robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Started on Chapter 5

Browse Source
This commit is contained in:
Robin Clark 2012-09-08 21:41:34 +01:00
parent 86f86b316e
commit 7a3fb7549d
3 changed files with 1126 additions and 1088 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
submission_thesis/CH4_FMMD/copy.tex
View File

@ -972,7 +972,7 @@ represents the failure mode behaviour of the non-inverting amplifier.
% HTR 05SEP2012 \end{figure}
%
%
We can represent the analysis sstages of INVAMP as an Euler diagram,
We can represent the analysis stages of INVAMP as an Euler diagram,
showing the choice of de-composition of the system into {\fgs}.}
%where the curves
%define the components and {\dcs} used to form the INVAMP model, see figure~\ref{fig:eulerfmmd}.
@ -1507,13 +1507,14 @@ directly to system level failure. The reasoning given is typically one line
on a spreadsheet entry~\cite{sccs}[p.38]. % (if we are lucky!).
%
FMMD typically has several reasoning stages from {\dc} {\fms} to system level failure modes.
%
Thus, each possible cause for a system {\fm} will have a collection of analysis reports associated with it.
%
These collections of analysis reports will provide a cause and effect
story for each possible scenario that could cause the system level failure.
%
This increases the traceability---or documented paper trail---for the understanding of the
failure event causes.
This increases the traceability---or documented paper trail---for the understanding the
failure event causes and potentially for use in diagnostics.
%
We may now use the {\em INVAMP} {\dc} in even higher level {\fgs}.
@ -2139,3 +2140,6 @@ The abstraction level concept is formally defined in section~\ref{sec:abstractio
\section{Conclusion}
Tie into wish list at end of chapter 3.

1249
submission_thesis/CH5_Examples/copy.tex
View File

File diff suppressed because it is too large Load Diff

955
submission_thesis/CH6_Evaluation/copy.tex
View File

@ -1,5 +1,16 @@
\section*{Metrics}
%
% Moving Pt100 to metrics
%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical
%failure mode classification % analysis for top level events traced back to {\bc} failure modes
%and the analysis of double simultaneous failure modes.
%
\section{Defining the concept of `comparison~complexity' in FMEA}
\label{sec:cc}
%
@ -247,10 +258,947 @@ $$
% \subsection{Exponential squared to Exponential}
%
% can I say that ?
\clearpage
\section{Pt100 Analysis: FMMD and Mean Time to Failure (MTTF) statistics}
\label{sec:Pt100}
{
This section
% shows a practical example of
% one `symptom~abstraction' stage in the FMMD process.
% We take a functional group of base components,
% and using their failure modes, analyse the circuit
% to find failure symptoms.
% These failure symptoms are used to define
% a derived component.
%
demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows
how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms.
\section{Problems in choosing membership of functional groups}
\subsection{Side Effects: A Problem for FMMD analysis}
For this example we look at an industry standard temperature measurement circuit,
the Pt100.
The circuit is described and then analysed using the FMMD methodology.
%A derived component, representing this circuit is then presented.
The Pt100, or platinum wire \ohms{100} sensor is
a widely used industrial temperature sensor that is
slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This section looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double faults (cardinality constrained powerset of 2).
\ifthenelse {\boolean{pld}}
{
The section is performed using Propositional Logic
diagrams to assist the reasoning process.
}
{
}
This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole.
Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed
from an FMEA perspective as a component itself, with a set of known failure modes.
}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 four wire circuit}
\label{fig:Pt100}
\end{figure}
\subsection{General Description of Pt100 four wire circuit}
The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two.
By measuring voltages
from sections of this circuit forming potential dividers, we can determine the
resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 expected voltage ranges}
\label{fig:Pt100vrange}
\end{figure}
The voltage ranges we expect from this three stage potential divider\footnote{
two stages are required for validation, a third stage is used to measure the current flowing
through the circuit to obtain accurate temperature readings}
are shown in figure \ref{fig:Pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be referred to as {\em sense-}
and the higher as {\em sense+}.
\paragraph{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables. Resistance from the supply
causes a slight voltage
drop in the supply to the $Pt100$. As no significant current
is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
the thermistor only and not the voltage across the thermistor and current supply wire resistance.}.
\paragraph{Calculating Temperature from the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the $Pt100$, we can calculate its
resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published $Pt100$ tables\cite{eurothermtables}.
The standard voltage divider equations (see figure \ref{fig:vd} and
equation \ref{eqn:vd}) can be used to calculate
expected voltages for failure mode and temperature reading purposes.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the $Pt100$ four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distinct ways.
Studies have been published which list common component types
and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}.
Thus for each component, an analysis is made for each of its failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\fmodegloss
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.}
\label{fmea}
The Pt00 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires.
Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A]
, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone
in the diagram, we consider this a fault.
Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'.
Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range {0\oc} to {300\oc} will be analysed using potential divider equations to
determine out of range voltage limits in section~\ref{sec:ptbounds}.
\begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{Pt100range}
and \ref{Pt100temp}.
%\paragraph{Consideration of Resistor Tolerance}
%
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not
%altered due to having to pass any significant current.
%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
%One or other of the load resistors (the one we measure current over) should also
%be of this accuracy.
%
%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient
%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to
%a narrow temperature range anyway, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}}
%To calculate the resistance of the Pt100 element % (and thus derive its temperature),
%having the voltage over it, we now need the current.
%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop.
%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables).
%We can calculate the current by reading
%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.}
%As these calculations are performed by ohms law, which is linear, the accuracy of the reading
%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
%take the mean square error of these accuracy figures.
\paragraph{Range and $Pt100$ Calculations}
\label{Pt100temp}
$Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm Pt100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
Pt100 FMEA analysis in section \ref{fmea}.
As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$
\begin{table}[ht]
\caption{Pt100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{Pt100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
\paragraph{Consideration of Resistor Tolerance.}
%
\label{sec:ptbounds}
The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by having to pass any significant current. The current is supplied
by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative.
%
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one over which we measure current) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
%
The \ohms{2k2} loading resistors should have a good temperature co-effecient
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop.
%
Lets use, for the sake of example $R_2$ to measure the current.
%
We can calculate the current $I$, by reading
the voltage over the known resistor $R_2$ and using ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use ohms law again to calculate
the resistance of $R_3$.
%
As ohms law is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
take the mean square error of these accuracy figures~\cite{easp}.
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\ifthenelse{\boolean{pld}}
{
\paragraph{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram.
Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only
and are thus enclosed by one contour each.
\fmodegloss
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc}
\end{figure}
} % \ifthenelse {\boolean{pld}}
%ating input Fault
This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.
\paragraph{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subparagraph{ TC 1 : Voltages $R_1$ SHORT }
With Pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 3 : Voltages $R_2$ SHORT }
With Pt100 at 0\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 4 : Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range.
\paragraph{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\paragraph{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
A spider can be drawn on the PLD diagram to this effect.
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.
\ifthenelse{\boolean{pld}}
{
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc_sp}
\end{figure}
}
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a
fault condition is very good with this circuit.This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:Pt100_singlef}
\end{figure}
}
%From the single faults (cardinality constrained powerset of 1) analysis, we can now create
%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \}
%as its single failure mode.
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ???
%\clearpage
\subsection{Mean Time to Failure}
Now that we have a model for the failure mode behaviour of the Pt100 circuit
we can look at the statistics associated with each of the failure modes.
The DOD electronic reliability of components
document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating
the
%$\frac{failures}{{10}^6}$
${failures}/{{10}^6}$ % looks better
in hours for a wide range of generic components
\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F
can give conservative reliability figures when applied to
modern components}.
%
Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor
failure statistics, we calculate the reliability of this circuit.
\paragraph{Resistor FIT Calculations}
The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor
is reproduced in equation \ref{resistorfit}. The meanings
and values assigned to its co-efficients are described in table \ref{tab:resistor}.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\fmodegloss
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
\label{resistorfit}
\end{equation}
\begin{table}[ht]
\caption{Fixed film resistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\em{Parameter} & \em{Value} & \em{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:resistor}
\end{table}
Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor}
give the following failures in ${10}^6$ hours:
\begin{equation}
0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours}
\label{eqn:resistor}
\end{equation}
While MIL-HDBK-217F gives MTTF for a wide range of common components,
it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses.
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example
compromises and uses a 90:10 ratio, for resistor failure.
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$)
hours of operation (see equation \ref{eqn:resistor}).
This figure is referred to as a FIT\footnote{FIT values are measured as the number of
failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the
FIT number the more reliable the fault~mode} Failure in time.
The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in
equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}.
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
\label{thermistorfit}
\end{equation}
\begin{table}[ht]
\caption{Bead type Thermistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\em{Parameter} & \em{Value} & \em{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
%${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:thermistor}
\end{table}
\begin{equation}
0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours}
\label{eqn:thermistor}
\end{equation}
Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0
Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
showing the FIT values for all faults considered.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\begin{table}[h+]
\caption{Pt100 FMEA Single // Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline
\hline
TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline
TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline
\hline
TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline
TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline
\hline
TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\
TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline
\hline
\end{tabular}
\label{tab:stat_single}
\end{table}
The FIT for the circuit as a whole is the sum of MTTF values for all the
test cases. The Pt100 circuit here has a FIT of 342.6. This is a MTTF of
about 360 years per circuit.
A probabilistic tree can now be drawn, with a FIT value for the Pt100
circuit and FIT values for all the component fault modes from which it was calculated.
We can see from this that the most likely fault is the thermistor going OPEN.
This circuit is around 10 times more likely to fail in this way than in any other.
Were we to need a more reliable temperature sensor, this would probably
be the fault~mode we would scrutinise first.
\begin{figure}[h+]
\centering
\includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png}
% stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327
\caption{Probablistic Fault Tree : Pt100 Single Faults}
\label{fig:stat_single}
\end{figure}
The Pt100 analysis presents a simple result for single faults.
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.
\section{Double failure analysis}
CITE PRICE MULTIPLE FAILURE PAPER.
%\clearpage
\section{ Pt100 Double Simultaneous Fault Analysis}
\label{sec:Pt100d}
In this section we examine the failure mode behaviour for all single
faults and double simultaneous faults.
This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of
the failure modes in the functional group.
All the single faults have already been proved in the last section.
For the next set of test cases, let us again hypothesise
the failure modes, and then examine each one in detail with
potential divider equation proofs.
Table \ref{tab:ptfmea2} lists all the combinations of double
faults and then hypothesises how the functional~group will react
under those conditions.
\begin{table}[ht]
\caption{Pt100 FMEA Double Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|l|c|c|l|l||}
\hline \hline
\textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline
TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline
TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline
\hline
TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline
\hline
TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline
TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline
TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline
\hline
\end{tabular}
\label{tab:ptfmea2}
\end{table}
\subsection{Verifying complete coverage for a cardinality constrained powerset of 2}
\fmodegloss
It is important to check that we have covered all possible double fault combinations.
We can use the equation \ref{eqn:correctedccps2}
\ifthenelse {\boolean{paper}}
{
from the definitions paper
\ref{pap:compdef}
,
reproduced below to verify this.
\indent{
where:
\begin{itemize}
\item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes.
\item The indexed set $C_j$ represents all components in set $SU$.
\item The function $FM$ takes a component as an argument and returns its set of failure modes.
\item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults.
\end{itemize}
}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
\label{eqn:correctedccps2}
\end{equation}
}
{
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
%\label{eqn:correctedccps2}
\end{equation}
}
$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes.
%
% Factorial of zero is one ! You can only arrange an empty set one way !
Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2.
%is always 2 for this circuit, as all the components are resistors and have two failure modes.
\begin{equation}
|{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}}
- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} }
%\label{eqn:correctedccps2}
\end{equation}
$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check
under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time).
Expanding the sumations
$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$
$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$
As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double)
we can be confident that we have looked at all `double combinations' of the possible faults
in the Pt100 circuit. The next task is to investigate
these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.
%\paragraph{Proof of Double Faults Hypothesis}
\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN }
\label{Pt100:bothfloating}
This double fault mode produces an interesting symptom.
Both sense lines are floating.
We cannot know what the {\adctw} readings on them will be.
%
In practise these would probably float to low values
but for the purpose of a safety critical analysis,
all we can say is that the values are `floating' and `unknown'.
This is an interesting case, because it is, at this stage an undetectable---or unobservable---
fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{unobservability}.
%that must be handled.
\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT }
This cuts the supply from Vcc. Both sense lines will be at zero.
Thus both values will be out of range.
\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN }
Sense- will be floating.
Sense+ will be tied to Vcc and will thus be out of range.
\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT }
This shorts ground to
both of the sense lines.
Both values will be out of range.
\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN }
This shorts both sense lines to Vcc.
Both values will be out of range.
\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN }
This shorts the sense+ to Vcc and causes sense- to float.
The sense+ value will be out of range.
\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN }
This shorts the sense- to Ground.
The sense- value will be out of range.
\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
%\clearpage
\ifthenelse{\boolean{pld}}
{
\subsection{Double Faults Represented on a PLD Diagram}
We can show the test cases on a diagram with the double faults residing on regions
corresponding to overlapping contours see figure \ref{fig:plddouble}.
Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddouble}
\end{figure}
We use equation \ref{eqn:correctedccps2} to verify complete coverage for
a given cardinality constraint is not visually obvious.
%
From the diagram it is easy to verify
the number of failure modes considered for each test case, but
not that all for a given cardinality constraint have been included.
}
{
}
\paragraph{Symptom Extraction}
We can now examine the results of the test case analysis and apply symptom abstraction.
In all the test case results we have at least one out of range value, except for
$TC\_7$
which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$,
into the symptom $OUT\_OF\_RANGE$.
As a symptom $TC\_7$ could be described as $FLOATING$.
\ifthenelse{\boolean{pld}}
{
We can thus draw a PLD diagram representing the
failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures,
in figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddoublesymptom}
\end{figure}
} %% \ifthenelse {\boolean{pld}}
{
}
%\clearpage
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes,
{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}.
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Double Faults Analysis}
\label{fig:Pt100_doublef}
\end{figure}
} % \ifthenelse {\boolean{pld}}
{
}
\subsection{Statistics}
%%
%% Need to talk abou the `detection time'
%% or `Safety Relevant Validation Time' ref can book
%% EN61508 gives detection calculations to reduce
%% statistical impacts of failures.
%%
If we consider the failure modes to be statistically independent we can calculate
the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition
requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF
together and find an MTTF for both failing. The FIT value of 12.42 corresponds to
$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $.
This is an astronomically small MTTF, and so small that it would
probably fall below a threshold to sensibly consider.
However, it is very interesting from a failure analysis perspective,
because here we have found a fault that we cannot detect at this
level. This means that should we wish to cope with
this fault, we need to devise a way of detecting this
condition in higher levels of the system.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}
\section{Critiques}
\subsection{Problems in choosing membership of functional groups}
\subsubsection{Side Effects: A Problem for FMMD analysis}
A problem with modularising according to functionality is that we can have component failures that would
intuitively be associated with one {\fg} that may cause unintended side effects in other
{\fgs}.
@ -299,8 +1247,5 @@ It does uncover a weakness in the FMMD methodology though.
It could be very easy to miss the side effect and include
the component causing the side effect into the wrong {\fg}, or only one germane {\fg}.
\section{Critiques}
\section{Evaluation}