From 7a3fb7549d3cf6a78fb39e1338ff119ce6207a9f Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Sat, 8 Sep 2012 21:41:34 +0100 Subject: [PATCH] Started on Chapter 5 --- submission_thesis/CH4_FMMD/copy.tex | 10 +- submission_thesis/CH5_Examples/copy.tex | 1249 +++------------------ submission_thesis/CH6_Evaluation/copy.tex | 955 +++++++++++++++- 3 files changed, 1126 insertions(+), 1088 deletions(-) diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index 7629ef1..4e8b4fa 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex @@ -972,7 +972,7 @@ represents the failure mode behaviour of the non-inverting amplifier. % HTR 05SEP2012 \end{figure} % % -We can represent the analysis sstages of INVAMP as an Euler diagram, +We can represent the analysis stages of INVAMP as an Euler diagram, showing the choice of de-composition of the system into {\fgs}.} %where the curves %define the components and {\dcs} used to form the INVAMP model, see figure~\ref{fig:eulerfmmd}. @@ -1507,13 +1507,14 @@ directly to system level failure. The reasoning given is typically one line on a spreadsheet entry~\cite{sccs}[p.38]. % (if we are lucky!). % FMMD typically has several reasoning stages from {\dc} {\fms} to system level failure modes. +% Thus, each possible cause for a system {\fm} will have a collection of analysis reports associated with it. % These collections of analysis reports will provide a cause and effect story for each possible scenario that could cause the system level failure. % -This increases the traceability---or documented paper trail---for the understanding of the -failure event causes. +This increases the traceability---or documented paper trail---for the understanding the +failure event causes and potentially for use in diagnostics. % We may now use the {\em INVAMP} {\dc} in even higher level {\fgs}. 
@@ -2139,3 +2140,6 @@ The abstraction level concept is formally defined in section~\ref{sec:abstractio +\section{Conclusion} + +Tie into wish list at end of chapter 3. \ No newline at end of file diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index 4b81699..34dbe37 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex 
@@ -17,34 +17,40 @@ a variety of typical embedded system components including analogue/digital and e %Each example has been chosen to demonstrate %FMMD applied to % -The first section~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs} +The first section +~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs} (in the context of the safety standards we are conforming to for our particular project). % -This is followed by several example FMMD analyses, the first analysing a common configuration of +This is followed by several example FMMD analyses, +the first analysing a common configuration of the inverting amplifier (see section~\ref{sec:invamp}) using an op-amp and two resistors, which demonstrates how the potential divider from section~\ref{subsec:potdiv} -%~\ref{sec:chap4} -can be re-used, but with provisos. +~\ref{sec:chap4} +can be re-used. %, but with provisos. % +%The first +%(see section~\ref{sec:diffamp}) Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used to create a differencing amplifier. -Re-use of the potential divider model is discussed in the context of this circuit, where its re-use is appropriate in the first stage and +Re-use of the potential divider model is discussed in the context of this circuit, +where its re-use is appropriate in the first stage and not in the second. % -Section~\ref{sec:fivepolelp} analyes a sallen-key based five pole low pass filter. -This demonstrates FMMD being able to re-use the first Salen-Key encountered as a {\dc}, thus +Section~\ref{sec:fivepolelp} analyses a Sallen-Key based five pole low pass filter. +This demonstrates FMMD being able to re-use the first Sallen-Key encountered as a {\dc}, thus saving time and effort for the analyst. 
% -Section~\ref{sec:bubba} shows FMMD tackling a circuit with a circular signal path---the `Bubba' oscillator---which uses +Section~\ref{sec:bubba} shows FMMD applied to a circular circuit topology---the `Bubba' oscillator---which uses four op-amp stages with supporting components. % Section~\ref{sec:sigmadelta} shows FMMD analysing the sigma delta analogue to digital converter---which operates on both analogue and digital signals. % -Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical -failure mode classification % analysis for top level events traced back to {\bc} failure modes -and the analysis of double simultaneous failure modes. +% Moving Pt100 to metrics +%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical +%failure mode classification % analysis for top level events traced back to {\bc} failure modes +%and the analysis of double simultaneous failure modes. % Finally section~\ref{sec:elecsw} demonstrates FMMD analysis of a combined electronic and software system. @@ -109,7 +115,7 @@ Finally section~\ref{sec:elecsw} demonstrates FMMD analysis of a combined electr \section{Determining the failure modes of components} \label{sec:determine_fms} -In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which +In order to apply any form of FMEA we need to know the ways in which the components we are using can fail. % A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124]. 
@@ -120,18 +126,18 @@ environmental ranges, tolerances and can indicate how a component may fail/misbe under given conditions. % How base components could fail internally, is not of interest to an FMEA investigation. -The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its -modes of failure. - +The FMEA investigator needs to know what failure behaviour a component may exhibit. %, or in other words, its modes of failure. +% A large body of literature exists which gives guidance for determining component {\fms}. % For this study FMD-91~\cite{fmd91} and the gas burner standard EN298~\cite{en298} are examined. %Some standards prescribe specific failure modes for generic component types. -In EN298 failure modes for generic component types are prescribed, or -determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted -are examined. +In EN298 failure modes for most generic component types are listed, or if not listed, +determined by considering all pins OPEN and all adjacent pins shorted. +%a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted +%are examined. % - +% FMD-91 is a reference document released into the public domain by the United States DOD and describes `failures' of common electronic components, with percentage statistics for each failure. % 
@@ -196,12 +202,15 @@ For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following fai \item Shorted 3.9\% \item Lead damage 1.9\% \end{itemize} -This information may be of interest to the manufacturer of resistors, but it does not directly -help a circuit designer. -The circuit designer is not interested in the causes of resistor failure, but to build in contingency -against {\fms} that the resistor could exhibit. -We can determine these {\fms} by converting the internal failure descriptions -to {\fms} thus: +% This information may be of interest to the manufacturer of resistors, but it does not directly +% help a circuit designer. +% The circuit designer is not interested in the causes of resistor failure, but to build in contingency +% against {\fms} that the resistor could exhibit. +% We can determine these {\fms} by converting the internal failure descriptions +% to {\fms} thus: +To make this useful for FMEA/FMMD we must assign each failure cause to an arbitrary failure mode descriptor +as shown below. +% %and map these failure causes to three symptoms, %drift (resistance value changing), open and short. @@ -217,8 +226,9 @@ The main causes of drift are overloading of components. This is borne out in in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure modes do not include drift. % -If we can ensure that our resistors will not be exposed to overload conditions, drift (sometimes called parameter change) -can be reasonably excluded. +If we can ensure that our resistors will not be exposed to overload conditions, the +probability of drift (sometimes called parameter change) occurring +is significantly reduced, enough for some standards to exclude it~\cite{en298}. \paragraph{Resistor failure modes according to EN298.} 
@@ -235,7 +245,8 @@ For resistor types not specifically listed in EN298, the failure modes are considered to be either OPEN or SHORT. The reason that parameter change is not considered for resistors chosen for an EN298 compliant system, is that they must be must be {\em downrated}. That is to say the power and voltage ratings of components must be calculated -for maximum possible exposure, with a 40\% margin of error. This ensures the resistors will not be overloaded, +for maximum possible exposure, with a 40\% margin of error. This reduces the probability +that the resistors will be overloaded, and thus subject to drift/parameter change. % XXXXXX get ref from colin T 
@@ -544,120 +555,121 @@ component {\fms} in FMEA or FMMD and require interpretation. % % % -% % \section{Example Analysis: Non-Inverting OPAMP} -% % Consider a non inverting op-amp designed to amplify -% % a small positive voltage (typical use would be a thermocouple amplifier -% % taking a range from 0 to 25mV and amplifying it to the useful range of an ADC, approx 0 to 4 volts). -% % -% % -% % \begin{figure}[h+] -% % \centering -% % \includegraphics[width=100pt]{CH5_Examples/mvampcircuit.png} -% % % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 -% % \label{fig:mvampcircuit} -% % \caption{positive mV amplifier circuit} -% % \end{figure} -% % -% % We can begin by looking for functional groups. -% % The resistors $ R1, R2 $ perform a fairly common function in electronics, that of the potential divider. -% % So we can examine $\{ R1, R2 \}$ as a {\fg}. -% % -% % -% % \subsection{The Resistor in terms of failure modes} -% % -% % We can now determine how the resistors can fail. -% % We consider the {\fms} for resistors to be OPEN and SHORT (see section~\ref{ros}). -% % %, i.e. -% % %$ fm(R) = \{ OPEN, SHORT \} . $ -% % -% % We can express the failure modes of a component using the function $fm$, thus for the resistor, $ fm(R) = \{ OPEN, SHORT \}$. -% % -% % -% % We have two resistors in this circuit and therefore four component failure modes to consider for the potential divider. -% % We can now examine what effect each of these failures will have on the {\fg} (see table~\ref{tbl:pd}). -% % -% % -% % \subsection{Analysing a potential divider in terms of failure modes} +% \section{Example Analysis: Non-Inverting OPAMP} +% \label{sec:noninvamp} +% Consider a non inverting op-amp designed to amplify +% a small positive voltage (typical use would be a thermocouple amplifier +% taking a range from 0 to 25mV and amplifying it to the useful range of an ADC, approx 0 to 4 volts). 
+% +% +% \begin{figure}[h+] +% \centering +% \includegraphics[width=100pt]{CH5_Examples/mvampcircuit.png} +% % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143 +% \label{fig:mvampcircuit} +% \caption{positive mV amplifier circuit} +% \end{figure} +% +% We can begin by looking for functional groups. +% The resistors $ R1, R2 $ perform a fairly common function in electronics, that of the potential divider. +% So we can examine $\{ R1, R2 \}$ as a {\fg}. +% +% +% \subsection{The Resistor in terms of failure modes} +% +% We can now determine how the resistors can fail. +% We consider the {\fms} for resistors to be OPEN and SHORT (see section~\ref{ros}). +% %, i.e. +% %$ fm(R) = \{ OPEN, SHORT \} . $ +% +% We can express the failure modes of a component using the function $fm$, thus for the resistor, $ fm(R) = \{ OPEN, SHORT \}$. +% +% +% We have two resistors in this circuit and therefore four component failure modes to consider for the potential divider. +% We can now examine what effect each of these failures will have on the {\fg} (see table~\ref{tbl:pd}). +% +% +% \subsection{Analysing a potential divider in terms of failure modes} +% +% +% \label{potdivfmmd} +% +% +% +% \begin{figure}[h+] +% \centering +% \includegraphics[width=100pt,keepaspectratio=true]{CH5_Examples/pd.png} +% % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241 +% \label{fig:pdcircuit} +% \caption{Potential Divider Circuit} +% \end{figure} +% +% +% \begin{table}[h+] +% \caption{Potential Divider: Single failure analysis} +% \begin{tabular}{|| l | l | c | c | l ||} \hline +% \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\ +% \hline +% FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\ +% FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline +% FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\ +% FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline +% \hline +% \end{tabular} +% \label{tbl:pd} +% \end{table} +% +% We can now create a {\dc} for the potential divider, $PD$. 
+% +% $$ fm(PD) = \{ PDLow, PDHigh \}$$ +% +% %Let us now consider the op-amp. According to +% %FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes: +% %latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%). +% +% +% \subsection{Analysing the non-inverting amplifier in terms of failure modes} +% +% From section~\ref{sec:opamp_fms} +% $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ +% +% +% We can now form a {\fg} with $PD$ and $OPAMP$. +% +% \begin{figure} +% \centering +% \includegraphics[width=300pt]{CH5_Examples/non_inv_amp_fmea.png} +% % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369 +% \label{fig:invampanalysis} +% \end{figure} +% +% +% +% +% \begin{table}[h+] +% \caption{NIAMP: Single failure analysis} +% \begin{tabular}{|| l | l | c | c | l ||} \hline +% \textbf{Failure Scenario} & & \textbf{Non In Amp Effect} & & \textbf{Symptom} \\ +% \hline +% FS1: PD HIGH & & $LOW$ & & $Low$ \\ +% FS2: PD LOW & & $HIGH$ & & $High$ \\ \hline +% FS3: OPAMP $L_{UP}$ & & $HIGH$ & & $High$ \\ +% FS4: OPAMP $L_{DOWN}$ & & $LOW$ & & $Low$ \\ +% FS5: OPAMP $Noop$ & & $LOW$ & & $Low$ \\ +% FS5: OPAMP $Low slew$ & & $LOW$ & & $Lowpass$ \\ \hline +% +% \hline +% \end{tabular} +% \label{tbl:pd} +% \end{table} +% +% We can collect symptoms from the analysis and create a derived component +% to represent the non-inverting amplifier $NI\_AMP$. 
+% We can now express the failure mode behaviour of this type of amplifier thus: +% +% $$ fm(NIAMP) = \{ {lowpass}, {high}, {low} \}.$$ +% % -% % -% % \label{potdivfmmd} -% % -% % -% % -% % \begin{figure}[h+] -% % \centering -% % \includegraphics[width=100pt,keepaspectratio=true]{CH5_Examples/pd.png} -% % % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241 -% % \label{fig:pdcircuit} -% % \caption{Potential Divider Circuit} -% % \end{figure} -% % -% % -% % \begin{table}[h+] -% % \caption{Potential Divider: Single failure analysis} -% % \begin{tabular}{|| l | l | c | c | l ||} \hline -% % \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\ -% % \hline -% % FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\ -% % FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline -% % FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\ -% % FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline -% % \hline -% % \end{tabular} -% % \label{tbl:pd} -% % \end{table} -% % -% % We can now create a {\dc} for the potential divider, $PD$. -% % -% % $$ fm(PD) = \{ PDLow, PDHigh \}$$ -% % -% % %Let us now consider the op-amp. According to -% % %FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes: -% % %latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%). -% % -% % -% % \subsection{Analysing the non-inverting amplifier in terms of failure modes} -% % -% % From section~\ref{sec:opamp_fms} -% % $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ -% % -% % -% % We can now form a {\fg} with $PD$ and $OPAMP$. 
-% % -% % \begin{figure} -% % \centering -% % \includegraphics[width=300pt]{CH5_Examples/non_inv_amp_fmea.png} -% % % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369 -% % \label{fig:invampanalysis} -% % \end{figure} -% % -% % -% % -% % -% % \begin{table}[h+] -% % \caption{NIAMP: Single failure analysis} -% % \begin{tabular}{|| l | l | c | c | l ||} \hline -% % \textbf{Failure Scenario} & & \textbf{Non In Amp Effect} & & \textbf{Symptom} \\ -% % \hline -% % FS1: PD HIGH & & $LOW$ & & $Low$ \\ -% % FS2: PD LOW & & $HIGH$ & & $High$ \\ \hline -% % FS3: OPAMP $L_{UP}$ & & $HIGH$ & & $High$ \\ -% % FS4: OPAMP $L_{DOWN}$ & & $LOW$ & & $Low$ \\ -% % FS5: OPAMP $Noop$ & & $LOW$ & & $Low$ \\ -% % FS5: OPAMP $Low slew$ & & $LOW$ & & $Lowpass$ \\ \hline -% % -% % \hline -% % \end{tabular} -% % \label{tbl:pd} -% % \end{table} -% % -% % We can collect symptoms from the analysis and create a derived component -% % to represent the non-inverting amplifier $NI\_AMP$. -% % We can now express the failure mode behaviour of this type of amplifier thus: -% % -% % $$ fm(NIAMP) = \{ {lowpass}, {high}, {low} \}.$$ -% % -% % \clearpage \section{Example Analysis: Inverting OPAMP} 
@@ -939,11 +951,14 @@ and from this we obtain a {\dc} (INVPD). We applied a second analysis stage with the known failure modes of the op-amp and the failure modes of INVPD. The second analysis (3 components) has to look at the effects of each failure mode of each resistor -on the op-amp circuit. This means more work for the analyst---or in other words an increase in the complexity of the analysis---than +on the op-amp circuit. This means more work for the analyst---that is +an increase in the complexity of the analysis---than simply comparing the two known failure modes -from the pre-analysed inverted potential divider. The complexity comparison figures -bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$ -and for the second analysis a CC of $8.(3-2)=16$. +from the pre-analysed inverted potential divider. + +% METRICS The complexity comparison figures +% METRICS bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$ +% METRICS and for the second analysis a CC of $8.(3-2)=16$. % CAN WE MODULARISE TOO FAR???? CAN W MAKE IT TOO FINELY GRAINED. 08FEB2012 
@@ -1544,16 +1559,17 @@ This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37]. The circuit implements an oscillator using four 45 degree phase shifts, and an inverting amplifier to provide gain and the final 180 degrees of phase shift (making a total of 360 degrees of phase shift). -From a fault finding perspective this circuit is less than ideal. +From a fault finding perspective this circuit cannot be de-composed because the whole circuit is enclosed within a feedback loop. +However, this is not a problem for FMMD, as {\fgs} are readily identifiable. The signal path is circular (its a positive feedback circuit) and most failures would simply cause the output to stop oscillating. %The top level failure modes for the FMMD hierarchy bear this out. %However, FMMD is a bottom -up analysis methodology and we can therefore still identify %{\fgs} and apply analysis from a failure mode perspective. % -If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with -($4.4 +10.2 = 36$) failure modes. Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$. -We now create FMMD models and compare the complexity of FMMD and FMEA. - +% METRICS If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with +% METRICS ($4.4 +10 \times 2 = 36$) failure modes. Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$. +% METRICS We now create FMMD models and compare the complexity of FMMD and FMEA. +% We start the FMMD process by determining {\fgs}. We initially identify three types of functional groups, an inverting amplifier (analysed in section~\ref{fig:invamp}), a 45 degree phase shifter (a {$10k\Omega$} resistor and a $10nF$ capacitor) and a non-inverting buffer 
@@ -1564,7 +1580,7 @@ We can use these {\fgs} to describe the circuit in block diagram form with arrow \centering \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/bubba_oscillator_block_diagram.png} % bubba_oscillator_block_diagram.png: 720x295 pixel, 72dpi, 25.40x10.41 cm, bb=0 0 720 295 - \caption{Circuit 3: Functional Group Block Diagram.} + \caption{Circuit 3: Electrical signal path block diagram of the `Bubba' oscillator, showing the circular circuit topology.} \label{fig:bubbablock} \end{figure} @@ -1575,9 +1591,9 @@ determine {\dcs}. This has been analysed in section~\ref{sec:invamp}. The inverting amplifier, as a {\dc}, has the following failure modes: -$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$ +$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \}. $$ -and has a CC of 10. +% METRICS and has a CC of 10. \subsection{Phase shifter: PHS45} 
@@ -2385,933 +2401,6 @@ We now show the final hierarchy in figure~\ref{fig:sdadc}. %T%he block diagram in figure~\ref{fig -\clearpage -\section{Pt100 Analysis: Double failures and MTTF statistics} -\label{sec:Pt100} -{ -This section -% shows a practical example of -% one `symptom~abstraction' stage in the FMMD process. -% We take a functional group of base components, -% and using their failure modes, analyse the circuit -% to find failure symptoms. -% These failure symptoms are used to define -% a derived component. -% -demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows -how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms. - - -For this example we look at an industry standard temperature measurement circuit, -the Pt100. -The circuit is described and then analysed using the FMMD methodology. - - -%A derived component, representing this circuit is then presented. - - -The Pt100, or platinum wire \ohms{100} sensor is -a widely used industrial temperature sensor that is -slowly replacing the use of thermocouples in many -industrial applications below 600\oc, due to high accuracy\cite{aoe}. - -This section looks at the most common configuration, the -four wire circuit, and analyses it from an FMEA perspective twice. -Once considering single faults (cardinality constrained powerset of 1) and then again, considering the -possibility of double faults (cardinality constrained powerset of 2). - -\ifthenelse {\boolean{pld}} -{ -The section is performed using Propositional Logic -diagrams to assist the reasoning process. -} -{ -} - -This chapter describes taking -the failure modes of the components, analysing the circuit using FMEA -and producing a failure mode model for the circuit as a whole. -Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed -from an FMEA perspective as a component itself, with a set of known failure modes. 
-} - -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png} - % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 - \caption{Pt100 four wire circuit} - \label{fig:Pt100} -\end{figure} - - -\subsection{General Description of Pt100 four wire circuit} - -The Pt100 four wire circuit uses two wires to supply a small electrical current, -and returns two sense voltages by the other two. -By measuring voltages -from sections of this circuit forming potential dividers, we can determine the -resistance of the platinum wire sensor. The resistance -of this is directly related to temperature, and may be determined by -look-up tables or a suitable polynomial expression. - - -\begin{figure}[h] - \centering - \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} - % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 - \caption{Pt100 expected voltage ranges} - \label{fig:Pt100vrange} -\end{figure} - - -The voltage ranges we expect from this three stage potential divider\footnote{ -two stages are required for validation, a third stage is used to measure the current flowing -through the circuit to obtain accurate temperature readings} -are shown in figure \ref{fig:Pt100vrange}. Note that there is -an expected range for each reading, for a given temperature span. -Note that the low reading goes down as temperature increases, and the higher reading goes up. -For this reason the low reading will be referred to as {\em sense-} -and the higher as {\em sense+}. - -\paragraph{Accuracy despite variable resistance in cables} - -For electronic and accuracy reasons, a four wire circuit is preferred -because of resistance in the cables. Resistance from the supply - causes a slight voltage -drop in the supply to the $Pt100$. 
As no significant current -is carried by the two `sense' lines, the resistance back to the ADC -causes only a negligible voltage drop, and thus the four wire -configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across -the thermistor only and not the voltage across the thermistor and current supply wire resistance.}. - -\paragraph{Calculating Temperature from the sense line voltages} - -The current flowing though the -whole circuit can be measured on the PCB by reading a third -sense voltage from one of the load resistors. Knowing the current flowing -through the circuit -and knowing the voltage drop over the $Pt100$, we can calculate its -resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$. -Thus a little loss of supply current due to resistance in the cables -does not impinge on accuracy. -The resistance to temperature conversion is achieved -through the published $Pt100$ tables\cite{eurothermtables}. -The standard voltage divider equations (see figure \ref{fig:vd} and -equation \ref{eqn:vd}) can be used to calculate -expected voltages for failure mode and temperature reading purposes. - -\begin{figure}[h] - \centering - \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png} - % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 - \caption{Voltage Divider} - \label{fig:vd} -\end{figure} -%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. - -\begin{equation} -\label{eqn:vd} - V_{out} = V_{in}.\frac{Z2}{Z2+Z1} -\end{equation} - -\subsection{Safety case for 4 wire circuit} - -This sub-section looks at the behaviour of the $Pt100$ four wire circuit -for the effects of component failures. -All components have a set of known `failure modes'. -In other words we know that a given component can fail in several distinct ways. 
-Studies have been published which list common component types -and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}. -Thus for each component, an analysis is made for each of its failure modes, -with respect to its effect on the -circuit. Each one of these scenarios is termed a `test case'. -The resultant circuit behaviour for each of these test cases is noted. -The worst case for this type of -analysis would be a fault that we cannot detect. -Where this occurs a circuit re-design is probably the only sensible course of action. - -\fmodegloss - -\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.} - -\label{fmea} -The Pt00 circuit consists of three resistors, two `current~supply' -wires and two `sensor' wires. -Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A] -, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, -%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. -%Should wires become disconnected these will have the same effect as -%given resistors going open. -For the purpose of this analyis; -$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, -$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground. - -We can define the terms `High Fault' and `Low Fault' here, with reference to figure -\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone -in the diagram, we consider this a fault. -Should the reading be above its expected range, this is a `High Fault' -and if below a `Low Fault'. - -Table \ref{ptfmea} plays through the scenarios of each of the resistors failing -in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. 
-The range {0\oc} to {300\oc} will be analysed using potential divider equations to -determine out of range voltage limits in section~\ref{sec:ptbounds}. - -\begin{table}[ht] -\caption{Pt100 FMEA Single Faults} % title of Table -\centering % used for centering table -\begin{tabular}{||l|c|c|l|l||} -\hline \hline - \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ - \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ -% R & wire & res + & res - & description -\hline -\hline - $R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline -$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline - \hline -$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline - $R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline -\hline -$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\ - $R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline -\hline -\end{tabular} -\label{ptfmea} -\end{table} - -From table \ref{ptfmea} it can be seen that any component failure in the circuit -should cause a common symptom, that of one or more of the values being `out of range'. -Temperature range calculations and detailed calculations -on the effects of each test case are found in section \ref{Pt100range} -and \ref{Pt100temp}. - -%\paragraph{Consideration of Resistor Tolerance} -% -%The separate sense lines ensure the voltage read over the Pt100 thermistor are not -%altered due to having to pass any significant current. -%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. -%One or other of the load resistors (the one we measure current over) should also -%be of this accuracy. 
-% -%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient -%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to -%a narrow temperature range anyway, being mounted on a PCB. -%\glossary{{PCB}{Printed Circuit Board}} -%To calculate the resistance of the Pt100 element % (and thus derive its temperature), -%having the voltage over it, we now need the current. -%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop. -%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables). -%We can calculate the current by reading -%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. -%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, -%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} -%As these calculations are performed by ohms law, which is linear, the accuracy of the reading -%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to -%take the mean square error of these accuracy figures. - -\paragraph{Range and $Pt100$ Calculations} -\label{Pt100temp} -$Pt100$ resistors are designed to -have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. -A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} -for a given application. -According to the Eurotherm Pt100 -tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100} -and \ohms{212.02} respectively. From this the potential divider circuit can be -analysed and the maximum and minimum acceptable voltages determined. -These can be used as bounds results to apply the findings from the -Pt100 FMEA analysis in section \ref{fmea}. 
- -As the Pt100 forms a potential divider with the \ohms{2k2} load resistors, -the upper and lower readings can be calculated thus: - - -$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ -$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$ -So by defining an acceptable measurement/temperature range, -and ensuring the -values are always within these bounds, we can be confident that none of the -resistors in this circuit has failed. - -To convert these to twelve bit ADC (\adctw) counts: - -$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ -$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$ - - -\begin{table}[ht] -\caption{Pt100 Maximum and Minimum Values} % title of Table -\centering % used for centering table -\begin{tabular}{||c|c|c|l|l||} -\hline \hline - \textbf{Temperature} & \textbf{Pt100 resistance} & -\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\ -\hline -% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\ -% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline - {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\ - & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline - {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\ - & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline -\hline -\end{tabular} -\label{ptbounds} -\end{table} - -Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that -for any single error (short or opening of any resistor) this bounds check -will detect it. - - - -\paragraph{Consideration of Resistor Tolerance.} -% -\label{sec:ptbounds} -The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not -altered by having to pass any significant current. The current is supplied -by separate wires and the resistance in those are effectively cancelled -out by considering the voltage reading over $R_3$ to be relative. -% -The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. 
-One or other of the load resistors (the one over which we measure current) should also -be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an -accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. -% -The \ohms{2k2} loading resistors should have a good temperature co-effecient -(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). -% -To calculate the resistance of the Pt100 element % (and thus derive its temperature), -knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. -% -Lets use, for the sake of example $R_2$ to measure the current. -% -We can calculate the current $I$, by reading -the voltage over the known resistor $R_2$ and using ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. -We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, -and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use ohms law again to calculate -the resistance of $R_3$. -% -As ohms law is linear, the accuracy of the reading -will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to -take the mean square error of these accuracy figures~\cite{easp}. - - -\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit} - - -\ifthenelse{\boolean{pld}} -{ -\paragraph{Single Fault Modes as PLD} - -The component~failure~modes in table \ref{ptfmea} can be represented as contours -on a PLD diagram. -Each test case, is defined by the contours that enclose -it. The test cases here deal with single faults only -and are thus enclosed by one contour each. 
-\fmodegloss -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png} - % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 - \caption{Pt100 Component Failure Modes} - \label{fig:Pt100_tc} -\end{figure} -} % \ifthenelse {\boolean{pld}} - -%ating input Fault -This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings. -To establish the valid voltage ranges for these, and knowing our -valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate -valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd} -for the circuit shown in figure \ref{fig:vd}. - - - - -\paragraph{Proof of Out of Range Values for Failures} -\label{pt110range} -Using the temperature ranges defined above we can compare the voltages -we would get from the resistor failures to prove that they are -`out of range'. There are six test cases and each will be examined in turn. - -\subparagraph{ TC 1 : Voltages $R_1$ SHORT } -With Pt100 at 0\oc -$$ highreading = 5V $$ -Since the highreading or sense+ is directly connected to the 5V rail, -both temperature readings will be 5V.. -$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$ -With Pt100 at the high end of the temperature range 300\oc. -$$ highreading = 5V $$ -$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$ - -Thus with $R_1$ shorted both readings are outside the -proscribed range in table \ref{ptbounds}. - -\paragraph{ TC 2 : Voltages $R_1$ OPEN } - -In this case the 5V rail is disconnected. All voltages read are 0V, and -therefore both readings are outside the -proscribed range in table \ref{ptbounds}. - - -\paragraph{ TC 3 : Voltages $R_2$ SHORT } - -With Pt100 at 0\oc -$$ lowreading = 0V $$ -Since the lowreading or sense- is directly connected to the 0V rail, -both temperature readings will be 0V. 
-$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$ -With Pt100 at the high end of the temperature range 300\oc. -$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$ - -Thus with $R_2$ shorted both readings are outside the -proscribed range in table \ref{ptbounds}. - -\paragraph{ TC 4 : Voltages $R_2$ OPEN } -Here there is no potential divider operating and both sense lines -will read 5V, outside of the proscribed range. - - -\paragraph{ TC 5 : Voltages $R_3$ SHORT } - -Here the potential divider is simply between -the two 2k2 load resistors. Thus it will read a nominal; -2.5V. - -Assuming the load resistors are -precision components, and then taking an absolute worst case of 1\% either way. - -$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ - -$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$ - -These readings both lie outside the proscribed range. -Also the sense+ and sense- readings would have the same value. - -\paragraph{ TC 6 : Voltages $R_3$ OPEN } - -Here the potential divider is broken. The sense- will read 0V and the sense+ will -read 5V. Both readings are outside the proscribed range. - -\subsection{Summary of Analysis} - -All six test cases have been analysed and the results agree with the hypothesis -put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the -symptoms. In this case there is a common and easily detected symptom for all these single -resistor faults : Voltage out of range. - -A spider can be drawn on the PLD diagram to this effect. - -In practical use, by defining an acceptable measurement/temperature range, -and ensuring the -values are always within these bounds, we can be confident that none of the -resistors in this circuit has failed. 
- -\ifthenelse{\boolean{pld}} -{ -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png} - % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 - \caption{Pt100 Component Failure Modes} - \label{fig:Pt100_tc_sp} -\end{figure} -} - - -\subsection{Derived Component : The Pt100 Circuit} -The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, -{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a -fault condition is very good with this circuit.This should not be a surprise, as the four wire $Pt100$ -has been developed for safety critical temperature measurement. -% -\ifthenelse{\boolean{pld}} -{ -It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}. - -\begin{figure}[h] - \centering - \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png} - % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 - \caption{Pt100 Circuit Failure Modes : From Single Faults Analysis} - \label{fig:Pt100_singlef} -\end{figure} -} - -%From the single faults (cardinality constrained powerset of 1) analysis, we can now create -%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \} -%as its single failure mode. - - -%Interestingly we can calculate the failure statistics for this circuit now. -%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ??? -%\clearpage -\subsection{Mean Time to Failure} - -Now that we have a model for the failure mode behaviour of the Pt100 circuit -we can look at the statistics associated with each of the failure modes. 
- -The DOD electronic reliability of components -document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating -the -%$\frac{failures}{{10}^6}$ -${failures}/{{10}^6}$ % looks better -in hours for a wide range of generic components -\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F -can give conservative reliability figures when applied to -modern components}. -% -Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor -failure statistics, we calculate the reliability of this circuit. - - -\paragraph{Resistor FIT Calculations} - -The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor -is reproduced in equation \ref{resistorfit}. The meanings -and values assigned to its co-efficients are described in table \ref{tab:resistor}. -\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} - - -\fmodegloss - -\begin{equation} -% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E -resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E - \label{resistorfit} -\end{equation} - -\begin{table}[ht] -\caption{Fixed film resistor Failure in time assessment} % title of Table -\centering % used for centering table -\begin{tabular}{||c|c|l||} -\hline \hline - \em{Parameter} & \em{Value} & \em{Comments} \\ - & & \\ \hline \hline - ${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline - %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline - ${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline - ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline - ${\pi}_E$ & 1.0 & benign ground environment\\ \hline - -\hline \hline -\end{tabular} -\label{tab:resistor} -\end{table} - -Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor} -give the following failures in ${10}^6$ hours: - -\begin{equation} - 0.00092 \times 
1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours} - \label{eqn:resistor} -\end{equation} - -While MIL-HDBK-217F gives MTTF for a wide range of common components, -it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}. -%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. -% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011 -This example -compromises and uses a 90:10 ratio, for resistor failure. -Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED -in the other 10\%. -A standard fixed film resistor, for use in a benign environment, non military spec at -temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$) -hours of operation (see equation \ref{eqn:resistor}). -This figure is referred to as a FIT\footnote{FIT values are measured as the number of -failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the -FIT number the more reliable the fault~mode} Failure in time. - -The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in -equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}. 
- -\begin{equation} -% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E -resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E - \label{thermistorfit} -\end{equation} - -\begin{table}[ht] -\caption{Bead type Thermistor Failure in time assessment} % title of Table -\centering % used for centering table -\begin{tabular}{||c|c|l||} -\hline \hline - \em{Parameter} & \em{Value} & \em{Comments} \\ - & & \\ \hline \hline - ${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline - %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline - %${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline - ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline - ${\pi}_E$ & 1.0 & benign ground environment\\ \hline - -\hline \hline -\end{tabular} -\label{tab:thermistor} -\end{table} - - -\begin{equation} - 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours} - \label{eqn:thermistor} -\end{equation} - - -Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0 - -Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), -showing the FIT values for all faults considered. -\glossary{name={FIT}, description={Failure in Time (FIT). 
The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} - - - - -\begin{table}[h+] -\caption{Pt100 FMEA Single // Fault Statistics} % title of Table -\centering % used for centering table -\begin{tabular}{||l|c|c|l|l||} -\hline \hline - \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\ - \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\ -% R & wire & res + & res - & description -\hline -\hline -TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline -TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline - \hline -TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline -TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline -\hline -TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\ -TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline -\hline -\end{tabular} -\label{tab:stat_single} -\end{table} - -The FIT for the circuit as a whole is the sum of MTTF values for all the -test cases. The Pt100 circuit here has a FIT of 342.6. This is a MTTF of -about 360 years per circuit. - -A probabilistic tree can now be drawn, with a FIT value for the Pt100 -circuit and FIT values for all the component fault modes from which it was calculated. -We can see from this that the most likely fault is the thermistor going OPEN. -This circuit is around 10 times more likely to fail in this way than in any other. -Were we to need a more reliable temperature sensor, this would probably -be the fault~mode we would scrutinise first. - - -\begin{figure}[h+] - \centering - \includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png} - % stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327 - \caption{Probablistic Fault Tree : Pt100 Single Faults} - \label{fig:stat_single} -\end{figure} - - -The Pt100 analysis presents a simple result for single faults. 
-The next analysis phase looks at how the circuit will behave under double simultaneous failure -conditions. - -%\clearpage -\section{ Pt100 Double Simultaneous Fault Analysis} -\label{sec:Pt100d} -In this section we examine the failure mode behaviour for all single -faults and double simultaneous faults. -This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of -the failure modes in the functional group. -All the single faults have already been proved in the last section. -For the next set of test cases, let us again hypothesise -the failure modes, and then examine each one in detail with -potential divider equation proofs. - -Table \ref{tab:ptfmea2} lists all the combinations of double -faults and then hypothesises how the functional~group will react -under those conditions. - -\begin{table}[ht] -\caption{Pt100 FMEA Double Faults} % title of Table -\centering % used for centering table -\begin{tabular}{||l|l|c|c|l|l||} -\hline \hline - \textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ - \textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ -% R & wire & res + & res - & description -\hline -\hline - TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline - TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline -\hline - TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline - TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline -\hline - - TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline -TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline -\hline - TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline -TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline - -\hline - TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of 
range \\ \hline -TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline -TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline -TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline -\hline -\end{tabular} -\label{tab:ptfmea2} -\end{table} - -\subsection{Verifying complete coverage for a cardinality constrained powerset of 2} - -\fmodegloss - - -It is important to check that we have covered all possible double fault combinations. -We can use the equation \ref{eqn:correctedccps2} -\ifthenelse {\boolean{paper}} -{ -from the definitions paper -\ref{pap:compdef} -, -reproduced below to verify this. - -\indent{ - where: - \begin{itemize} - \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes. - \item The indexed set $C_j$ represents all components in set $SU$. - \item The function $FM$ takes a component as an argument and returns its set of failure modes. - \item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults. - \end{itemize} -} -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} -- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } - \label{eqn:correctedccps2} -\end{equation} - -} -{ -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} -- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } - %\label{eqn:correctedccps2} -\end{equation} -} - - -$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes. - -% -% Factorial of zero is one ! You can only arrange an empty set one way ! - -Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2. -%is always 2 for this circuit, as all the components are resistors and have two failure modes. 
- -\begin{equation} - |{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}} -- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} } - %\label{eqn:correctedccps2} -\end{equation} - -$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check -under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time). - -Expanding the sumations - - -$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$ - -$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$ - -As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double) -we can be confident that we have looked at all `double combinations' of the possible faults -in the Pt100 circuit. The next task is to investigate -these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. - - -%\paragraph{Proof of Double Faults Hypothesis} - -\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } -\label{Pt100:bothfloating} -This double fault mode produces an interesting symptom. -Both sense lines are floating. -We cannot know what the {\adctw} readings on them will be. -% -In practise these would probably float to low values -but for the purpose of a safety critical analysis, -all we can say is that the values are `floating' and `unknown'. -This is an interesting case, because it is, at this stage an undetectable---or unobservable--- -fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{unobservability}. -%that must be handled. - - -\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } - -This cuts the supply from Vcc. Both sense lines will be at zero. -Thus both values will be out of range. - - -\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN } - -Sense- will be floating. 
-Sense+ will be tied to Vcc and will thus be out of range. - -\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT } - -This shorts ground to -both of the sense lines. -Both values will be out of range. - -\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN } - -This shorts both sense lines to Vcc. -Both values will be out of range. - - -\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT } - -This shorts the sense+ to Vcc and the sense- to ground. -Both values will be out of range. - - -\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN } - -This shorts the sense+ to Vcc and the sense- to ground. -Both values will be out of range. - -\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT } - -This shorts the sense+ and sense- to Vcc. -Both values will be out of range. - -\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN } - -This shorts the sense+ to Vcc and causes sense- to float. -The sense+ value will be out of range. - - -\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT } - -This shorts the sense+ and sense- to Vcc. -Both values will be out of range. - - - - - -\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN } - -This shorts the sense- to Ground. -The sense- value will be out of range. - - -\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT } - -This shorts the sense+ and sense- to Vcc. -Both values will be out of range. - -%\clearpage - -\ifthenelse{\boolean{pld}} -{ -\subsection{Double Faults Represented on a PLD Diagram} - -We can show the test cases on a diagram with the double faults residing on regions -corresponding to overlapping contours see figure \ref{fig:plddouble}. -Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour. 
- - -\begin{figure}[h] - \centering - \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png} - % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 - \caption{Pt100 Double Simultaneous Faults} - \label{fig:plddouble} -\end{figure} - -We use equation \ref{eqn:correctedccps2} to verify complete coverage for -a given cardinality constraint is not visually obvious. -% -From the diagram it is easy to verify -the number of failure modes considered for each test case, but -not that all for a given cardinality constraint have been included. -} -{ -} - -\paragraph{Symptom Extraction} - -We can now examine the results of the test case analysis and apply symptom abstraction. -In all the test case results we have at least one out of range value, except for -$TC\_7$ -which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$, -into the symptom $OUT\_OF\_RANGE$. -As a symptom $TC\_7$ could be described as $FLOATING$. - -\ifthenelse{\boolean{pld}} -{ -We can thus draw a PLD diagram representing the -failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures, -in figure \ref{fig:Pt100_doublef}. - -\begin{figure}[h] - \centering - \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png} - % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 - \caption{Pt100 Double Simultaneous Faults} - \label{fig:plddoublesymptom} -\end{figure} -} %% \ifthenelse {\boolean{pld}} -{ -} - -%\clearpage -\subsection{Derived Component : The Pt100 Circuit} -The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes, -{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. - -\ifthenelse{\boolean{pld}} -{ -It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}. 
-\begin{figure}[h] - \centering - \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png} - % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 - \caption{Pt100 Circuit Failure Modes : From Double Faults Analysis} - \label{fig:Pt100_doublef} -\end{figure} -} % \ifthenelse {\boolean{pld}} -{ -} - - -\subsection{Statistics} - -%% -%% Need to talk abou the `detection time' -%% or `Safety Relevant Validation Time' ref can book -%% EN61508 gives detection calculations to reduce -%% statistical impacts of failures. -%% - -If we consider the failure modes to be statistically independent we can calculate -the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition -requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF -together and find an MTTF for both failing. The FIT value of 12.42 corresponds to -$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $. -This is an astronomically small MTTF, and so small that it would -probably fall below a threshold to sensibly consider. -However, it is very interesting from a failure analysis perspective, -because here we have found a fault that we cannot detect at this -level. This means that should we wish to cope with -this fault, we need to devise a way of detecting this -condition in higher levels of the system. -\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}} - - \section{Applying FMMD to Software} diff --git a/submission_thesis/CH6_Evaluation/copy.tex b/submission_thesis/CH6_Evaluation/copy.tex index 2149b6c..7a9f093 100644 --- a/submission_thesis/CH6_Evaluation/copy.tex +++ b/submission_thesis/CH6_Evaluation/copy.tex 
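Review bot: the removed block defines labels that the text re-added in CH6 (next file in this patch) still references, namely `\label{sec:ptbounds}` and `\label{Pt100temp}`, so make sure the moved copy carries them across; note also that the reference `\ref{Pt100range}` in the re-added text has no matching label at all, since the label here is spelled `\label{pt110range}`, so that cross-reference was already dangling and the move is the moment to rename one to match the other. Two further defects in this block should be corrected in the moved copy rather than carried over verbatim: the double-fault introduction says "This corresponds to the cardinality constrained powerset of one" although the section analyses double faults (its own subsection heading reads "Verifying complete coverage for a cardinality constrained powerset of 2"), and the glossary entry `\glossary{name={FIT}, ...}` is emitted three times with three different descriptions (after "Resistor FIT Calculations", after "Using the RIAC finding", and at the end of "Statistics"); define it once. Minor: "The FIT for the circuit as a whole is the sum of MTTF values" conflates the two quantities, and the table column headed "MTTF per $10^9$ hours" actually holds FIT values.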
@@ -1,5 +1,16 @@ \section*{Metrics} + + +% +% Moving Pt100 to metrics +%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical +%failure mode classification % analysis for top level events traced back to {\bc} failure modes +%and the analysis of double simultaneous failure modes. +% + + + \section{Defining the concept of `comparison~complexity' in FMEA} \label{sec:cc} % 
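Review bot: this hunk adds only blank lines and a commented-out sentence directly under `\section*{Metrics}`; if the Pt100 sections are meant to be introduced here, uncomment the sentence `%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical` as a short lead-in, otherwise drop the hunk, since ten empty lines after a heading add nothing. If it is uncommented, `\ref{sec:Pt100d}` must resolve, so the double-fault section carrying `\label{sec:Pt100d}` (removed from CH5 in this patch) has to be moved into CH6 as well.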
@@ -247,10 +258,947 @@ $$ % \subsection{Exponential squared to Exponential} % % can I say that ? +\clearpage +\section{Pt100 Analysis: FMMD and Mean Time to Failure (MTTF) statistics} +\label{sec:Pt100} +{ +This section +% shows a practical example of +% one `symptom~abstraction' stage in the FMMD process. +% We take a functional group of base components, +% and using their failure modes, analyse the circuit +% to find failure symptoms. +% These failure symptoms are used to define +% a derived component. +% +demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows +how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms. -\section{Problems in choosing membership of functional groups} -\subsection{Side Effects: A Problem for FMMD analysis} +For this example we look at an industry standard temperature measurement circuit, +the Pt100. +The circuit is described and then analysed using the FMMD methodology. + + +%A derived component, representing this circuit is then presented. + + +The Pt100, or platinum wire \ohms{100} sensor is +a widely used industrial temperature sensor that is +slowly replacing the use of thermocouples in many +industrial applications below 600\oc, due to high accuracy\cite{aoe}. + +This section looks at the most common configuration, the +four wire circuit, and analyses it from an FMEA perspective twice. +Once considering single faults (cardinality constrained powerset of 1) and then again, considering the +possibility of double faults (cardinality constrained powerset of 2). + +\ifthenelse {\boolean{pld}} +{ +The section is performed using Propositional Logic +diagrams to assist the reasoning process. +} +{ +} + +This chapter describes taking +the failure modes of the components, analysing the circuit using FMEA +and producing a failure mode model for the circuit as a whole. 
+Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed +from an FMEA perspective as a component itself, with a set of known failure modes. +} + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png} + % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{Pt100 four wire circuit} + \label{fig:Pt100} +\end{figure} + + +\subsection{General Description of Pt100 four wire circuit} + +The Pt100 four wire circuit uses two wires to supply a small electrical current, +and returns two sense voltages by the other two. +By measuring voltages +from sections of this circuit forming potential dividers, we can determine the +resistance of the platinum wire sensor. The resistance +of this is directly related to temperature, and may be determined by +look-up tables or a suitable polynomial expression. + + +\begin{figure}[h] + \centering + \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} + % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{Pt100 expected voltage ranges} + \label{fig:Pt100vrange} +\end{figure} + + +The voltage ranges we expect from this three stage potential divider\footnote{ +two stages are required for validation, a third stage is used to measure the current flowing +through the circuit to obtain accurate temperature readings} +are shown in figure \ref{fig:Pt100vrange}. Note that there is +an expected range for each reading, for a given temperature span. +Note that the low reading goes down as temperature increases, and the higher reading goes up. +For this reason the low reading will be referred to as {\em sense-} +and the higher as {\em sense+}. + +\paragraph{Accuracy despite variable resistance in cables} + +For electronic and accuracy reasons, a four wire circuit is preferred +because of resistance in the cables. 
Resistance from the supply + causes a slight voltage +drop in the supply to the $Pt100$. As no significant current +is carried by the two `sense' lines, the resistance back to the ADC +causes only a negligible voltage drop, and thus the four wire +configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across +the thermistor only and not the voltage across the thermistor and current supply wire resistance.}. + +\paragraph{Calculating Temperature from the sense line voltages} + +The current flowing though the +whole circuit can be measured on the PCB by reading a third +sense voltage from one of the load resistors. Knowing the current flowing +through the circuit +and knowing the voltage drop over the $Pt100$, we can calculate its +resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$. +Thus a little loss of supply current due to resistance in the cables +does not impinge on accuracy. +The resistance to temperature conversion is achieved +through the published $Pt100$ tables\cite{eurothermtables}. +The standard voltage divider equations (see figure \ref{fig:vd} and +equation \ref{eqn:vd}) can be used to calculate +expected voltages for failure mode and temperature reading purposes. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png} + % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 + \caption{Voltage Divider} + \label{fig:vd} +\end{figure} +%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. + +\begin{equation} +\label{eqn:vd} + V_{out} = V_{in}.\frac{Z2}{Z2+Z1} +\end{equation} + +\subsection{Safety case for 4 wire circuit} + +This sub-section looks at the behaviour of the $Pt100$ four wire circuit +for the effects of component failures. +All components have a set of known `failure modes'. 
+In other words we know that a given component can fail in several distinct ways. +Studies have been published which list common component types +and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}. +Thus for each component, an analysis is made for each of its failure modes, +with respect to its effect on the +circuit. Each one of these scenarios is termed a `test case'. +The resultant circuit behaviour for each of these test cases is noted. +The worst case for this type of +analysis would be a fault that we cannot detect. +Where this occurs a circuit re-design is probably the only sensible course of action. + +\fmodegloss + +\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.} + +\label{fmea} +The Pt00 circuit consists of three resistors, two `current~supply' +wires and two `sensor' wires. +Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A] +, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, +%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. +%Should wires become disconnected these will have the same effect as +%given resistors going open. +For the purpose of this analyis; +$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, +$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground. + +We can define the terms `High Fault' and `Low Fault' here, with reference to figure +\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone +in the diagram, we consider this a fault. +Should the reading be above its expected range, this is a `High Fault' +and if below a `Low Fault'. + +Table \ref{ptfmea} plays through the scenarios of each of the resistors failing +in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. 
+The range {0\oc} to {300\oc} will be analysed using potential divider equations to +determine out of range voltage limits in section~\ref{sec:ptbounds}. + +\begin{table}[ht] +\caption{Pt100 FMEA Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + $R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline +$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline + \hline +$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline + $R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline +\hline +$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\ + $R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline +\hline +\end{tabular} +\label{ptfmea} +\end{table} + +From table \ref{ptfmea} it can be seen that any component failure in the circuit +should cause a common symptom, that of one or more of the values being `out of range'. +Temperature range calculations and detailed calculations +on the effects of each test case are found in section \ref{Pt100range} +and \ref{Pt100temp}. + +%\paragraph{Consideration of Resistor Tolerance} +% +%The separate sense lines ensure the voltage read over the Pt100 thermistor are not +%altered due to having to pass any significant current. +%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. +%One or other of the load resistors (the one we measure current over) should also +%be of this accuracy. 
+% +%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient +%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to +%a narrow temperature range anyway, being mounted on a PCB. +%\glossary{{PCB}{Printed Circuit Board}} +%To calculate the resistance of the Pt100 element % (and thus derive its temperature), +%having the voltage over it, we now need the current. +%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop. +%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables). +%We can calculate the current by reading +%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. +%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} +%As these calculations are performed by ohms law, which is linear, the accuracy of the reading +%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +%take the mean square error of these accuracy figures. + +\paragraph{Range and $Pt100$ Calculations} +\label{Pt100temp} +$Pt100$ resistors are designed to +have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. +A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} +for a given application. +According to the Eurotherm Pt100 +tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100} +and \ohms{212.02} respectively. From this the potential divider circuit can be +analysed and the maximum and minimum acceptable voltages determined. +These can be used as bounds results to apply the findings from the +Pt100 FMEA analysis in section \ref{fmea}. 
+ +As the Pt100 forms a potential divider with the \ohms{2k2} load resistors, +the upper and lower readings can be calculated thus: + + +$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$ +So by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds, we can be confident that none of the +resistors in this circuit has failed. + +To convert these to twelve bit ADC (\adctw) counts: + +$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$ + + +\begin{table}[ht] +\caption{Pt100 Maximum and Minimum Values} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|c|l|l||} +\hline \hline + \textbf{Temperature} & \textbf{Pt100 resistance} & +\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\ +\hline +% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\ +% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline + {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\ + & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline + {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\ + & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline +\hline +\end{tabular} +\label{ptbounds} +\end{table} + +Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that +for any single error (short or opening of any resistor) this bounds check +will detect it. + + + +\paragraph{Consideration of Resistor Tolerance.} +% +\label{sec:ptbounds} +The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not +altered by having to pass any significant current. The current is supplied +by separate wires and the resistance in those are effectively cancelled +out by considering the voltage reading over $R_3$ to be relative. +% +The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. 
+One or other of the load resistors (the one over which we measure current) should also +be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an +accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. +% +The \ohms{2k2} loading resistors should have a good temperature co-effecient +(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). +% +To calculate the resistance of the Pt100 element % (and thus derive its temperature), +knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. +% +Lets use, for the sake of example $R_2$ to measure the current. +% +We can calculate the current $I$, by reading +the voltage over the known resistor $R_2$ and using ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. +We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use ohms law again to calculate +the resistance of $R_3$. +% +As ohms law is linear, the accuracy of the reading +will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +take the mean square error of these accuracy figures~\cite{easp}. + + +\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit} + + +\ifthenelse{\boolean{pld}} +{ +\paragraph{Single Fault Modes as PLD} + +The component~failure~modes in table \ref{ptfmea} can be represented as contours +on a PLD diagram. +Each test case, is defined by the contours that enclose +it. The test cases here deal with single faults only +and are thus enclosed by one contour each. 
+\fmodegloss +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png} + % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{Pt100 Component Failure Modes} + \label{fig:Pt100_tc} +\end{figure} +} % \ifthenelse {\boolean{pld}} + +%ating input Fault +This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings. +To establish the valid voltage ranges for these, and knowing our +valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate +valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd} +for the circuit shown in figure \ref{fig:vd}. + + + + +\paragraph{Proof of Out of Range Values for Failures} +\label{pt110range} +Using the temperature ranges defined above we can compare the voltages +we would get from the resistor failures to prove that they are +`out of range'. There are six test cases and each will be examined in turn. + +\subparagraph{ TC 1 : Voltages $R_1$ SHORT } +With Pt100 at 0\oc +$$ highreading = 5V $$ +Since the highreading or sense+ is directly connected to the 5V rail, +both temperature readings will be 5V.. +$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$ +With Pt100 at the high end of the temperature range 300\oc. +$$ highreading = 5V $$ +$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$ + +Thus with $R_1$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\paragraph{ TC 2 : Voltages $R_1$ OPEN } + +In this case the 5V rail is disconnected. All voltages read are 0V, and +therefore both readings are outside the +proscribed range in table \ref{ptbounds}. + + +\paragraph{ TC 3 : Voltages $R_2$ SHORT } + +With Pt100 at 0\oc +$$ lowreading = 0V $$ +Since the lowreading or sense- is directly connected to the 0V rail, +both temperature readings will be 0V. 
+$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$ +With Pt100 at the high end of the temperature range 300\oc. +$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$ + +Thus with $R_2$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\paragraph{ TC 4 : Voltages $R_2$ OPEN } +Here there is no potential divider operating and both sense lines +will read 5V, outside of the proscribed range. + + +\paragraph{ TC 5 : Voltages $R_3$ SHORT } + +Here the potential divider is simply between +the two 2k2 load resistors. Thus it will read a nominal; +2.5V. + +Assuming the load resistors are +precision components, and then taking an absolute worst case of 1\% either way. + +$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ + +$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$ + +These readings both lie outside the proscribed range. +Also the sense+ and sense- readings would have the same value. + +\paragraph{ TC 6 : Voltages $R_3$ OPEN } + +Here the potential divider is broken. The sense- will read 0V and the sense+ will +read 5V. Both readings are outside the proscribed range. + +\subsection{Summary of Analysis} + +All six test cases have been analysed and the results agree with the hypothesis +put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the +symptoms. In this case there is a common and easily detected symptom for all these single +resistor faults : Voltage out of range. + +A spider can be drawn on the PLD diagram to this effect. + +In practical use, by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds, we can be confident that none of the +resistors in this circuit has failed. 
+ +\ifthenelse{\boolean{pld}} +{ +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png} + % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{Pt100 Component Failure Modes} + \label{fig:Pt100_tc_sp} +\end{figure} +} + + +\subsection{Derived Component : The Pt100 Circuit} +The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, +{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a +fault condition is very good with this circuit.This should not be a surprise, as the four wire $Pt100$ +has been developed for safety critical temperature measurement. +% +\ifthenelse{\boolean{pld}} +{ +It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png} + % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{Pt100 Circuit Failure Modes : From Single Faults Analysis} + \label{fig:Pt100_singlef} +\end{figure} +} + +%From the single faults (cardinality constrained powerset of 1) analysis, we can now create +%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \} +%as its single failure mode. + + +%Interestingly we can calculate the failure statistics for this circuit now. +%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ??? +%\clearpage +\subsection{Mean Time to Failure} + +Now that we have a model for the failure mode behaviour of the Pt100 circuit +we can look at the statistics associated with each of the failure modes. 
+ +The DOD electronic reliability of components +document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating +the +%$\frac{failures}{{10}^6}$ +${failures}/{{10}^6}$ % looks better +in hours for a wide range of generic components +\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F +can give conservative reliability figures when applied to +modern components}. +% +Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor +failure statistics, we calculate the reliability of this circuit. + + +\paragraph{Resistor FIT Calculations} + +The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor +is reproduced in equation \ref{resistorfit}. The meanings +and values assigned to its co-efficients are described in table \ref{tab:resistor}. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + +\fmodegloss + +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E + \label{resistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Fixed film resistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + ${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:resistor} +\end{table} + +Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor} +give the following failures in ${10}^6$ hours: + +\begin{equation} + 0.00092 \times 
1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours} + \label{eqn:resistor} +\end{equation} + +While MIL-HDBK-217F gives MTTF for a wide range of common components, +it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}. +%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. +% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011 +This example +compromises and uses a 90:10 ratio, for resistor failure. +Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED +in the other 10\%. +A standard fixed film resistor, for use in a benign environment, non military spec at +temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$) +hours of operation (see equation \ref{eqn:resistor}). +This figure is referred to as a FIT\footnote{FIT values are measured as the number of +failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the +FIT number the more reliable the fault~mode} Failure in time. + +The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in +equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}. 
+ +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E + \label{thermistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Bead type Thermistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + %${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:thermistor} +\end{table} + + +\begin{equation} + 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours} + \label{eqn:thermistor} +\end{equation} + + +Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0 + +Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), +showing the FIT values for all faults considered. +\glossary{name={FIT}, description={Failure in Time (FIT). 
The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + + + +\begin{table}[h+] +\caption{Pt100 FMEA Single // Fault Statistics} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\ +% R & wire & res + & res - & description +\hline +\hline +TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline +TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline + \hline +TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline +TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline +\hline +TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\ +TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline +\hline +\end{tabular} +\label{tab:stat_single} +\end{table} + +The FIT for the circuit as a whole is the sum of MTTF values for all the +test cases. The Pt100 circuit here has a FIT of 342.6. This is a MTTF of +about 360 years per circuit. + +A probabilistic tree can now be drawn, with a FIT value for the Pt100 +circuit and FIT values for all the component fault modes from which it was calculated. +We can see from this that the most likely fault is the thermistor going OPEN. +This circuit is around 10 times more likely to fail in this way than in any other. +Were we to need a more reliable temperature sensor, this would probably +be the fault~mode we would scrutinise first. + + +\begin{figure}[h+] + \centering + \includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png} + % stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327 + \caption{Probablistic Fault Tree : Pt100 Single Faults} + \label{fig:stat_single} +\end{figure} + + +The Pt100 analysis presents a simple result for single faults. 
+The next analysis phase looks at how the circuit will behave under double simultaneous failure +conditions. + + + + +\section{Double failure analysis} + +CITE PRICE MULTIPLE FAILURE PAPER. + +%\clearpage +\section{ Pt100 Double Simultaneous Fault Analysis} +\label{sec:Pt100d} +In this section we examine the failure mode behaviour for all single +faults and double simultaneous faults. +This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of +the failure modes in the functional group. +All the single faults have already been proved in the last section. +For the next set of test cases, let us again hypothesise +the failure modes, and then examine each one in detail with +potential divider equation proofs. + +Table \ref{tab:ptfmea2} lists all the combinations of double +faults and then hypothesises how the functional~group will react +under those conditions. + +\begin{table}[ht] +\caption{Pt100 FMEA Double Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|l|c|c|l|l||} +\hline \hline + \textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline + TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline +\hline + TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline + TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline +\hline + + TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline +TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline +\hline + TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline + 
+\hline + TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline +TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline +TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline +\hline +\end{tabular} +\label{tab:ptfmea2} +\end{table} + +\subsection{Verifying complete coverage for a cardinality constrained powerset of 2} + +\fmodegloss + + +It is important to check that we have covered all possible double fault combinations. +We can use the equation \ref{eqn:correctedccps2} +\ifthenelse {\boolean{paper}} +{ +from the definitions paper +\ref{pap:compdef} +, +reproduced below to verify this. + +\indent{ + where: + \begin{itemize} + \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes. + \item The indexed set $C_j$ represents all components in set $SU$. + \item The function $FM$ takes a component as an argument and returns its set of failure modes. + \item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults. + \end{itemize} +} +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + \label{eqn:correctedccps2} +\end{equation} + +} +{ +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + %\label{eqn:correctedccps2} +\end{equation} +} + + +$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes. + +% +% Factorial of zero is one ! You can only arrange an empty set one way ! + +Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2. +%is always 2 for this circuit, as all the components are resistors and have two failure modes. 
+ +\begin{equation} + |{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}} +- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} } + %\label{eqn:correctedccps2} +\end{equation} + +$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check +under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time). + +Expanding the sumations + + +$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$ + +$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$ + +As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double) +we can be confident that we have looked at all `double combinations' of the possible faults +in the Pt100 circuit. The next task is to investigate +these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. + + +%\paragraph{Proof of Double Faults Hypothesis} + +\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } +\label{Pt100:bothfloating} +This double fault mode produces an interesting symptom. +Both sense lines are floating. +We cannot know what the {\adctw} readings on them will be. +% +In practise these would probably float to low values +but for the purpose of a safety critical analysis, +all we can say is that the values are `floating' and `unknown'. +This is an interesting case, because it is, at this stage an undetectable---or unobservable--- +fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{unobservability}. +%that must be handled. + + +\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } + +This cuts the supply from Vcc. Both sense lines will be at zero. +Thus both values will be out of range. + + +\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN } + +Sense- will be floating. 
+Sense+ will be tied to Vcc and will thus be out of range. + +\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT } + +This shorts ground to +both of the sense lines. +Both values will be out of range. + +\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN } + +This shorts both sense lines to Vcc. +Both values will be out of range. + + +\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + + +\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + +\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN } + +This shorts the sense+ to Vcc and causes sense- to float. +The sense+ value will be out of range. + + +\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + + + + + +\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN } + +This shorts the sense- to Ground. +The sense- value will be out of range. + + +\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +%\clearpage + +\ifthenelse{\boolean{pld}} +{ +\subsection{Double Faults Represented on a PLD Diagram} + +We can show the test cases on a diagram with the double faults residing on regions +corresponding to overlapping contours see figure \ref{fig:plddouble}. +Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour. 
+ + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{Pt100 Double Simultaneous Faults} + \label{fig:plddouble} +\end{figure} + +We use equation \ref{eqn:correctedccps2} to verify complete coverage for +a given cardinality constraint is not visually obvious. +% +From the diagram it is easy to verify +the number of failure modes considered for each test case, but +not that all for a given cardinality constraint have been included. +} +{ +} + +\paragraph{Symptom Extraction} + +We can now examine the results of the test case analysis and apply symptom abstraction. +In all the test case results we have at least one out of range value, except for +$TC\_7$ +which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$, +into the symptom $OUT\_OF\_RANGE$. +As a symptom $TC\_7$ could be described as $FLOATING$. + +\ifthenelse{\boolean{pld}} +{ +We can thus draw a PLD diagram representing the +failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures, +in figure \ref{fig:Pt100_doublef}. + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{Pt100 Double Simultaneous Faults} + \label{fig:plddoublesymptom} +\end{figure} +} %% \ifthenelse {\boolean{pld}} +{ +} + +%\clearpage +\subsection{Derived Component : The Pt100 Circuit} +The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes, +{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. + +\ifthenelse{\boolean{pld}} +{ +It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}. 
+\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png} + % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{Pt100 Circuit Failure Modes : From Double Faults Analysis} + \label{fig:Pt100_doublef} +\end{figure} +} % \ifthenelse {\boolean{pld}} +{ +} + + +\subsection{Statistics} + +%% +%% Need to talk abou the `detection time' +%% or `Safety Relevant Validation Time' ref can book +%% EN61508 gives detection calculations to reduce +%% statistical impacts of failures. +%% + +If we consider the failure modes to be statistically independent we can calculate +the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition +requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF +together and find an MTTF for both failing. The FIT value of 12.42 corresponds to +$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $. +This is an astronomically small MTTF, and so small that it would +probably fall below a threshold to sensibly consider. +However, it is very interesting from a failure analysis perspective, +because here we have found a fault that we cannot detect at this +level. This means that should we wish to cope with +this fault, we need to devise a way of detecting this +condition in higher levels of the system. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. 
Associated with continuous demand systems under EN61508~\cite{en61508}}} + + + + +\section{Critiques} + +\subsection{Problems in choosing membership of functional groups} + +\subsubsection{Side Effects: A Problem for FMMD analysis} A problem with modularising according to functionality is that we can have component failures that would intuitively be associated with one {\fg} that may cause unintended side effects in other {\fgs}. @@ -299,8 +1247,5 @@ It does uncover a weakness in the FMMD methodology though. It could be very easy to miss the side effect and include the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. -\section{Critiques} - - \section{Evaluation}
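Review bot: in the double-fault proofs of the `Pt100 Double Simultaneous Fault Analysis` section, TC 9 and TC 18 contradict both the circuit definition given earlier in this hunk and table `tab:ptfmea2`. TC 9 states `Sense+ will be tied to Vcc` although $R_1$ OPEN removes the only path to the 5V rail (TC 2 says exactly that); with $R_1$ and $R_3$ both open, sense+ floats and only sense- is held low through $R_2$, so the table's `high & low` row for TC 9 needs revisiting as well (compare the mirror case TC 15, where sense+ is high and sense- floats). TC 18 states `This shorts the sense+ and sense- to Vcc.`, but $R_2$ SHORT ties sense- to ground and $R_3$ SHORT ties sense+ to sense-, so both lines sit at 0V, which is what the table's `low & low` row says; suggest `This shorts the sense+ and sense- to ground.` TC 17 mentions only sense-, while sense+ is pulled to Vcc through $R_1$ and the table lists both readings out of range. In the single-fault section, table `ptfmea` hypothesises only one reading at fault for $R_1$ SHORT and $R_2$ SHORT (a dash in the other column), yet TC 1 and TC 3 compute 4.78V/4.56V and 0.218V/0.44V for the other sense line and conclude that both readings are out of range; the table (and its copy in `tab:stat_single`) should say both values are out of range, otherwise the summary's claim that the results agree with the hypothesis does not hold. Also in TC 3 the 0.218V equation is labelled `lowreading` but is the sense+ divider value (highreading), and the sentences ending `both temperature readings will be 0V` and `will be 5V..` read as if both sense lines take that value; "at both ends of the temperature range" is what is meant, and the double full stop should go. Smaller items: `\ref{Pt100range}` has no matching label (the label defined is `pt110range`), so that cross-reference is undefined; the `thermistorfit` equation still has `resistor{\lambda}_p` on its left-hand side; `{\textbf OUT\_OF\_RANGE}` emboldens only the `O` (use `\textbf{...}` as the later derived-component paragraph does); the `tab:stat_single` header says MTTF per $10^9$ hours but the column holds FIT values, and a FIT of 342.6 gives $10^9/342.6 \approx 2.9\times10^6$ hours, roughly 333 years rather than "about 360 years"; "cardinality constrained powerset of one" in the double-fault introduction should be two; the populated coverage equation introduces an unexplained `p` in `\frac{2!}{p!(2 - p)!}` where the expansion below uses 2; `CITE PRICE MULTIPLE FAILURE PAPER.` is a placeholder and `\section{Double failure analysis}` otherwise has no body; `\begin{table}[h+]` is not a valid float placement specifier and the caption `Pt100 FMEA Single // Fault Statistics` carries a stray `//`; the second `\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}` heading is empty and duplicates the earlier one, and TC 1 uses `\subparagraph` where TC 2 to TC 6 use `\paragraph`; the FIT `\glossary` entry is emitted three times; the sentence "We use equation \ref{eqn:correctedccps2} to verify complete coverage for a given cardinality constraint is not visually obvious." needs rephrasing; and the spellings `Pt00`, `analyis`, `Symtom`, `co-effecient`, `Probablistic`, `sumations`, `proscribed` (prescribed) and "current flowing though" (through) should be corrected.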