section}\fi +\fi}% +{% +\ifgls@hypertoc +\@ifundefined{if@twoside}{% +\clearpage}{% +\if@twoside +\@ifundefined{cleardoublepage}{\clearpage}{\cleardoublepage}% +\else +\clearpage +\fi}% +\phantomsection +\@glosaddtoc{chapter}% +\fi +\chapter*{\@glossaryname}\relax +\ifgls@toc\@glosaddtoc{chapter}\fi}} +\markboth{\@shortglossaryname}{\@shortglossaryname}% +} +\@ifundefined{theglossary}{% +\newenvironment{theglossary}{}{}}{% +\PackageWarning{glossary}{Redefining 'theglossary' environment}} +\renewenvironment{theglossary}{% +\glossarytitle +\glossarypreamble\@bef@reglos}{\@ftergl@s\glossarypostamble} +\newcommand{\glossarypreamble}{} +\newcommand{\glossarypostamble}{} +\newcommand{\@glosaddtoc}[1]{% +\addcontentsline{toc}{#1}{\@shortglossaryname} +} +\newif\ifgloitemfirst +\newcommand{\@bef@reglos}{\global\gloitemfirsttrue\beforeglossary} +\newcommand{\@ftergl@s}{\afterglossary\global\gloitemfirstfalse} +\newcommand{\glossaryalignment}{\relax} +\newcommand{\@gls@align@glossary}{} +\newcommand{\glosstail}{% +\@ifundefined{@gls@tail@\@glostype}{% +\PackageError{glossary}{No glossary tail defined for glossary +type '\@glostype'}{}}{% +\csname @gls@tail@\@glostype\endcsname}} +\newcommand{\@gls@tail@glossary}{} +\newcommand{\afterglossary}{% +\@ifundefined{@gls@afterglos@\@glostype}{% +\PackageError{glossary}{No after glossary defined for glossary +type '\@glostype'}{}}{% +\csname @gls@afterglos@\@glostype\endcsname}} +\newcommand{\beforeglossary}{% +\@ifundefined{@gls@beforeglos@\@glostype}{% +\PackageError{glossary}{No before glossary defined for glossary +type '\@glostype'}{}}{% +\csname @gls@beforeglos@\@glostype\endcsname}} +\newcommand{\@gls@beforeglos@glossary}{} +\newcommand{\@gls@afterglos@glossary}{} +\newcommand{\@glossary@glodelim}{} +\newcommand{\@glossary@delimT}{} +\newcommand{\glsafternum}{} +\newcommand{\glsbeforenum}{} 
+\newcommand{\@glossary@gloskip}{} +\newcommand{\@glossary@gloitem}[1]{#1} +\newcommand{\gls@setlist}[1][glossary]{% +\expandafter\def\csname @gls@beforeglos@#1\endcsname{% +\begin{description}}% +\expandafter\def\csname @gls@afterglos@#1\endcsname{% +\end{description}}% +\expandafter\def\csname @#1@gloskip\endcsname{\indexspace}% +\ifthenelse{\equal{\csname gls@#1@number\endcsname}{none}}{% +\expandafter\def\csname @#1@glodelim\endcsname{}}{% +\expandafter\def\csname @#1@glodelim\endcsname{, }}% +\expandafter\def\csname @#1@gloitem\endcsname##1{\item[##1]}% +\expandafter\def\csname @#1@delimT\endcsname{} +} +\newcommand{\gls@setaltlist}[1][glossary]{% +\expandafter\def\csname @gls@beforeglos@#1\endcsname{% +\begin{description}}% +\expandafter\def\csname @gls@afterglos@#1\endcsname{% +\end{description}}% +\expandafter\def\csname @#1@gloskip\endcsname{\indexspace}% +\expandafter\def\csname @#1@gloitem\endcsname##1{% +\item[##1]\mbox{}\nopagebreak\par\nopagebreak}% +\expandafter\def\csname @#1@glodelim\endcsname{ }% +\expandafter\def\csname @#1@delimT\endcsname{} +} +\ifthenelse{\equal{\gls@style}{super}}{ +\IfFileExists{supertab.sty}{\RequirePackage{supertab}} +{\IfFileExists{supertabular.sty}{\RequirePackage{supertabular}} +{\PackageError{glossary}{Option "super" chosen, but can't find +"supertab" package}{If you want the "super" option, you have to have +the "supertab" package installed.}}}} +{\RequirePackage{longtable}} +\newlength{\descriptionwidth} +\setlength{\descriptionwidth}{0.6\linewidth} +\newcommand{\@glossaryheader}{% +\@ifundefined{glossaryheader}{\csname @\@glostype @header\endcsname} +{\glossaryheader}% +\@ifundefined{glossarysubheader}{}{\glossarysubheader}% +} +\newcommand{\gls@setheader}[1][glossary]{% +\ifthenelse{\equal{\gls@header}{none}}% +{% +\ifthenelse{\equal{\gls@border}{none}} +{\expandafter\def\csname @#1@header\endcsname{}% +}{\expandafter\def\csname @#1@header\endcsname{\hline}}% +}{% +\ifnum\gls@cols=2\relax 
+\ifthenelse{\equal{\gls@border}{none}} +{% +\expandafter\def\csname @#1@header\endcsname{% +\bfseries\entryname & \bfseries \descriptionname\\}}% +{% +\expandafter\def\csname @#1@header\endcsname{% +\hline\bfseries\entryname & \bfseries\descriptionname +\\\hline\hline}}% +\else +\ifthenelse{\equal{\gls@border}{none}} +{% +\expandafter\def\csname @#1@header\endcsname{% +\bfseries\entryname & \bfseries \descriptionname & +\bfseries \glspageheader \\}}% +{% +\expandafter\def\csname @#1@header\endcsname{% +\hline\bfseries\entryname &\bfseries\descriptionname & +\bfseries \glspageheader \\\hline\hline}}% +\fi +}} +\newcommand*{\glspageheader}{} +\newcommand{\gls@setalignment}[1][glossary]{% +\ifthenelse{\equal{\gls@border}{none}} +{ +\ifnum\gls@cols=2\relax +\expandafter\def\csname @gls@align@#1\endcsname{% +@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}} +\else +\expandafter\def\csname @gls@align@#1\endcsname{% +@{\hspace{\tabcolsep}\bfseries}lp{\descriptionwidth}l} +\fi +\expandafter\def\csname @gls@tail@#1\endcsname{}% +}{% +\ifnum\gls@cols=2\relax +\expandafter\def\csname @gls@align@#1\endcsname{% +|@{\hspace{\tabcolsep}\bfseries +}lp{\descriptionwidth}|} +\else +\expandafter\def\csname @gls@align@#1\endcsname{% +|@{\hspace{\tabcolsep}\bfseries +}lp{\descriptionwidth}l|} +\fi +\expandafter\def\csname @gls@tail@#1\endcsname{\hline}% +}% +\expandafter\def\csname @#1@delimT\endcsname{\\} +\ifnum\gls@cols=2\relax +\expandafter\def\csname @#1@gloskip\endcsname{& \\}% +\ifthenelse{\equal{\csname gls@#1@number\endcsname}{none}}{% +\expandafter\def\csname @#1@glodelim\endcsname{}}{% +\expandafter\def\csname @#1@glodelim\endcsname{, }}% +\else +\expandafter\def\csname @#1@gloskip\endcsname{& & \\}% +\expandafter\def\csname @#1@glodelim\endcsname{& }% +\fi +\expandafter\def\csname @#1@gloitem\endcsname##1{##1 &}% +} +\newcommand{\@st@rtglostable}[2]{% +\gls@ta={\begin{#1}}\gls@tb=\expandafter{#2}% +\edef\@st@rtglost@ble{\the\gls@ta{\the\gls@tb}} +\@st@rtglost@ble} 
+\newcommand{\gls@setsuper}[1][glossary]{% +\gls@setalignment[#1]% +\gls@setheader[#1]% +\expandafter\def\csname @gls@beforeglos@#1\endcsname{% +\tablehead{\@glossaryheader}\tabletail{\glosstail}% +\if\glossaryalignment\relax +\expandafter\let\expandafter\@glossaryalignment +\csname @gls@align@#1\endcsname +\else +\let\@glossaryalignment\glossaryalignment +\fi +\@st@rtglostable{supertabular}\@glossaryalignment} +\expandafter\def\csname @gls@afterglos@#1\endcsname{% +\end{supertabular}}% +} +\newcommand{\gls@setlong}[1][glossary]{% +\gls@setalignment[#1]% +\gls@setheader[#1]% +\expandafter\def\csname @gls@beforeglos@#1\endcsname{% +\if\relax\glossaryalignment +\expandafter\let\expandafter\@glossaryalignment +\csname @gls@align@#1\endcsname +\else +\let\@glossaryalignment\glossaryalignment +\fi +\@st@rtglostable{longtable}{\@glossaryalignment} +\@glossaryheader\endhead\glosstail\endfoot} +\expandafter\def\csname @gls@afterglos@#1\endcsname{% +\end{longtable}}% +} +\newcommand{\@setglossarystyle}[1][glossary]{% +\@ifundefined{gls@set\gls@style}{% +\PackageError{glossary}{Glossary style '\gls@style' undefined}{}}{% +\ifthenelse{\equal{\gls@number}{}}{}{% +\expandafter\edef\csname gls@#1@number\endcsname{\gls@number}% +\@gls@setnumbering[#1]{\gls@number}% +}% +\csname gls@set\gls@style\endcsname[#1]}} +\let\gls@number\gls@glossary@number +\@setglossarystyle +\define@key{glosstyle} +{style} +{\ifthenelse{\equal{#1}{list} \or \equal{#1}{altlist} +\or \equal{#1}{super} \or \equal{#1}{long}} +{\def\gls@style{#1}} +{\PackageError{glossary} +{Unknown glossary style '#1'} +{Available styles are: list, altlist, super and long}}} +\define@key{glosstyle} +{header}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} +{\def\gls@header{#1}} +{\PackageError{glossary} +{Unknown glossary style '#1'} +{Available styles are: none and plain}}} +\define@key{glosstyle} +{border}[plain]{\ifthenelse{\equal{#1}{none} \or \equal{#1}{plain}} +{\def\gls@border{#1}} 
+{\PackageError{glossary} +{Unknown glossary border '#1'} +{Available styles are: none and plain}}} +\define@key{glosstyle}{cols}{\gls@cols=#1\relax +\ifthenelse{\gls@cols<2 \or \gls@cols>3} +{\PackageError{glossary} +{invalid number of columns} +{The cols option can only be 2 or 3}} +{}} +\define@key{glosstyle} +{number} +{\ifthenelse{\equal{#1}{none}} +{\def\gls@number{#1}} +{\@ifundefined{c@#1}{ +\PackageError{glossary} +{Unknown glossary number style '#1'} +{You may either specify "none" or the name of a counter, +e.g. "section"}\def\gls@number{page}}{\def\gls@number{#1}}}} +\newcommand{\setglossarystyle}[2][glossary]{% +\def\gls@number{}% +\setkeys{glosstyle}{#2}% +\@setglossarystyle[#1]% +} +\ifthenelse{\equal{\gls@glossary@number}{none} \and \gls@cols<3}{% +\renewcommand{\@glossary@glodelim}{}}{} +\newif\ifist +\let\noist=\istfalse +\if@filesw\isttrue\else\istfalse\fi +\newwrite\istfile +\catcode`\%11\relax +\newcommand{\writeist}{ +\protected@write\@auxout{}{\protect\@istfilename{\istfilename}} +\openout\istfile=\istfilename +\write\istfile{% makeindex style file created by LaTeX for document "\jobname" on \the\year-\the\month-\the\day} +\write\istfile{keyword "\string\\glossaryentry"} +\write\istfile{preamble "\string\\begin{theglossary}"} +\write\istfile{postamble "\string\n\string\\end{theglossary}\string\n"} +\write\istfile{group_skip "\string\\gloskip "} +\write\istfile{item_0 "\string\n\string\n\string\\gloitem "} +\write\istfile{delim_0 "\string\n\string\\glodelim "} +\write\istfile{page_compositor "\pagecompositor"} +\write\istfile{delim_n "\string\\delimN "} +\write\istfile{delim_r "\string\\delimR "} +\write\istfile{delim_t "\string\\delimT "} +\write\istfile{headings_flag 1} +\write\istfile{heading_prefix "\string\\glogroup"} +\write\istfile{symhead_positive "Symbols"} +\write\istfile{numhead_positive "Numbers"} +\closeout\istfile +} +\catcode`\%14\relax +\renewcommand{\makeglossary}{ +\newwrite\@glossaryfile 
+\immediate\openout\@glossaryfile=\jobname.glo +\renewcommand{\glossary}[1][]{\gdef\@glo@l@bel{##1}% +\@bsphack \begingroup \@wrglossary } +\typeout {Writing glossary file \jobname .glo } +\let \makeglossary \@empty +\ifist\writeist\fi +\noist} +\renewcommand{\glossary}[1][]{% +\@bsphack\begingroup\@sanitize\@index} +\newcommand{\newglossarytype}[4][glg]{ +\@ifundefined{#2}{% +\protected@write\@auxout{}{\@newglossarytype[#1]{#2}{#3}{#4}}% +\def\@glstype{#2}\def\@glsout{#3}\def\@glsin{#4}% +\expandafter\edef\csname gls@\@glstype @number\endcsname{% +\gls@glossary@number}% +\expandafter\gdef\csname glsX\@glstype Xnumformat\endcsname{% +\glsXglossaryXnumformat}% +\expandafter\gdef\csname @\@glstype @delimN\endcsname{% +\@glossary@delimN}% +\expandafter\gdef\csname @\@glstype @delimR\endcsname{% +\@glossary@delimR}% +\expandafter\gdef\csname @gls@\@glstype @inext\endcsname{#4}% +\expandafter\def\csname @gls@#2@type\endcsname{#4}% +\expandafter\edef\csname make\@glstype\endcsname{% +\noexpand\@m@kegl@ss{\@glstype}{\@glsout}} +\expandafter\edef\csname \@glstype\endcsname{% +\noexpand\@gl@ss@ary{\@glstype}} +\expandafter\edef\csname x\@glstype\endcsname{% +\noexpand\@Gl@ss@ary{\@glstype}} +\@namedef{print\@glstype}{% +\printglossary[#2]}% +}{\PackageError{glossary}{Command +\expandafter\string\csname #2\endcsname \space already defined}{% +You can't call your new glossary type '#2' because there already +exists a command with this name}}% +\@@n@wglostype} +\newcommand{\@@n@wglostype}[1][]{% +\setglossarystyle[\@glstype]{#1}} +\newcommand{\@newglossarytype}[4][glg]{} +\newcommand\@m@kegl@ss[2]{% +\expandafter\newwrite\csname @#1file\endcsname +\expandafter\immediate\expandafter +\openout\csname @#1file\endcsname=\jobname.#2 +\typeout {Writing #1 file \jobname .#2 } +\expandafter\let \csname make#1\endcsname \@empty +\ifist\writeist\fi +\expandafter\def\csname the#1num\endcsname{\thepage} +\noist +} +\newcommand\@gl@ss@ary[2][]{\@ifundefined{@#2file}{% 
+\@bsphack\begingroup\@sanitize \@index}{% +\gdef\@glo@l@bel{#1}% +\@bsphack \begingroup \@wrglossary[#2]}} +\newcommand{\@Gl@ss@ary}{% +\renewcommand{\@@wrglossary}[1]{% +\glossref{\@glo@l@bel}{##1}\renewcommand{\@@wrglossary}{}}% +\@gl@ss@ary} +\@onlypreamble{\newglossarytype} +\newcommand\@acrnmsh{} +\newcommand\@sacrnmsh{} +\newcommand\@acrnmln{} +\newcommand\@acrnmcmd{} +\newcommand\@acrnmgls{} +\newcommand\@acrnmins{} +\toksdef\@glo@tb=2 +\newcommand{\@acr@list}{} +\newcommand{\@acr@addtolist}[1]{\edef\@glo@ta{#1}% +\ifthenelse{\equal{\@acr@list}{}}{% +\edef\@acr@list{\@glo@ta}}{% +\@glo@tb=\expandafter{\@acr@list}% +\edef\@acr@list{\the\@glo@tb,\@glo@ta}}} +\newcommand{\@acronymnamefmt}{\glolong\ (\gloshort)} +\newcommand{\setacronymnamefmt}[1]{\def\@acronymnamefmt{#1}} +\newcommand{\@acronymdescfmt}{\glodesc} +\newcommand{\setacronymdescfmt}[1]{\def\@acronymdescfmt{#1}} +\newcommand{\acronymfont}[1]{#1} +\newcommand{\newacronym}[4][]{% +\ifthenelse{\equal{#1}{}}{\renewcommand\@acrnmcmd{#2}}{% +\renewcommand\@acrnmcmd{#1}} +\@ifundefined{\@acrnmcmd}{% +\expandafter\newcommand\csname\@acrnmcmd short\endcsname{% +#2\protect\glsxspace} +\expandafter\newcommand\csname\@acrnmcmd @nx@short\endcsname{#2} +\expandafter\newcommand\csname\@acrnmcmd long\endcsname{% +#3\protect\glsxspace} +\expandafter\newcommand\csname\@acrnmcmd @nx@long\endcsname{#3} +\def\@acrn@entry{#4}% +{% +\expandafter\@gls@getdescr\expandafter{\@acrn@entry}% +\let\glodesc\@glo@desc% +\def\glolong{#3}% +\@onelevel@sanitize\glolong +\def\gloshort{\noexpand\acronymfont{#2}}% +\@onelevel@sanitize\gloshort +\expandafter\protected@xdef\expandafter\@acrnamefmt{\@acronymnamefmt} +\expandafter\protected@xdef\expandafter\@acrdesc{\@acronymdescfmt} +}% +\@acr@addtolist{\@acrnmcmd} +\@glo@tb=\expandafter{\@acrn@entry}% +\protected@edef\@acr@glsentry{name={\@acrnamefmt},% +format=glsnumformat,sort={\@acrnmcmd},\the\@glo@tb,% +description={\@acrdesc}}% +\@glo@tb=\expandafter{\@acr@glsentry}% 
+\newboolean{\@acrnmcmd first}\setboolean{\@acrnmcmd first}{true} +\expandafter\protected@edef\csname \@acrnmcmd\endcsname{% +\noexpand\@ifstar{\csname @s@\@acrnmcmd\endcsname}{% +\csname @\@acrnmcmd\endcsname}} +\ifglshyperacronym % hyperlinks +\expandafter\protected@edef\csname @\@acrnmcmd\endcsname{% +\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}{% +\csname\@acrnmcmd @nx@long\endcsname\noexpand\@acrnmins\ +(\noexpand\xacronym{\the\@glo@tb}{% +\noexpand\acronymfont{\csname\@acrnmcmd @nx@short\endcsname}% +})\noexpand\unsetacronym{\@acrnmcmd}% +}{\noexpand\xacronym{\the\@glo@tb}{% +\noexpand\acronymfont{\csname\@acrnmcmd @nx@short\endcsname}% +\noexpand\@acrnmins}}\noexpand\glsxspace} +\expandafter\protected@edef\csname @s@\@acrnmcmd\endcsname{% +\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}{% +\noexpand\expandafter\noexpand\MakeUppercase +\csname\@acrnmcmd @nx@long\endcsname\noexpand\@acrnmins\ +(\noexpand\xacronym{\the\@glo@tb}{% +\noexpand\acronymfont{\csname\@acrnmcmd @nx@short\endcsname}% +})% +\noexpand\unsetacronym{\@acrnmcmd}}{% +\noexpand\xacronym{\the\@glo@tb}{% +\noexpand\acronymfont{\noexpand\expandafter\noexpand\MakeUppercase +\csname\@acrnmcmd @nx@short\endcsname}% +\noexpand\@acrnmins}}\noexpand\glsxspace} +\else % no hyperlinks +\expandafter\protected@edef\csname @\@acrnmcmd\endcsname{% +\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}{% +\csname\@acrnmcmd @nx@long\endcsname\noexpand\@acrnmins\ +(\noexpand\acronym{\the\@glo@tb}{% +\noexpand\acronymfont{\csname\@acrnmcmd @nx@short\endcsname}% +})\noexpand\unsetacronym{\@acrnmcmd}% +}{\noexpand\acronym{\the\@glo@tb}{% +\noexpand\acronymfont{\csname\@acrnmcmd @nx@short\endcsname}% +\noexpand\@acrnmins}}% +\noexpand\glsxspace} +\expandafter\protected@edef\csname @s@\@acrnmcmd\endcsname{% +\noexpand\ifthenelse{\noexpand\boolean{\@acrnmcmd first}}{% +\noexpand\expandafter +\noexpand\MakeUppercase +\csname\@acrnmcmd @nx@long\endcsname\noexpand\@acrnmins\ 
+(\noexpand\acronym{\the\@glo@tb}{% +\noexpand\acronymfont{\csname\@acrnmcmd @nx@short\endcsname}% +})% +\noexpand\unsetacronym{\@acrnmcmd}}{% +\noexpand\acronym{\the\@glo@tb}{% +\noexpand\acronymfont{\noexpand\expandafter\noexpand\MakeUppercase +\csname\@acrnmcmd @nx@short\endcsname}% +\noexpand\@acrnmins}}\noexpand\glsxspace} +\fi +}{% +\PackageError{glossary}{Command '\expandafter\string +\csname\@acrnmcmd\endcsname' already defined}{% +The command name specified by \string\newacronym already exists.}}} +\newcommand{\useacronym}{\@ifstar\@suseacronym\@useacronym} +\newcommand{\@suseacronym}[2][]{{\let\glsxspace\relax +\def\@acrnmins{#1}\csname @s@#2\endcsname}% +\setboolean{#2first}{false}} +\newcommand{\@useacronym}[2][]{{\let\glsxspace\relax +\def\@acrnmins{#1}\csname @#2\endcsname}% +\setboolean{#2first}{false}} +\newcommand{\acrln}{\@ifstar\@sacrln\@acrln} +\newcommand{\@acrln}[1]{\@ifundefined{#1long}{% +\PackageError{glossary}{Acronym '#1' has not been defined}{}}{% +\csname#1@nx@long\endcsname}} +\newcommand{\@sacrln}[1]{\@ifundefined{#1long}{% +\PackageError{glossary}{Acronym '#1' has not been defined}{}}{% +\expandafter\expandafter\expandafter +\MakeUppercase\csname#1@nx@long\endcsname}} +\newcommand{\acrsh}{\@ifstar\@sacrsh\@acrsh} +\newcommand{\@acrsh}[1]{\@ifundefined{#1short}{% +\PackageError{glossary}{Acronym '#1' has not been defined}{}}{% +\acronymfont{\csname#1@nx@short\endcsname}}} +\newcommand{\@sacrsh}[1]{\@ifundefined{#1short}{% +\PackageError{glossary}{Acronym '#1' has not been defined}{}}{% +\acronymfont{\expandafter\expandafter\expandafter +\MakeUppercase\csname#1@nx@short\endcsname}}} +\newcommand{\ifacronymfirstuse}[3]{% +\@ifundefined{if#1first}{% +\PackageError{glossary}{Acronym '#1' not defined}{}}{% +\ifthenelse{\boolean{#1first}}{#2}{#3}}} +\newcommand{\resetacronym}[1]{% +\@ifundefined{if#1first}{% +\PackageError{glossary}{Acronym '#1' not defined}{}}{% +\ifglsglobal +\expandafter\global\csname #1firsttrue\endcsname +\else 
+\setboolean{#1first}{true}% +\fi}} +\newcommand{\unsetacronym}[1]{% +\@ifundefined{if#1first}{% +\PackageError{glossary}{Acronym '#1' not defined}{}}{% +\ifglsglobal +\expandafter\global\csname #1firstfalse\endcsname +\else +\setboolean{#1first}{false}% +\fi}} +\newcommand{\resetallacronyms}{% +\@for\@acr:=\@acr@list\do{\resetacronym{\@acr}}} +\newcommand{\unsetallacronyms}{% +\@for\@acr:=\@acr@list\do{\unsetacronym{\@acr}}} +\ifglsacronym +\newglossarytype[alg]{acronym}{acr}{acn} +\providecommand{\acronymname}{List of Acronyms} +\else +\let\acronym=\glossary +\let\xacronym=\xglossary +\fi +\ifglshyper +\def\glshyper#1#2{\@glshyper{#1}#2\delimR \delimR \\} +\def\@glshyper#1#2\delimR #3\delimR #4\\{% +\ifx\\#3\\% +\@delimNhyper{#1}{#2}% +\else +\@ifundefined{hyperlink}{#2\delimR #3}{% +\hyperlink{#1.#2}{#2}\delimR \hyperlink{#1.#3}{#3}}% +\fi +} +\def\@delimNhyper#1#2{\@@delimNhyper{#1}#2\delimN \delimN\\} +\def\@@delimNhyper#1#2\delimN #3\delimN #4\\{% + \ifx\\#3\\% + \@ifundefined{hyperlink}{#2}{\hyperlink{#1.#2}{#2}}% + \else + \@ifundefined{hyperlink}{#2\delimN #3}{% +\hyperlink{#1.#2}{#2}\delimN \hyperlink{#1.#3}{#3}}% + \fi +} +\newcommand\glshyperpage[1]{\glshyper{page}{#1}} +\newcommand\glshypersection[1]{\glshyper{section}{#1}} +\@ifundefined{chapter} +{} +{\let\@gls@old@chapter\@chapter +\def\@chapter[#1]#2{\@gls@old@chapter[{#1}]{#2}% +\@ifundefined{hyperdef}{}{\hyperdef{section}{\thesection}{}}}} +\providecommand\hyperrm[2][\gls@number]{% +\textrm{\glshyper{#1}{#2}}} +\providecommand\hypersf[2][\gls@number]{% +\textsf{\glshyper{#1}{#2}}} +\providecommand\hypertt[2][\gls@number]{% +\texttt{\glshyper{#1}{#2}}} +\providecommand\hyperbf[2][\gls@number]{% +\textbf{\glshyper{#1}{#2}}} +\providecommand\hyperit[2][\gls@number]{% +\textit{\glshyper{#1}{#2}}} +\providecommand\hyperem[2][\gls@number]{% +\emph{\glshyper{#1}{#2}}} +\providecommand\hyperup[2][\gls@number]{% +\textup{\glshyper{#1}{#2}}} +\providecommand\hypersl[2][\gls@number]{% 
+\textsl{\glshyper{#1}{#2}}} +\providecommand\hypersc[2][\gls@number]{% +\textsc{\glshyper{#1}{#2}}} +\providecommand\hypermd[2][\gls@number]{% +\textmd{\glshyper{#1}{#2}}} +\else +\providecommand\hyperrm[2][]{\textrm{#2}} +\providecommand\hypersf[2][]{\textsf{#2}} +\providecommand\hypertt[2][]{\texttt{#2}} +\providecommand\hypermd[2][]{\textmd{#2}} +\providecommand\hyperbf[2][]{\textbf{#2}} +\providecommand\hyperit[2][]{\textit{#2}} +\providecommand\hypersl[2][]{\textsl{#2}} +\providecommand\hyperup[2][]{\textup{#2}} +\providecommand\hypersc[2][]{\textsc{#2}} +\providecommand\hyperem[2][]{\emph{#2}} +\fi +\endinput +%% +%% End of file `glossary.sty'. diff --git a/thesis_submission/mybib.bib b/submission_thesis/mybib.bib similarity index 100% rename from thesis_submission/mybib.bib rename to submission_thesis/mybib.bib diff --git a/submission_thesis/titlepage/titlepage.tex b/submission_thesis/titlepage/titlepage.tex new file mode 100644 index 0000000..013323c --- /dev/null +++ b/submission_thesis/titlepage/titlepage.tex @@ -0,0 +1,43 @@ + +% Title page +% ---------- +% +%\middlefoot{ } % No page number on title page +\begin{center} + +\pagenumbering{roman} % Lower case roman page numbers +{\LARGE \bf Failure Mode Modular De-Composition } + +\vspace{2.15in} + +{ \bf A mathematical methodology to model and analyse safety critical integrated mechanical/electronic/software systems } + +\vspace{1.15in} + +{\LARGE \bf Brighton University } + +\vspace{0.3in} + +{\bf PhD Thesis} + +\vspace{1.0in} + +{\large Version 1.0 \today } + +\vspace{0.2in} +{\large Author : R.P. Clark - 2010 } + +\end{center} + +\vspace{1.0in} +\begin{verbatim} + Robin Clark + 68 Vale Avenue, + Brighton, + East Sussex + +\end{verbatim} + + + +% diff --git a/thesis_submission/vmgbibliography.bib b/submission_thesis/vmgbibliography.bib similarity index 100% rename from thesis_submission/vmgbibliography.bib rename to submission_thesis/vmgbibliography.bib 
diff --git a/thesis_submission/CH1_introduction/copy.tex b/thesis_submission/CH1_introduction/copy.tex deleted file mode 100644 index fc3503d..0000000 --- a/thesis_submission/CH1_introduction/copy.tex +++ /dev/null 
@@ -1,762 +0,0 @@ - -% -% Structure to introduction -% -% -% Application Area - safety critical controllers - define safety critical - describe -% approval processes - describe static testing -% -% Now start looking at the philosophy of making PEC's -% safer. Describe what can and cannot be done. -% -% Point out errors in currently used techniques. -% Bottom-up vs. top down discussion -% -% No current common notation for static testing that models both software and hardware -% -% How a new methodology should plug these gaps -% -% - -\section{Introduction} - -%% $$ \int_{0\-}^{\infty} f(t).e^{-s.t}.dt \; | \; s \in \mathcal{C}$$ - - -\paragraph{Scope of thesis} -This thesis describes the application of, a common notation mathematical notation to -describe the design of safety critical systems/PEC's from the perspective of failure modes. -The initial motivation for this study was to create a system -applicable to industrial burner controllers\footnote{Burner Controllers cover the disciplines of -combustion, high pressure steam and hot water, mechanical control, electronics and embedded software.}. -The methodology developed was designed to cope with -both the deterministic\footnote{Deterministic failure mode analysis, traces failure mode effects at the SYSTEM level to lower level causes in components or sub-systems.} and probablistic approaches -\footnote{Probabilistic failure mode analysis tries to determine the probability of given SYSTEM failure modes, and from these -can determine an overall failure rate, in terms of probability of failure on demand, or failure in time (or Mean Time to Failure (MTTF).}. 
-\glossary{name={safety critical},description={A safety critical system is one in which its failure may result in death or serious injury to humans, an environmental catastrophe or severe loss or damage}} -\fmodegloss -\pecgloss - - -\paragraph{Initial Perspective for thesis} -My initial work on this area~\cite{robin-paper2004} was to use Euler/Spider~\cite{spider} -diagrams to represent failure modes. Euler circles represented failure modes, the feet of the spiders represented test cases -(i.e. instances of the failure mode occurring for examination), -and could therefore model multiple failure modes -and the spiders (or joining lines) represented the symptom abstraction process. -A spider thus determined a common symptom which was caused by one or mode component failure modes. -% At the 6 year point in this part time PhD I was finally appointed an electrical engineer. -% and the process of writing a paper for presentation as a result of this -% di-graphs instead were chosen. -As a by-product of writing a paper~\cite{iet2011}, it became apparent -that we could -%it was decided to -restrict the scope of the thesis to modularising FMEA -processes, and to restrict the examples examined to the domain of electronics only. -\footnote{Because FMEA deals with failure modes, in a static context---and all base components, whether mechanical, electrical -or software always have sets of failure modes associated with them---it should -be possible to apply it across all domains, and thus model integrated mechanical/electrical/software systems.} -The initial motivation to use spider diagrams, was that they presented a formal -language in an intuitive and easy to use visual representation. -Work on represnting failure modes, test cases and symptoms of failure -has been placed in appendix~\ref{spiderfmmd}. 
- -\paragraph{Safety Critical Controllers, knowledge and culture sub-disiplines} -The maturing of the application of the programmable electronic controller (PEC) -for a wide range safety critical applications, has led to a fragmentation of sub-disciplines -which speak imperfectly to one another. -This is because -the main three engineering disciplines, Electrical, Software and Mechanical Engineering -produced equipment that was interfaced a a later time. -Just as electronic circuitry becomes more integrated, and sub-domains -of electrical engineering (analog and digital for instance) are commonly found along-side on the same chip, -so modern PEC's are becoming more and more integrated and now typically encompass -input from the three engineering disciplines\footnote{Consider an aircraft, this involves expert knowledge from -Software, Electronic and Mechanical Engineering and requires a high degree of safety validation}. - -Additional disiplines are defined by application area of the PEC. All of these sub-disciplines -are in turn split into even finer units. -The practitioners of these fields tend to view a PEC in different ways. -Discoveries and culture in one field diffuse only slowly into the consciousness of a specialist in another. -Too often, one discipline's unproven assumptions or working methods, are treated as firm boundary conditions -for an overlapping field. -For failure mode analysis a common notation, across disciplines is a very desirable and potentially useful -tool. - -\paragraph{Safety Assessment/analysis of PEC's} -\glossary{name={safety assessment},description={A critical appraisal, typically following legal or formal guidelines, which will encompass design, and failure effects analysis}} -For a anyone responsible for ensuring or proving the safety of a PEC must be able -to understand the process being controlled, the mechanical and electrical -sensors and actuators and the software. 
Not only must the -safety engineer understand more than four potential disciplines, he/she -must be able to trace failure modes of components to SYSTEM levels failure modes, -and classify these according to their criticality. - -\paragraph{Desire to introduce formal methods to static failure mode analysis} -There has been much work introducing formal methods into -the requirements and validation phases of electromechanical systems. -Apart from the ability to check, precisely, that what ha been -build behaves correctly and as requested, the process -of formal specification ensures that all important details are analysed -and looked at in detail. -It is an aim of this project to bring formal methods to -static failure mode analysis. This means being able to account for every base -component failure mode in a model, and to be able to represent -mechanical, electrical and software components in a single failure mode model. - -\paragraph{Desirability of a common failure mode notation} -Having a common failure mode notation across all disciplines in a project -would allow all the specialists to prepare failure mode -analysis and then bring them together to model the PEC. -\paragraph{Visual form of the notation} -The visual notation developed was initially designed for electronic fault modelling. -This notation deals with failure modes of components using concepts derived from -Euler and Spider diagrams. -However, as the notation dealt with generic failure modes, it was realised that it could be applied to -mechanical and software domains as well. -This changed the target for the study slightly to encompass these three domains in a common notation. - -\paragraph{PEC's: Legal and Insurance Issues} -In most safety critical industries the operators of plant have to demonstrate a through consideration of safety. -There is also usually a differentiation between the manufacturers -and the the plant operators. 
- -The manufacturers have to ensure -that the device is adequately safe for use in its operational context. -This usually means conforming to device specific standards~\footnote{in Europe, conformance to European Norms (EN) are legal requirements -for specific types of controllers, and in the USA conformance to Underwriters Laboratories (UL) standards -are usually a minimum requirement to take out insurance}, and offering training -of operators. - -Operators of safety critical plant are concerned with maintenance and legal obligations for -periodic safety checks (both legal and insurance driven). - -\section{Background} - -I completed an MSc in Software engineering in 2004 at Brighton University while working for -an Engineering firm as an embedded `C' programmer. -The firm specialise in industrial burner controllers. -Industrial Burners are potentially very dangerous industrial plant. -They are generally left running unattended for long periods. -They are subject to stringent safety regulations and -must conform to specific `EN' standards. - -For a non-safety critical product one can merely comply with the standards, and `self~certify' by applying a CE mark sticker. -Safety critical products are categorised and listed. These require -certification by an independent and `competent body' recognised under European law. -The certification process typically involves stress testing with repeated operation cycles -over a specified a range of temperatures, electrical stress testing with high voltage interference, -power supply voltage ranges with surges and dips, electro static discharge testing, and -EMC (Electro Magnetic Compatibility). A significant part -of this process however, is `static testing'. 
This involves looking at the design of the products, -from the perspective of environmental stresses, natural input fault conditions\footnote{For instance in a burner controller, the gas supply pressure reducing}, -components failing, and the effects on safety this could have. -Some static testing involves checking that the germane `EN' standards have -been complied with\footnote{for instance protection levels of an enclosure for the device, or down rating of electrical components}. -Failure Mode Effects Analysis (FMEA) was also applied. This involved -looking in detail at selected critical sections of the product and proposing -component failure scenarios. -For each failure scenario proposed either a satisfactory -answer was required, or a counter proposal to change the design to cope with -a theoretical component failure eventuality. -FMEA was time consuming, and being directed by -experts undoubtedly ironed out many potential safety faults before the product saw -light of day. -However it was quickly apparent that only a small proportion -of component~failure modes was considered\footnote{The small proportion of components chosen for approvals FMEA -were generally those in critical sections of the PEC}. Also there was no formalism. -The component~failure~modes investigated were not analysed within -any rigorous or mathematically proven framework. - -\subsection{ Blanket Risk Reduction Approach } - -The suite of tests applied for a certified product amount to a `blanket' approach. -That is to say that by applying electrical, repeated operations, and environmental -stress testing it is hoped that the majority of latent faults are discovered. -The FMEA and static testing only looked at the most obviously safety critical -aspects, and a small minority of the total component base for a product. -Systemic faults, or mistakes are missed by this form of static testing. 
- -\subsection{Possibility of applying mathematical techniques to FMEA} - -My MSc project was a diagram editor for Constraint diagrams. -I wanted to apply constraint diagram techniques to FMEA -and began thinking about how this could be done. One -obvious factor was that a typical safety critical system could -have more than 1000 component parts. Each component -would typically have several failure modes. -Trying to apply a rigorous methodology on an entire product -was going to be impractical. To do this with complete coverage -each component failure mode would have to have been checked against -the other thousand or so components for influence, and then -a determination of the effects on the system would have had to have been -made. Thus millions of checks would have to have been performed, and -as FMEA is an `expert only' time consuming technique, this idea was -obviously impractical. Note that most of the checks made would be redundant. -Most components affect the performance of a few that they are placed to work with -to perform some particular low-level function. - -\paragraph{Top down Approach} -A top down approach has several potential problems. -By its nature it means that at the start of the process -a set of system or top level faults or undesirable outcomes are defined. -It then must break the system down into modules and -decide which of these can contribute to a system level fault mode. -Potentially failure modes, be they from components or the interaction -between modules can be missed. A disturbing example of this -is the NASA space shuttle in 1986, which missed the fault mode of an O -ring. This was made even worse, by the fact that the `O' ring had a specified temperature -range where the probability of this fault occurring was dramatically raised when below -the temperature range. This was a known and documented feature of a safety critical component -and it was ignored in the safety analysis. 
- -\paragraph{Bottom-up Approach} -A bottom-up approach looked impractical at first due to the sheer number -of component failure modes in a typical system. -However were this bottom-up approach to be modular, (reducing the order of cross checking), and build a hierarchal -of modules rising up until all components are covered, we -can model an entire complex system. -This is the core concept behind this study. -By working from the bottom up, at the lowest level taking the -smallest functional~groups of components -and analysing these, we can obtain a set of failure modes -for the functional~groups. We can then treat these -as `higher level' components and combine them -to form new `functional~groups'. -In this way all failure modes from all components must be at the very least considered. -Also a hierarchy is formed when the top level errors are formed -naturally from the lower levels of analysis. -Unlike a top~down analysis, we cannot miss a top level fault condition. - -\paragraph{Repeated Circuitry Sub-Systems} - -In all safety critical real time systems the author has worked with -all have repeated sections of hardware. -for instance self checking digital inputs, analog inputs, sections of circuitry to -generate {\ft} loops, micro-processors with watchdog~\cite{embupsys}[pp.81] secondary -circuity. -In other words spending time on analysing these lower level sub-systems -seems worthwhile, since they will be used in many designs, and are often -repeated within a SYSTEM -(and thus the analysis results may be re-used). - -In general terms we can describe -these circuitry sub-systems -as collections of components or smaller sub-systems, that interact to perform a given function. -We can call these collections {\fg}s. 
- - -In these `safety critical' circuitry sections, especially ones claiming to -be self-checking, the actual level of safety depends upon not -just the MTTF/reliability of the components, but the -{\fg}s reaction to a component failure -within the ciruit. - -That is to say how the circuit section or {\fg} -reacts to component failures within it. -We may find for instance that the circuit reacts to most component failure modes -in ways that we can detect that there has been a failure. - -Some can component failure modes in the {\fg} can lead to serious errors, such as an incorrect reading -that we cannot immediately detect. -% -We will, if these specific component -failures occur, not know and feed incorrect data into our system. -% -Figure \ref{fig:millivolt} shows a typical industrial -circuit to measure and amplify millivolt signals. -It will detect a disconnected Milli-volt source (the most common -failure, and usually due to wiring faults) and some other internal component failures. -It can however provide an incorrect (slightly low reading) if -one of two resistors fail in particular ways. -% Although statistically unlikely, in a very critical system -% this may have to be considered. - -To the author, it seems that paying attention -to the way {\fg}s of components interact and proving -a safety case for them is a very important aspect -of detecting `undetected failures' in safety critical product design. - -\paragraph{Multi-disipline} Most safety critical systems are composed of mechanical, electrical and -computing elements. A tragic example of the mechanical and electrical elements -interfacing to a computer is found in the THERAC25 x-ray dosage machine. -With no common notation to integrate the safety analysis between the electrical/mechanical and computing -domains, synchronisation errors occurred that were in some cases fatal. -The interfacing between the hardware and software for the THERAC-25 was not considered -in the design phase. 
-Niel Story in the formal methods chapter of "safety critical computer systems" -describes the different formal languages suitable for hardware and software and -bemaons the fact that no single language is suitable for for such a broad range of tasks \cite{sccs}[pp. 287]. - -\paragraph{Requirements for a rigorous FMEA process} -It was determined that any process to apply -FMEA in rigorous and complete (in terms of complete component coverage) had to be -a bottom~up process to eliminate the possibility of missing component failure modes. -It also had to naturally converge to a failure model of the system. -It had to take potentially thousands of component failure modes and simplify -these into system level errors. -To analyse the large number of component failure modes, and resolve these to perhaps a handful -of system failure modes, would require -a process of modularisation from the bottom~up. - -\begin{list}{$*$}{} -\item The analysis process must be `bottom~up' -\item The process must be modular and hierarchical -\item The process must be multi-discipline and must be able to represent hardware, electronics and software -\end{list} - -\section{Safety Critical Systems} -\glossary{name={safety critical},description={A safety critical system is one in which its failure may result in death or serious injury to humans, an environmental catastrophe or severe loss or damage}} -% -%How safe is "safe"? -%The word "safety" is too general—it really doesn't mean anything definitive. Therefore, we use terms such as safety-related and safety-critical. -% -%A safety-related device provides or ensures safety. It is required for machines/vehicles, which cause bodily harm or death to human being when they fail. A safe state can be defined (in other words, safety-related). In case of a buzz saw, this could be a motor that seizes all movements immediately. The seizure of movement makes the machine safe at that moment. 
IEC 61508 defines the likelihood of failures of this mechanism, the Safety Integrity Levels (SIL). SIL 3 is defined as the likelihood of failing less than 10-7% per hour. This is a necessary level of safety integrity for products such as lifts, where several people's lives are endangered. The buzz saw is likely to require SIL 2 only, it endangers just one person. -% -%Safety-critical is a different matter. To understand safety-critical imagine a plane in flight: it is not "safe" to make all movement stop since that would make the plane crash. A safe state for a plane is in the hangar, but this is not an option when you're in flight. Other means of ensuring safety must be found. One method used in maritime applications is the "CANopen flying master" principle, which uses redundancy to prevent failure. For the above example an SIL 4, meaning likelihood of failing less than 10-8% per hour is necessary. This is also true for nuclear power station control systems, among other examples. -% -\subsection{General description of a Safety Critical System} - -A safety critical system is one in which lives may depend upon it or -it has the potential to become dangerous\cite{sccs}. -%(/usr/share/texmf-texlive/tex/latex/amsmath/amstext.sty) - -%An industrial burner is typical of plant that is potentially dangerous. -%An incorrect air/fuel mixture can be explosive. -%Medical electronics for automatically dispensing drugs or maintaining -%life support are examples of systems that lives depend upon. - -\subsection{Two approaches : Probabilistic, and Deterministic} - -There are two main philosophies applied to safety critical systems certification. -\paragraph{Probablistic safety Measures} -One is a general number of acceptable failures per hour\footnote{The common metric is Failure in Time (FIT) values - failures per ${10}^{9}$ -hours of operation} of operation or -a given statistical failure on demand. 
-This is the probablistic approach and is embodied in the European Standard -EN61508 \cite{en61508} (international standard IOC1508). -\glossary{name={deterministic},description={Deterministic in the context of failure mode analysis, traces the causes of SYSTEM level events to base level component failure modes}} -\glossary{name={probablistic},description={Probablistic in the context of failure mode analysis, traces the probability of base level failure modes causing of SYSTEM level events/failure modes}} -\fmodegloss -\paragraph{Deterministic safety Measures} -The second philosophy, applied to application specific standards, is to investigate -components for sub-systems in the critical safety path and to look at component failure modes -and ensure that they cannot cause dangerous faults. -%With the application specific standards detail -%specific to the process are -The simplest deterministic safety measure is to require that no single component failure -mode can cause a dangerous error. -This philosophy is first mentioned in aircraft safety operation reseach (WWII) -studies. Here potential single faults (usually mechanical) were traced to -catastrophic failures \cite{boffin}. -EN298, the European Gas burner standard, goes further than this -and requires that no two single component faults may cause -a dangerous condition. - - -% -% \begin{example} -% \label{exa1} -% Test example -% \end{example} -% -% And that is example~\ref{exa1} - -\subsection{Overview of regulation of safety Critical systems} - -Reference chapter dealing specifically with this but given a quick overview. -\subsubsection{Overview system analysis philosophies } -- General safety standards -- specific safety standards - -\subsubsection{Overview of current testing and certification} -Ref chapter specifically on this but give an overview now - -A modern industrial burner has mechanical, electronic and software -elements, that are all safety critical. 
That is to say -unhanded failures could create dangerous faults. - -%To add to these problems -%Operators are often under pressure to keep them running. An boiler supplying -%heat to a large greenhouse complex could ruin crops -%should it go off-line. Similarly a production line relying on heat or steam -%can be very expensive in production down-time should it fail. -%This places extra responsibility on the burner controller. -% -% - -% This needs to become a chapter -%\subsection{Mechanical components} -%describe the mechanical parts - gas valves damper s -%electronic and software -%give a diagram of how it all fits A -%together with a -%\subsection{electronic Components} -% -%\subsection{Software/Firmware Components} -% -% -%\subsection{A high level Fault Hierarchy for an Industrial Burner} -% -%This section shows the component level, leading up higher and higher in the abstraction level -%to the software levels and finally a top level abstract level. If the system has been -%designed correctly no `undetected faults' should be present here. -% -\section{An Outline of the FMMD Technique} -{\fmmdgloss} -%\glossary{name={FMMD},description={Failure Mode Modular De-Composition}} -The FMMD methodology takes a bottom up approach to -the design of an integrated system. -% -Each component is assigned a well defined set of failure modes. -The system under inspection is then searched for functional groups of components that -perform simple well defined tasks. -These functional groups are analysed with respect to the failure modes of the -components. -% -The `functional group', after analysis, has its own set of derived -failure modes. -\fmodegloss -% -The number of derived failure modes will be -less than or equal to the sum of the failure modes of all its components. -% -% -A `derived' set of failure modes, is at a higher abstraction level. -% -Thus we can now treat our `functional group' as a component in its own right, -with its own set of failure~modes. 
We can create -a `derived component' and assign it the derived failure modes as analysed from the `functional group'. -% -Derived Components may now be used as building blocks, to model the system at -ever higher levels of abstraction, building a hierarchy until the top level is reached. -% -Any unhandled faults will appear at this top level and will be `un-resolved'. -A formal description of this process is dealt with in Chapter \ref{fmmddefinition}. -% -% -%This principally focuses -%on simple control systems for maintaining temperature -%and for industrial burners. It is hoped that a general mathematical -%framework is created that can be applied to other fields of safety critical engineering. -\subsection{Automated Systems and Safety} - -Automated systems, as opposed to manual ones are now the norm -in the home and in industry. -% -Automated systems have long been recognised as being more efficient and -more accurate than a human operator, and the reason for automating a process -can now be more likely to be cost savings due to better efficiency -than a not paying a salary to a human operator \ref{burnereffency}. -% -For instance -early automated systems were mechanical, with cams and levers simulating -control functions. -% -A typical control function could be the -fuel air mixture profile curves over a the firing range. -% -Because fuels vary slightly in calorific value, and air density changes with the weather, no optimal tuning can be optional. -In fact for aesthetic reasons (not wanting smoke to appear at the flue) -the tuning was often air rich, causing air to be heated and -unnecessarily passed through the burner, leading to direct loss of energy. -An automated system analysing the combustion gases and automatically -adjusting the fuel air mix can get the efficiencies very close to theoretical levels. - - -As the automation takes over more and more functions from the human operator it also takes on more responsibility. 
-A classic example of an automated system failing, is the therac-25. -This was an X-ray/electron~beam dosage machine, that, due to software errors -caused the deaths of several patients and injured more during the 1980's. -The Therac-25 was a designed from a manual system, which had checks and interlocks, -and was subsequently computerised. Software safety interlock problems were the primary causes of the radiation -overdoses. -\cite{safeware}[App. A] -Any new safety critical analysis methodology should -be able to model software, electrical and hardware faults using -a common notation. -Ideally the tool should be automated so that it can -seamlessly analyse the entire system, and apply -rigorous checking to ensure that no -fault conditions are missed. - - -% http://en.wikipedia.org/wiki/Autopilot -\paragraph{Importance of self checking} -To take an example of an Aircraft Autopilot, simple early devices\footnote{from the 1920's simple aircraft autopilots were in service}, -prevented the aircraft straying from a compass bearing and kept it flying straight and level. -Were they to fail the pilot would notice quite quickly -and resume manual control of the bearing. - -Modern autopilots control all aspects of flight including the engines, take off and landing phases. -The automated system do not have the -common sense of a human pilot; and if fed the incorrect sensory information -can make horrendous mistakes. This means that simply reading sensors and applying control -corrections cannot be enough. -Checking for error conditions must also be incorporated. -Equipment can also develop an internal faults, and strategies -must be in-place to firstly recognise internal faults, -and then cope with them in the safest possible way. 
- -\begin{figure}[h] - \centering - \includegraphics[width=300pt,keepaspectratio=true]{introduction/mv_opamp_circuit.png} - % mv_opamp_circuit.png: 577x479 pixel, 72dpi, 20.35x16.90 cm, bb=0 0 577 479 - \caption{Milli-Volt Amplifier with added Safety Resistor (R18)} - \label{fig:millivolt} -\end{figure} - -% \begin{figure}[h] -% \centering -% \includegraphics[width=300pt,bb=0 0 678 690,keepaspectratio=true]{introduction/mv_opamp_circuit.png} -% % mv_opamp_circuit.png: 678x690 pixel, 72dpi, 23.92x24.34 cm, bb=0 0 678 690 -% \caption{Milli-volt amplifier with added safety Resistor} -% \label{fig:millivolt} -% \end{figure} - -% -% %5 -% \begin{figure} -% \vskip 7cm -% \special{psfile=introduction/millivoltsensor.ps hoffset=0 voffset=0 hscale=35 vscale=35 }\caption[Milli-Volt Sensor with safety resistor]{ -% Milli-Volt Sensor with safety resistor -% \label{fig:millivolt}} -% \end{figure} - - - -\paragraph{Component added to detect errors} -The op-amp in the circuit in figure \ref{fig:millivolt}, supplies a gain of $\approx 184$ \footnote{ -applying formula for non-inverting op-amp gain\cite{aoe} $\frac{150 \times 10^3}{820}+ 1 \approx 184$ }. -The safety case here is that -any amplified signal between a range say, of 0.5 and 4 volts on the ADC will be considered in range. -This means that between 3mV and 21mV on the input correctly amplified -can be measured.\footnote{this would be a typical thermocouple amplifier circuit where milli-volt signals -are produced by the Seebeck effect\cite{aoe}} -Should the sensor become disconnected the input will drift up due to the safety resistor $R18$. -This will cause the opamp to supply its maximum voltage, telling the system the sensor reading is invalid. -Should the sensor become shorted, the input will fall below 3mV and the op amp will -supply a voltage below 0.5. Note that the sensor breaking and becoming open, or -becoming disconnected is the `Raison d'être' of this safety addition. 
-This circuit would typically be used to amplify a thermocouple, which typically -fails by going open circuit. -It {\em does} -detect several other failure modes of this circuit and a full analysis is given in appendix \ref{mvamp}. -\fmodegloss -% Note C14 shorting is potentially v dangerous could lead to a high output by the opamp being seen as a -% low temperature. - -% -\paragraph{Self Checking} -This introduces a level of self checking into the system. -Admittedly this is the simplest failure mode scenario (that the -sensor is not wired correctly or has become disconnected). -% -This safety resistor has a side effect, it also checks for internal errors -that could occur in this circuit. -Should the input resistor $R22$ go OPEN this would be detected. -Should the gain resistors $R30$ or $R26$ go OPEN or SHORT a fault condition will be detected. -% -\paragraph{Not rigorous, but tested by time} -This is a typical example of an industry standard circuit that has been -thought through, and in practise works and detects most commonly encountered failure modes. -But it is not rigorous: it does not take into account every failure -mode of every component in it. - -However it does lead on to an important concept of three main states of a safety critical system. -% -\paragraph{Working, safe fault mode, dangerous fault mode} -We can say that a safety critical system may be said to have three distinct -overall states. -Operating normally, operating in a safe mode with a fault, and operating -dangerously with a fault. -% -The main role of the system designers of safety critical equipment should be -to reduce the possibility of this last condition. - -% Software plays a critical role in almost every aspect facet of our daily lives - from , to driving our cars, to working in our offices. -% Some of these systems are safety-critical. -% Failure of software could cause catastrophic consequences for human life. -% Imagine the antilock brake system (ABS) in your car. 
-% A software failure here could render the ABS inoperable at a time when you need it most. -% For these types of safety-critical systems, having guidelines that define processes and -% objectives for the creation of software that focus on software quality, or the ability -% to use software that has been developed under this scrutiny, has tremendous value -% for developers of safety-critical systems. - -\section{Motivation for developing a formal methodology} - -A feature of some newer safety critical systems standards, -including the gas burner standard EN298~\cite{en298}[Section 9] -is to demand, -at the very least that single failures of hardware - or software cannot -create an unsafe condition in operational plant. Further to this -a second fault introduced, must not cause an unsafe state, due -to the combination of both faults. -\vskip 0.3cm -This sounds like an entirely reasonable requirement. But to rigorously -check the effect a particular component fault has on the system, -we could check its effect on all other components. -Should a diode in the power supply fail in a particular way, by perhaps -introducing a ripple voltage, we should have to look at all components -in the system to see how they will be affected. - -%However consider a typical -%small system with perhaps 1000 components each -%with an average of say 5 failure modes. -Thus, to ensure complete coverage, each of the effects of - the failure modes must be applied - to all the other components. -Each component must be checked against the - failure modes of all other components in the system. -Mathematically with components as 'c' and failure modes as 'Fm'. - - -\equation -\label{crossprodsingle} -checks = \{ \; (Fm,c) \; \mid \; \stackrel{\wedge}{c} \; \neq \; c \} -\endequation - -Where demands -are made for resilience against two -simultaneous failures this effectively squares the number of checks to make. 
-\equation -\label{crossproddouble} -doublechecks = \{ \; (Fm_{1},Fm_{2},c) \; \mid \\ \; c_{1} \; \neq \; c_{2} \; \wedge \; Fm_{1} \neq Fm_{2} \; \} -\endequation - - -If we consider a system which has a total of -$N$ failure modes (see equation \ref{crossprodsingle}) this would mean checking a maximum of -\equation - NumberOfChecks = \frac{N ( N-1 )}{2} -\endequation - -for individual component failures and their effects on other components when they fail. -For a very small system with say 1000 failure modes this would demand a potential of 500,000 - checks for any automated checking process. -\vskip 0.3cm - European legislation\cite{en298} directs that a system must be able to react to two component failures -and not go into a dangerous state. -\vskip 0.3cm -This raises an interesting problem from the point of view of formal modelling. Here we have a binary cross product of all components -(see equation \ref{crossproddouble}). -This increases the number of checks greatly. Given that the binary cross product is $ (N^{2} - N)/2 $ and has to be checked against the remaining -$(N-2)$ components. -\equation -\label{numberofchecks} - NumberOfchecks = \frac{(N^{2} - N) ( N - 2)}{2} -\endequation - -Thus for a 1000 failure mode system, roughly a half billion possible checks would be required for the double simultaneous failure scenario. -This astronomical number of potential combinations, has made formal analysis of this -type of system, up until now, impractical. Fault simulators %\cite{sim} -are commonly used for the gas certification process. Thus to -manually check this number of combinations of faults is in practise impossible. -A technique of modularising, or breaking down the problem is clearly necessary. 
- -\section{Famous Examples of disasters caused by missed component errors} - -\subsection{Challenger Disaster} - -One question that anyone developing a safety critical analysis design tool -could do well to answer, is how the methodology would cope with known previous disasters. -The Challenger disaster is a good example, and was well documented and investigated~\cite{challenger}. - -The problem lay in a seal that had an operating temperature range. -On the day of the launch the temperature of this seal was out of range. -A bottom up safety approach would have revealed this as a fault. - -The FTA in use by NASA and the US Nuclear regulatory commission -allows for environmental considerations such as temperature\cite{nasafta}\cite{nucfta}. -But because of the top down nature of the FTA technique, the safety designer must be aware of -the environmental constraints of all component parts in order to use this correctly. -This element of FTA is discussed in \ref{surveysc} - -\subsection{Therac 25} - -The therac-25 was a computer controlled radiation therapy machine, which -overdosed 6 people between 1985 and 1987. -An earlier computerised version of the therac-25 (the therac-20) used the same software but kept the -hardware interlocks from the previous manual operation machines. The hardware interlocks -on the therac-20 functioned correctly and the faulty software in it caused no accidents. -A safety study for the device, using Fault Tree Analysis % \cite{nucfta} -carried out in 1983 -excluded the software \cite{safeware}[App. A]. - - -\section{Practical problems in using formal methods} -%% Here need more detail of what therac 25 was and roughly how it failed -%% with refs to nancy -%% and then highlight the fact that the safety analysis did not integrate software and hardware domains. 
- -\subsection{Problems with Natural Language} - -Written natural language descriptions can not only be ambiguous or easy to misinterpret, it -is also not possible to apply mathematical checking to them. - -A mathematical model on the other hand can be checked for -obvious faults, such as tautologies and contradictions, but also -intermediate results can be extracted and these checked. - -Mathematical modeling of systems is not new, the Z language -has been used to model physical and software systems\cite{ince}. However this is not widely -understood or studied even in engineering and scientific circles. -Graphical techniques for representing the mathematics for -specifying systems, developed at Brighton and Kent university -have been used and extended by this author to create a methodology -for modelling complex safety critical systems, using diagrams. - -This project uses a modified form of Euler diagram used to represent propositional logic. -%The propositional logic is used to analyse system components. - - -\section{Determining Component Failure Modes} -\subsection{Electrical} -Generic component failure modes for common electrical parts can be found in MIL1991. -Most modern electrical components have associated data sheets. Usually these do not explicitly list -failure modes. -% watch out for log axis in graphs ! -\subsection{Mechanical} -Find refs -\subsection{Software} -Software must run on a microprocessor/micro-controller, and these devices have a known set of failure modes. -The most common of these are RAM and ROM failures, but bugs in particular machine instructions -can also exist. -These can be checked for periodically. -Software bugs are unpredictable. -However there are techniques to validate software. -These include monitoring the program timings (with watchdogs~\cite{embupsys}[pp.81] and internal checking) -applying validation checks (such as independent functions to validate correct operation). 
- - - -\subsection{Environmentally determined failures} - -Some systems and components are guaranteed to work within certain environmental constraints, -temperature being the most typical. Very often what happens to the system outside that range is not defined. - - - -\section{Project Goals} - -\begin{itemize} -\item To create a Bottom up FMEA technique that permits a connected hierarchy to be -built representing the fault behaviour of a system. -\item To create a procedure where no component failure mode can be accidentally ignored. -\item To create a user friendly formal common visual notation to represent fault modes -in Software, Electronic and Mechanical sub-systems. -\item To formally define this visual language in concrete and abstract domains. -\item To prove that the derived~components used to build the hierarchies -provide traceable fault handling from component level to the -highest abstract system 'top level'. -\item To formally define the hierarchies and procedure for building them. -\item To produce a software tool to aid in the drawing of diagrams and -ensuring that all fault modes are addressed. -\item to provide a data model that can be used as a source for deterministic and probabilistic failure mode analysis reports. -\item To allow the possibility of MTTF calculation for statistical -reliability/safety calculations. -\end{itemize} - -
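Review bot: the 762 lines removed from thesis_submission/CH1_introduction/copy.tex do not appear to be carried into the new tree. The diffstat records the Makefile in the same directory as a 100% rename, but submission_thesis/CH1_introduction/copy.tex is created with only 26 lines, so the motivation, the check-count equations (crossprodsingle, crossproddouble, numberofchecks) and the Project Goals list drop out of the build unless they now live elsewhere. If that is intended, the commit message should say so and name where the text went; otherwise move the file with git mv so its history follows it. If the text is restored, three defects in the removed lines are worth fixing at the same time. First, `\cite{embupsys}[pp.81]`, `\cite{sccs}[pp. 287]` and `\cite{safeware}[App. A]` put the optional argument after the key, so it is typeset as literal text; the form is `\cite[pp.81]{embupsys}`. Second, `\ref{burnereffency}` after "salary to a human operator" reads as if a citation was meant. Third, the crossproddouble set is written over the tuple `(Fm_{1},Fm_{2},c)` while its condition constrains `c_{1}` and `c_{2}`, which the tuple never binds.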