Big move around... me no like....

Still to do.
Tidy the Pt100 analysis
Make a table of CC for all chapter 5 examples
other stuff
This commit is contained in:
Robin Clark 2013-01-31 15:42:18 +00:00
parent 1339bcffe9
commit 7bcf4601db
4 changed files with 1553 additions and 1494 deletions


@ -1844,6 +1844,753 @@ We now show the final {\dc} hierarchy in figure~\ref{fig:eulersdfinal}.
The \sd example, shows that FMMD can be applied to mixed digital and analogue circuitry.
\clearpage
\section{Pt100 Analysis: FMMD and Mean Time to Failure (MTTF) statistics}
\label{sec:Pt100}
{
%This section
% shows a practical example of
% one `symptom~abstraction' stage in the FMMD process.
% We take a functional group of base components,
% and using their failure modes, analyse the circuit
% to find failure symptoms.
% These failure symptoms are used to define
% a derived component.
%
%demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows
%how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms.
%%
%% STATS MOVED TO FUTURE WORK
%%
For this example we look at an industry standard temperature measurement circuit,
the Pt100. The four wire Pt100 configuration commonly used well known safety critical circuit.
Applying FMMD lets us look at this circuit in a fresh light.
It also demonstrates FMMD coping with component parameter tolerances.
The circuit is described traditionally and then analysed using the FMMD methodology.
%A derived component, representing this circuit is then presented.
The Pt100, or platinum wire \ohms{100} sensor is
a widely used industrial temperature sensor that is
slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
%
%This section looks at the most common configuration, the
%four wire circuit, and analyses it from an FMEA perspective twice.
FMMD is performed twice on this circuit
firstly considering single faults only
%(cardinality constrained powerset of 1)
and again, considering the
possibility of double faults. % (cardinality constrained powerset of 2).
%
% \ifthenelse {\boolean{pld}}
% {
% The section is performed using Propositional Logic
% diagrams to assist the reasoning process.
% }
% {
% }
%
% This chapter describes taking
% the failure modes of the components, analysing the circuit using FMEA
% and producing a failure mode model for the circuit as a whole.
% Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed
% from an FMEA perspective as a component itself, with a set of known failure modes.
% }
%
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 four wire circuit}
\label{fig:Pt100}
\end{figure}
\subsection{General Description of Pt100 four wire circuit}
The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two.
By measuring voltages
from sections of this circuit forming potential dividers, we can determine the
resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
%
%
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 expected voltage ranges}
\label{fig:Pt100vrange}
\end{figure}
%
%
The voltage ranges we expect from this three stage potential divider\footnote{
two stages are required for validation, a third stage is used to measure the current flowing
through the circuit to obtain accurate temperature readings}
are shown in figure \ref{fig:Pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be referred to as {\em sense-}
and the higher as {\em sense+}.
\paragraph{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables. Resistance from the supply
causes a slight voltage
drop in the supply to the $Pt100$. As no significant current
is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
the thermistor only and not the voltage across the thermistor and current supply wire resistance.}.
\paragraph{Calculating Temperature from the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the $Pt100$, we can calculate its
resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published $Pt100$ tables\cite{eurothermtables}.
The standard voltage divider equations (see figure \ref{fig:vd} and
equation \ref{eqn:vd}) can be used to calculate
expected voltages for failure mode and temperature reading purposes.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the $Pt100$ four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distinct ways.
Studies have been published which list common component types
and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}.
Thus for each component, an analysis is made for each of its failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\fmodegloss
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.}
\label{fmea}
The Pt100 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires.
Resistors, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone
in the diagram, we consider this a fault.
Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'.
Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range {0\oc} to {300\oc} will be analysed using potential divider equations to
determine out of range voltage limits in section~\ref{sec:ptbounds}.
\begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{Pt100range}
and \ref{Pt100temp}.
%\paragraph{Consideration of Resistor Tolerance}
%
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not
%altered due to having to pass any significant current.
%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
%One or other of the load resistors (the one we measure current over) should also
%be of this accuracy.
%
%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient
%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to
%a narrow temperature range anyway, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}}
%To calculate the resistance of the Pt100 element % (and thus derive its temperature),
%having the voltage over it, we now need the current.
%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop.
%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables).
%We can calculate the current by reading
%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.}
%As these calculations are performed by ohms law, which is linear, the accuracy of the reading
%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
%take the mean square error of these accuracy figures.
\paragraph{Range and $Pt100$ Calculations}
\label{Pt100temp}
$Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm Pt100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
Pt100 FMEA analysis in section \ref{fmea}.
As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$
\begin{table}[ht]
\caption{Pt100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{Pt100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
\paragraph{Consideration of Resistor Tolerance.}
%
\label{sec:ptbounds}
The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by having to pass any significant current. The current is supplied
by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative.
%
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one over which we measure current) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
%
The \ohms{2k2} loading resistors should have a good temperature co-effecient
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop.
%
Lets use, for the sake of example, $R_2$ to measure the current.
%
We can calculate the current $I$, by reading
the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate
the resistance of $R_3$.
%
As Ohms law is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
take the mean square error of these accuracy figures~\cite{probstat}.
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\ifthenelse{\boolean{pld}}
{
\paragraph{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram.
Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only
and are thus enclosed by one contour each.
\fmodegloss
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc}
\end{figure}
} % \ifthenelse {\boolean{pld}}
%ating input Fault
This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.
\paragraph{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subparagraph{ TC 1 : Voltages $R_1$ SHORT }
With Pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 3 : Voltages $R_2$ SHORT }
With Pt100 at 0\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
%
Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 4 : Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range.
\paragraph{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\paragraph{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
%
% A spider can be drawn on the PLD diagram to this effect.
%
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.
\ifthenelse{\boolean{pld}}
{
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc_sp}
\end{figure}
}
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a
fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:Pt100_singlef}
\end{figure}
}
%From the single faults (cardinality constrained powerset of 1) analysis, we can now create
%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \}
%as its single failure mode.
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ???
%\clearpage
\section{Double failure analysis}
%CITE PRICE MULTIPLE FAILURE PAPER.
%\clearpage
\section{ Pt100 Double Simultaneous Fault Analysis}
\label{sec:Pt100d}
In this section we examine the failure mode behaviour for all single
faults and double simultaneous faults.
This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of
the failure modes in the functional group.
All the single faults have already been proved in the last section.
For the next set of test cases, let us again hypothesise
the failure modes, and then examine each one in detail with
potential divider equation proofs.
Table \ref{tab:ptfmea2} lists all the combinations of double
faults and then hypothesises how the functional~group will react
under those conditions.
\begin{table}[ht]
\caption{Pt100 FMEA Double Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|l|c|c|l|l||}
\hline \hline
\textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline
TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline
TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline
\hline
TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline
\hline
TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline
TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline
TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline
\hline
\end{tabular}
\label{tab:ptfmea2}
\end{table}
\subsection{Verifying complete coverage for a cardinality constrained powerset of 2}
\fmodegloss
It is important to check that we have covered all possible double fault combinations.
We can use the equation \ref{eqn:correctedccps2}
\ifthenelse {\boolean{paper}}
{
from the definitions paper
\ref{pap:compdef}
,
reproduced below to verify this.
\indent{
where:
\begin{itemize}
\item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes.
\item The indexed set $C_j$ represents all components in set $SU$.
\item The function $FM$ takes a component as an argument and returns its set of failure modes.
\item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults.
\end{itemize}
}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
\label{eqn:correctedccps2}
\end{equation}
}
{
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
%\label{eqn:correctedccps2}
\end{equation}
}
$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes.
%
% Factorial of zero is one ! You can only arrange an empty set one way !
Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2.
%is always 2 for this circuit, as all the components are resistors and have two failure modes.
\begin{equation}
|{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}}
- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} }
%\label{eqn:correctedccps2}
\end{equation}
$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check
under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time).
Expanding the sumations
$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$
$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$
As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double)
we can be confident that we have looked at all `double combinations' of the possible faults
in the Pt100 circuit. The next task is to investigate
these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.
%\paragraph{Proof of Double Faults Hypothesis}
\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN }
\label{Pt100:bothfloating}
This double fault mode produces an interesting symptom.
Both sense lines are floating.
We cannot know what the {\adctw} readings on them will be.
%
In practise these would probably float to low values
but for the purpose of a safety critical analysis,
all we can say is that the values are `floating' and `unknown'.
This is an interesting case, because it is, at this stage an undetectable---or unobservable---
fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{ACS:ACS1297,721666}.
%that must be handled.
\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT }
This cuts the supply from Vcc. Both sense lines will be at zero.
Thus both values will be out of range.
\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN }
Sense- will be floating.
Sense+ will be tied to Vcc and will thus be out of range.
\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT }
This shorts ground to
both of the sense lines.
Both values will be out of range.
\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN }
This shorts both sense lines to Vcc.
Both values will be out of range.
\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN }
This shorts the sense+ to Vcc and causes sense- to float.
The sense+ value will be out of range.
\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN }
This shorts the sense- to Ground.
The sense- value will be out of range.
\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
%\clearpage
\ifthenelse{\boolean{pld}}
{
\subsection{Double Faults Represented on a PLD Diagram}
We can show the test cases on a diagram with the double faults residing on regions
corresponding to overlapping contours see figure \ref{fig:plddouble}.
Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddouble}
\end{figure}
We use equation \ref{eqn:correctedccps2} to verify complete coverage for
a given cardinality constraint is not visually obvious.
%
From the diagram it is easy to verify
the number of failure modes considered for each test case, but
not that all for a given cardinality constraint have been included.
}
{
}
\paragraph{Symptom Extraction}
We can now examine the results of the test case analysis and apply symptom abstraction.
In all the test case results we have at least one out of range value, except for
$TC\_7$
which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$,
into the symptom $OUT\_OF\_RANGE$.
As a symptom $TC\_7$ could be described as $FLOATING$.
\ifthenelse{\boolean{pld}}
{
We can thus draw a PLD diagram representing the
failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures,
in figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddoublesymptom}
\end{figure}
} %% \ifthenelse {\boolean{pld}}
{
}
%\clearpage
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes,
{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}.
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Double Faults Analysis}
\label{fig:Pt100_doublef}
\end{figure}
} % \ifthenelse {\boolean{pld}}
{
}
% The resistors R1, R2 form a summing junction
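Review bot: the prose for TC 18 (`This shorts the sense+ and sense- to Vcc.`) contradicts its own row in table \ref{tab:ptfmea2}, which gives `low & low`; with $R_2$ and $R_3$ both shorted, both sense lines are tied to ground (sense+ is the node between $R_1$ and the Pt100, sense- the node between the Pt100 and $R_2$, per the `highreading`/`lowreading` equations), so the table is right and the sentence looks copied from TC 16. TC 9 has the same problem the other way round: the text says sense- floats and sense+ is tied to Vcc, but with $R_1$ OPEN nothing is connected to the 5V rail, so sense+ floats and sense- is pulled low through $R_2$; the table row (`high & low`) needs the same correction. TC 17's text only mentions sense-, while its table row says both values are out of range; the text should state what sense+ does. In TC 3 the second displayed equation is labelled `lowreading` but computes the sense+ voltage (`5V.\frac{100\Omega}{2k2+100\Omega}`), so it should read `highreading`. At the start of section \ref{sec:Pt100d}, `cardinality constrained powerset of one` should be `of two`, since the section and equation \ref{eqn:correctedccps2} use $cc = 2$. The empty `\section{Double failure analysis}` immediately before `\section{ Pt100 Double Simultaneous Fault Analysis}` produces a heading with no body; drop it or merge it into the next heading. Smaller points: the `$R_2$ SHORT` row of table \ref{ptfmea} is missing its `\hline`; `Value Out of Range Value` repeats a word; the first form of equation \ref{eqn:correctedccps2} writes `\sum^{k}_{1..cc}` where the second form's `\sum^{cc}_{k=1}` is the correct notation, and the instantiated version with `\frac{2!}{p!(2 - p)!}` uses an undefined `p` where the expansion below uses 2; `$|FM(C_j)|$ = 2` leaves `= 2` outside maths mode; `pt100` and `Pt100` are mixed in the reading equations; `proscribed` should be `prescribed` throughout; and `analyis`, `Symtom` (twice), `co-effecient`, `sumations`, `Lets`, `Ohms law`, `In practise` and the double full stop in `will be 5V..` need fixing.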

File diff suppressed because it is too large


@ -84,3 +84,214 @@ are added to UML diagram in figure \ref{fig:cfg} are represented in figure \ref
\caption{FMMD UML diagram, incorporating Environmental, Operational State and Inhibit gates}
\label{fig:cfg2}
\end{figure}
%% 31JAN2012
\section{Statistics: From base component failure modes to System level events/failures.}
Knowing the statistical likelihood of a component failing can give a good indication
of the reliability of a system, or in the case of dangerous failures, the Safety Integrity Level
of a system.
EN61508~\cite{en61508} requires that statistical data is available and used for all component failure modes
analysed in a system assigned a SIL level.
FMMD, as a bottom up methodology can use component failure mode statistical data, and incorporate it
into its hierarchical model.
By way of example the Pt100 example from section~\{sec:pt100} has been used to demonstrate this.
\subsection{Pt100 Example: Single Failures and statistical data}. %Mean Time to Failure}
Now that we have a model for the failure mode behaviour of the Pt100 circuit
we can look at the statistics associated with each of the failure modes.
The DOD electronic reliability of components
document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating
the
%$\frac{failures}{{10}^6}$
${failures}/{{10}^6}$ % looks better
in hours for a wide range of generic components
\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F
can give conservative reliability figures when applied to
modern components}.
%
Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor
failure statistics, we calculate the reliability of this circuit.
\paragraph{Resistor FIT Calculations}
The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor
is reproduced in equation \ref{resistorfit}. The meanings
and values assigned to its co-efficients are described in table \ref{tab:resistor}.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\fmodegloss
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
\label{resistorfit}
\end{equation}
\begin{table}[ht]
\caption{Fixed film resistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\em{Parameter} & \em{Value} & \em{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate at {60\oc} \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:resistor}
\end{table}
Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor}
gives the following failure rate in failures per ${10}^6$ hours:
\begin{equation}
0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours}
\label{eqn:resistor}
\end{equation}
While MIL-HDBK-217F gives failure rates for a wide range of common components,
it does not specify how the components will fail (in this case OPEN or SHORT). Some standards, notably EN298, only consider resistors failing in OPEN mode.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses.
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example
compromises and uses a 90:10 ratio for resistor failure.
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
temperatures up to {60\oc} is given a failure rate of 13.8 failures per billion ($10^9$)
hours of operation (see equation \ref{eqn:resistor}).
This figure is referred to as its FIT (Failure In Time) value\footnote{FIT values are measured as the number of
failures per billion (${10}^9$) hours of operation (roughly 114,000 years). The smaller the
FIT number, the more reliable the component or the less likely the failure~mode.}.
Applying the 90:10 split, the resistor's OPEN failure mode is 12.42 FIT and its SHORT failure mode 1.38 FIT.
The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in
equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}.
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
{\lambda}_p = {\lambda}_{b}\,{\pi}_Q\,{\pi}_E \qquad \mbox{(bead thermistor)}
\label{thermistorfit}
\end{equation}
\begin{table}[ht]
\caption{Bead type Thermistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\em{Parameter} & \em{Value} & \em{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
%${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:thermistor}
\end{table}
\begin{equation}
0.021 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours}
\label{eqn:thermistor}
\end{equation}
Thus a bead type, `non~military~spec' thermistor is given a FIT of 315.0;
applying the same 90:10 OPEN:SHORT split gives 283.5 FIT for OPEN and 31.5 FIT for SHORT.
Using these figures we can draw up the following table (table \ref{tab:stat_single}),
showing the FIT values for all faults considered.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\begin{table}[ht]
\caption{Pt100 FMEA Single Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{FIT} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{(failures per $10^9$ hours)} \\
% R & wire & res + & res - & description
\hline
\hline
TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline
TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline
\hline
TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline
TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline
\hline
TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\ \hline
TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline
\hline
\end{tabular}
\label{tab:stat_single}
\end{table}
The FIT for the circuit as a whole is the sum of the FIT values for all the
test cases. The Pt100 circuit here has a FIT of 342.6, i.e. 342.6 failures per $10^9$ hours,
which corresponds to an MTTF of about 333 years per circuit.
A probabilistic tree can now be drawn, with a FIT value for the Pt100
circuit and FIT values for all the component fault modes from which it was calculated.
We can see from this that the most likely fault is the thermistor going OPEN.
This circuit is around 10 times more likely to fail in this way than in any other.
Were we to need a more reliable temperature sensor, this would probably
be the fault~mode we would scrutinise first.
\begin{figure}[ht]
\centering
\includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png}
% stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327
\caption{Probabilistic Fault Tree : Pt100 Single Faults}
\label{fig:stat_single}
\end{figure}
The Pt100 analysis presents a simple result for single faults.
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.
\subsection{Pt100 Example: Double Failures and statistical data}
Because we can perform double simultaneous failure analysis under FMMD
we can also apply failure rate statistics to double failures.
%
%%
%% Need to talk abou the `detection time'
%% or `Safety Relevant Validation Time' ref can book
%% EN61508 gives detection calculations to reduce
%% statistical impacts of failures.
%%
%
If we consider the failure modes to be statistically independent we can calculate
the FIT values for all the combinations of failures in table~\ref{tab:ptfmea2}.
The failure mode of concern, the undetectable {\textbf{FLOATING}} condition,
requires that resistors $R_1$ and $R_2$ both fail. Treating the two failures as independent
we can multiply their failure rates together. The FIT value of 12.42 corresponds to
$12.42 \times {10}^{-9}$ failures per hour; squaring this gives $154.3 \times {10}^{-18}$.
This is an astronomically small figure, so small that it would
probably fall below any threshold sensibly considered.
Note that the product of two rates is not itself a rate: the second failure
must occur while the first is still present, so the likelihood of the double failure
state also depends on how long the first failure can persist undetected, which is not
considered here.
However, it is very interesting from a failure analysis perspective,
because here we have found a fault that we cannot detect at this
level. This means that should we wish to cope with
this fault, we need to devise a way of detecting this
condition in higher levels of the system.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}
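The following Python script is an added worked example and not part of the thesis text. It reproduces the FIT arithmetic of this section: the part failure rate $\lambda_p = \lambda_b \prod \pi$ in failures per $10^6$ hours using the coefficients of tables~\ref{tab:resistor} and~\ref{tab:thermistor}, the 90:10 OPEN:SHORT split, the circuit FIT of table~\ref{tab:stat_single} with its implied MTTF, and the double failure product. The class and function names (\texttt{PartModel}, \texttt{circuit\_fit}, \texttt{double\_failure\_product}) are the example's own.

```python
"""FIT arithmetic for the Pt100 single- and double-fault figures.

Added worked example, not part of the original thesis text.  A part failure
rate is the base rate lambda_b multiplied by the pi adjustment factors, in
failures per 1e6 hours (MIL-HDBK-217F style); FIT is failures per 1e9 hours.
Coefficient values and the OPEN:SHORT split are those quoted in the text.
"""
from dataclasses import dataclass
from math import prod

HOURS_PER_YEAR = 8760.0


@dataclass
class PartModel:
    name: str
    lambda_b: float      # base failure rate, failures per 1e6 hours
    pi_factors: tuple    # adjustment factors (pi_R, pi_Q, pi_E, ...)
    mode_split: dict     # failure mode -> fraction of all failures (sums to 1)

    def lambda_p(self) -> float:
        """Part failure rate in failures per 1e6 hours: lambda_b * product(pi)."""
        return self.lambda_b * prod(self.pi_factors)

    def fit(self) -> float:
        """Failures per 1e9 hours."""
        return self.lambda_p() * 1e3

    def mode_fits(self) -> dict:
        """Apportion the part FIT across its failure modes by the given split."""
        if abs(sum(self.mode_split.values()) - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: mode split must sum to 1")
        return {mode: self.fit() * frac for mode, frac in self.mode_split.items()}


# Coefficients from the tables: non-mil-spec (pi_Q = 15), benign ground (pi_E = 1).
RESISTOR_SPLIT = {"OPEN": 0.9, "SHORT": 0.1}
R1 = PartModel("R1", 0.00092, (1.0, 15.0, 1.0), RESISTOR_SPLIT)
R2 = PartModel("R2", 0.00092, (1.0, 15.0, 1.0), RESISTOR_SPLIT)
# The thermistor formula has no pi_R term.
R3 = PartModel("R3 (thermistor)", 0.021, (15.0, 1.0), RESISTOR_SPLIT)
PT100_PARTS = (R1, R3, R2)


def single_fault_table(parts=PT100_PARTS) -> list:
    """(part, mode, FIT) for every single failure mode, most likely first."""
    rows = [(p.name, mode, fit) for p in parts for mode, fit in p.mode_fits().items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def circuit_fit(parts=PT100_PARTS) -> float:
    """Circuit FIT: the sum of the FIT of every single failure mode considered."""
    return sum(fit for _, _, fit in single_fault_table(parts))


def mttf_years(fit: float) -> float:
    """Mean time to failure implied by a constant rate of `fit` failures per 1e9 hours."""
    return 1e9 / fit / HOURS_PER_YEAR


def double_failure_product(fit_a: float, fit_b: float) -> float:
    """Product of two per-hour rates, as used in the text for the FLOATING condition.

    The result has units of 1/hour^2 and is a comparative figure only; turning it
    into a rate for the double-failure state would need the time the first
    failure can persist undetected, which the text does not model.
    """
    return (fit_a * 1e-9) * (fit_b * 1e-9)


if __name__ == "__main__":
    for name, mode, fit in single_fault_table():
        print(f"{name:16s} {mode:5s} {fit:8.2f} FIT")
    total = circuit_fit()
    print(f"circuit FIT {total:.1f}, MTTF about {mttf_years(total):.0f} years")
    open_fit = R1.mode_fits()["OPEN"]
    print(f"R1 OPEN and R2 OPEN product: {double_failure_product(open_fit, open_fit):.3e} /h^2")
```

Running the script lists the six test cases in descending order of FIT, with the thermistor OPEN case first, and prints the circuit FIT together with the MTTF it implies.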

%%%% FORMAL DEFINITIONS %%%% THESE MIGHT BE MOVED TO AN APPENDIX
\chapter{Formal Definitions}
\label{sec:formalfmmd}
\section{An algebraic notation for identifying FMMD entities}
Consider all `components' to exist as
members of a set $\mathcal{C}$.
%
Each component $c$ has an associated set of failure modes.
We can define a function $fm$ that returns a
set of failure modes $F$, for the component $c$.
Let the set of all possible components be $\mathcal{C}$
and let the set of all possible failure modes be $\mathcal{F}$.
We now define the function $fm$
as
\begin{equation}
\label{eqn:fm}
fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}.
\end{equation}
This is defined by, where $c$ is a component and $F$ is a set of failure modes,
$ fm ( c ) = F. $
We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection
of components.
%We thus define $FG$ as a set of chosen components defining
%a {\fg}; all functional groups
We can state that
{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $
We can overload the $fm$ function for a functional group {\FG}
where it will return all the failure modes of the components in {\FG}
given by
$$ fm ({\FG}) = F. $$
Generally, where $\mathcal{{\FG}}$ is the set of all functional groups,
\begin{equation}
fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}.
\end{equation}
\section{Relationships between functional~groups and failure modes}
Let the set of all possible components be $\mathcal{C}$
and let the set of all possible failure modes be $\mathcal{F}$, and $\mathcal{PF}$
is the power-set of $\mathcal{F}$.
In order to analyse failure mode effects we need to be able to determine the
failure modes of a component. We define a function $fm$ to perform this (see equation~\ref{eqn:fmset}).
\label{fmdef}
\begin{equation}
fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}
\label{eqn:fmset}
\end{equation}
%%
% Above def gives below anyway
%
%The is defined by equation \ref{eqn:fminstance}, where C is a component and F is a set of failure modes.
%
%\begin{equation}
% fm ( C ) = F
% \label{eqn:fminstance}
%\end{equation}
\paragraph{Finding all failure modes within the functional group.}
For FMMD failure mode analysis we need to consider the failure modes
from all the components in a functional~group.
In a functional group we have a collection of components
which have associated failure mode sets.
We need to collect the failure mode sets from the components and place them all
into a single set; this can be termed flattening the set of sets.
%%Consider the components in a functional group to be $C_1...C_N$.
The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components
in the functional~group and taking the union of them thus:
%%$$ FSF = \bigcup_{j=1}^{N} fm(C_j) $$
$$ FSF = \bigcup_{c \in FG} fm(c) \; .$$
We can actually overload the notation for the function $fm$ % FM
and define it for the set of components within a functional group $\mathcal{FG}$ (i.e. where $\mathcal{FG} \subset \mathcal{C} $)
in equation \ref{eqn:fmoverload}.
\begin{equation}
fm : \mathcal{FG} \rightarrow \mathcal{P}\mathcal{F}
\label{eqn:fmoverload}
\end{equation}
\section{Unitary State Component Failure Mode sets}
\label{sec:unitarystate}
\paragraph{Design Decision/Constraint}
An important factor in defining a set of failure modes is that they
should represent the failure modes as simply and minimally as possible.
It should not be possible, for instance, for
a component to have two or more failure modes active at once.
Were this to be the case, we would have to consider additional combinations of
failure modes within the component.
Having a set of failure modes where $N$ modes could be active simultaneously
would mean having to consider an additional $2^N - N - 1$ failure mode scenarios, one for each combination of two or more modes.
Should a component be analysed and simultaneous failure mode cases exist,
the combinations could be represented by new failure modes, or
the component should be considered from a fresh perspective,
perhaps considering it as several smaller components
within one package.
This property, failure modes being mutually exclusive, is termed `unitary state failure modes'
in this study.
This corresponds to the `mutually exclusive' definition in
probability theory~\cite{probstat}.
\begin{definition}
A set of failure modes where only one failure mode
can be active at one time is termed a {\textbf{unitary~state}} failure mode set.
\end{definition}
Let the set of all possible components be $ \mathcal{C}$
and let the set of all possible failure modes be $ \mathcal{F}$.
The set of failure modes of a particular component are of interest
here.
What is required is to define a property for
a set of failure modes where only one failure mode can be active at a time;
or, borrowing the terminology of statistics, where the failure modes in a set $F$
are mutually exclusive events.
We can define a set of failure mode sets called $\mathcal{U}$ to represent this
property for a set of failure modes.
\begin{definition}
We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where
the component failure modes in each of its members are unitary~state.
Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true.
\end{definition}
\section{Component failure modes: Unitary State example}
An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor.
Electrical resistors can fail by going OPEN or SHORTED.
For a given resistor R we can apply the
function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $.
A resistor cannot fail with the conditions open and short active at the same time,
that would be physically impossible! The conditions
OPEN and SHORT are thus mutually exclusive.
Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
%
%
%Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.
% %%%% FORMAL DEFINITIONS %%%% THESE MIGHT BE MOVED TO AN APPENDIX
%
The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $,
therefore
$ fm(R) \in \mathcal{U} $.
We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection
of component failure modes.
We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns
whether a fault mode is active (true) or dormant (false).
We can say that if any pair of fault modes is active at the same time, then the failure mode set is not
unitary state:
we state this formally
\begin{equation}
\exists f_1,f_2 \in F \; ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} .
\end{equation}
That is to say that it is impossible that any pair of failure modes can be active at the same time
for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$.
Note where there are more than two failure~modes,
by banning any pairs from being active at the same time,
we have banned larger combinations as well.
\subsection{Design Rule: Unitary State}
All components must have unitary state failure modes to be used with the FMMD methodology and
for base~components this is usually the case. Most simple components fail in one
clearly defined way and generally stay in that state.
However, where a complex component is used, for instance a microcontroller
with several modules that could all fail simultaneously, a process
of reduction into smaller theoretical components will have to be made.
We can term this `heuristic~de-composition'.
A modern micro-controller will typically have several modules, which are configured to operate on
pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}.
For instance the voltage reading functions which consist
of an ADC multiplexer and ADC can be considered to be components
inside the micro-controller package.
The micro-controller thus becomes a collection of smaller components
that can be analysed separately~\footnote{It is common for the signal paths
in a safety critical product to be traced, and when entering a complex
component like a micro-controller, the process of heuristic de-composition
is then applied to it.}.
\paragraph{Reason for Constraint.} Were this constraint not applied,
each component would contribute not $N$ failure modes to consider but potentially
$2^N - 1$, one for each non-empty combination of its modes.
%
This would make the job of analysing the failure modes
in a {\fg} impractical due to the sheer size of the task.
%Note that the `unitary state' conditions apply to failure modes within a component.
%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos
\section{Handling Simultaneous Component Faults}
For some integrity levels of static analysis, there is a need to consider not only single
failure modes in isolation, but cases where more than one failure mode may occur
simultaneously.
%
Note that the `unitary state' conditions apply to failure modes within a component.
This does not preclude the possibility of two or more components failing simultaneously.
%
%The scenarios presented deal with possibility of two or more components failing simultaneously.
%
It is an implied requirement of EN298~\cite{en298} for instance to
consider double simultaneous faults\footnote{Under the conditions
of LOCKOUT~\cite{en298} in an industrial burner controller that has detected one fault already.
However, from the perspective of static failure mode analysis, this amounts
to dealing with double simultaneous failure modes.}.
%
To generalise, we may need to consider $N$ simultaneous
failure modes when analysing a functional group.
%
This involves finding
all combinations of failures modes of size $N$ and less.
%The Powerset concept from Set theory is useful to model this.
%
The power-set, when applied to a set S is the set of all subsets of S, including the empty set
\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there
is no fault active in the functional~group under analysis.}
and S itself.
%
We augment the power-set concept here to deal with counting the number of
combinations of failures to consider, under the conditions of simultaneous failures.
%
In order to consider combinations for the set S where the number of elements in
each subset of S is $N$ or less, a concept of the `cardinality constrained power-set'
is proposed and described in the next section.
%\pagebreak[1]
\section{Cardinality Constrained Power-set }
\label{ccp}
A Cardinality Constrained power-set is one where subsets of a cardinality greater than a threshold
are not included. This threshold is called the cardinality constraint.
To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$.
Consider the set $S = \{a,b,c\}$.
The power-set of S:
$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$
$\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is
less than or equal to 2.
$$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$
Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is:
$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} . $$
\paragraph{Calculating the number of elements in a cardinality constrained power-set}
A $k$ combination is a subset with $k$ elements.
The number of $k$ combinations (each of size $k$) from a set $S$
with $n$ elements (size $n$) is the binomial coefficient~\cite{probstat} shown in equation \ref{bico}.
\begin{equation}
C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} .
\label{bico}
\end{equation}
To find the number of elements in the cardinality constrained power-set of $S$, with up to $cc$ elements
in each combination sub-set,
we need to sum the combinations
%subtracting $cc$ from the final result
%(repeated empty set counts)
from $1$ to $cc$ thus
%
% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$
%
\begin{equation}
|{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ k! ( |{S}| - k)!} .
\label{eqn:ccps}
\end{equation}
\subsection{Actual Number of combinations to check with Unitary State Fault mode sets}
If all of the fault modes in $S$ were independent,
the cardinality constrained power-set
calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check.
Because sets of failure modes in FMMD analysis are constrained to be unitary state,
the actual number of test cases to check will usually
be less than this.
This is because combinations of faults within a components failure mode set
are impossible under the conditions of unitary state failure mode.
To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations'
for each component in the functional group under analysis.
For a cardinality constraint of 2 these are the ${n \choose 2}$ pairs of failure modes within each
component having $n$ failure modes.
For a higher cardinality constraint it is not enough to also subtract the internal triples and so on:
every larger combination that contains an internal pair (for example an internal pair together with
a failure mode of another component) is impossible too and must be excluded.
\subsubsection{Example: Two Component functional group cardinality Constraint of 2}
For example: suppose we have a simple functional group with two components R and T, of which
$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$
This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set
of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$
For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$),
applying equation \ref{eqn:ccps} gives :-
$$ | P_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15.$$
This is composed of ${5 \choose 1}$
five single fault modes, and ${5 \choose 2}$ ten double fault modes.
However we know that the faults are mutually exclusive within a component.
We must then subtract the number of `internal' component fault combinations
for each component in the functional~group.
For component R there is only one internal component fault that cannot exist
$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has
three fault modes ${3 \choose 2} = 3$.
Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$.
The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified
by listing all the required combinations:
$$ \mathcal{P}_{2}(fm(FG)) = \{
\{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
\}
$$
and whose cardinality is 11. % by inspection
%$$
%|
%\{
% \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \}
%\}
%| = 11
%$$
\pagebreak[1]
\subsubsection{Establishing Formulae for unitary state failure mode
cardinality calculation}
The cardinality constrained power-set in equation \ref{eqn:ccps}, can be modified for % corrected for
unitary state failure modes.
%This is written as a general formula in equation \ref{eqn:correctedccps}.
%\indent{
%To define terms :
%\begin{itemize}
%\item
Let $C$ be a set of components (indexed by $j \in J$)
that are members of the functional group $FG$
i.e. $ \forall j \in J | C_j \in FG $.
%\item
Let $|fm({C}_{j})|$
indicate the number of mutually exclusive fault modes of component $C_j$.
%\item
Let $fm(FG)$ be the collection of all failure modes
from all the components in the functional group.
%\item
Let $SU$ be the set of failure modes from the {\fg} $FG$ where all of its
components $C_j$ are in
`unitary state', i.e. $(SU = fm(FG)) \wedge (\forall j \in J | fm(C_j) \in \mathcal{U}) $, then
%\end{itemize}
%}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {\sum_{j \in J} {|fm({C_{j}})| \choose 2}} .
\label{eqn:correctedccps}
\end{equation}
Expanding the combination in equation \ref{eqn:correctedccps}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum_{j \in J} \frac{|fm({C_j})|!}{2!(|fm({C_j})| - 2)!}} } .
\label{eqn:correctedccps2}
\end{equation}
\paragraph{Use of Equation \ref{eqn:correctedccps2} }
Equation \ref{eqn:correctedccps2} is useful for an automated tool that
would verify that a single or double simultaneous failures model has complete failure mode coverage.
By knowing how many test cases should be covered, and checking the cardinality
associated with the test cases, complete coverage would be verified.
Note that subtracting only the intra-component pairs is exact for a cardinality
constraint of 2; for $cc > 2$ the larger combinations that contain such a pair
must also be excluded, which an enumeration of the allowed combinations handles directly.
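The following Python script is an added worked example, not part of the thesis. It models a {\fg} as a mapping from component name to failure mode list, enumerates the cardinality constrained power-set under the unitary state constraint, and compares that enumeration with equation~\ref{eqn:ccps}, with the pairs-only correction of equation~\ref{eqn:correctedccps2}, and with an exact closed form valid for any $cc$. The two-component group $\{R,T\}$ is the one from the text; the three-component group (components named \texttt{R1}, \texttt{R2}, \texttt{T}) is constructed here to show the $cc=3$ case. All function names are the example's own.

```python
"""Counting the failure mode combinations to check under unitary state.

Added worked example, not from the original text.  A functional group is a
dict mapping a component name to its list of failure modes.  Enumeration is
the ground truth; the closed forms are compared against it.
"""
from itertools import combinations
from math import comb

# The worked example from the text: fm(R) = {R_o, R_s}, fm(T) = {T_o, T_s, T_h}.
EXAMPLE_FG = {"R": ["o", "s"], "T": ["o", "s", "h"]}
# A constructed three-component group used to show the cc = 3 case.
THREE_FG = {"R1": ["o", "s"], "R2": ["o", "s"], "T": ["o", "s", "h"]}


def fm(fg: dict) -> list:
    """Flatten the group's failure modes into (component, mode) pairs."""
    return [(comp, mode) for comp, modes in fg.items() for mode in modes]


def unitary_ccps(fg: dict, cc: int) -> list:
    """All non-empty combinations of size <= cc with at most one mode per component.

    Dropping any combination that contains two modes of the same component is
    exactly the unitary state constraint.
    """
    modes = fm(fg)
    result = []
    for k in range(1, cc + 1):
        for combo in combinations(modes, k):
            comps = [comp for comp, _ in combo]
            if len(set(comps)) == len(comps):
                result.append(frozenset(combo))
    return result


def ccps_size(n: int, cc: int) -> int:
    """|P_cc S| for n independent modes: the sum of C(n, k) for k = 1..cc."""
    return sum(comb(n, k) for k in range(1, cc + 1))


def pairs_corrected_size(fg: dict, cc: int) -> int:
    """The text's correction: subtract the intra-component pairs C(|fm(C_j)|, 2)."""
    n = len(fm(fg))
    return ccps_size(n, cc) - sum(comb(len(modes), 2) for modes in fg.values())


def exact_unitary_size(fg: dict, cc: int) -> int:
    """Exact count for any cc: choose k distinct components and one mode from each.

    This is the sum of the elementary symmetric polynomials e_1..e_cc of the
    per-component mode counts, accumulated one component at a time.
    """
    counts = [len(modes) for modes in fg.values()]
    e = [1] + [0] * len(counts)
    for c in counts:
        for k in range(len(counts), 0, -1):
            e[k] += e[k - 1] * c
    return sum(e[1:cc + 1])


if __name__ == "__main__":
    for fg, cc in ((EXAMPLE_FG, 2), (THREE_FG, 2), (THREE_FG, 3)):
        print(len(fm(fg)), "modes, cc =", cc,
              "enumerated:", len(unitary_ccps(fg, cc)),
              "pairs-corrected:", pairs_corrected_size(fg, cc),
              "exact:", exact_unitary_size(fg, cc))
```

For $cc=2$ all three counts agree (11 for $\{R,T\}$, 23 for the three-component group); for $cc=3$ the enumeration and the exact form give 35 for the three-component group while the pairs-only correction gives 58, because triples such as $\{R1_o, R1_s, T_o\}$ are never subtracted.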
%\paragraph{Multiple simultaneous failure modes disallowed combinations}
%The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs
%of failure modes within components, but also ensuring that combinations across components
%do not involve any pairs of failure modes within the same component.
%%%%- NOT SURE ABOUT THAT !!!!!
%%%- A recursive algorithm and proof is described in appendix \ref{chap:vennccps}.
%%\paragraph{Practicality}
%%Functional Group may consist, typically of four or five components, which typically
%%have two or three failure modes each. Taking a worst case of mutiplying these
%%by a factor of five (the number of failure modes and components) would give
%%$25 \times 15 = 375$
%%
%%
%%
%%\begin{verbatim}
%%
%%# define a factorial function
%%# gives 1 for negative values as well
%%define f(x) {
%% if (x>1) {
%% return (x * f (x-1))
%% }
%% return (1)
%%
%%}
%%define u1(c,x) {
%% return f(c*x)/(f(1)*f(c*x-1))
%%}
%%define u2(c,x) {
%% return f(c*x)/(f(2)*f(c*x-2))
%%}
%%
%%define uc(c,x) {
%% return c * f(x)/(f(2)*f(x-2))
%%}
%%
%%# where c is number of components, and x is number of failure modes
%%# define function u to calculate combinations to check for double sim failure modes
%%define u(c,x) {
%%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2))
%%}
%%
%%
%%\end{verbatim}
%%
\pagebreak[1]
\section{Component Failure Modes and Statistical Sample Space}
%\paragraph{NOT WRITTEN YET PLEASE IGNORE}
A sample space is defined as the set of all possible outcomes.
For a component in FMMD analysis, this set of all possible outcomes is its normal (or `correct')
operating state and all its failure modes.
We can consider failure modes as events in the sample space.
%
When dealing with failure modes, we are not interested in
the state where the component is working correctly or `OK' (i.e. operating with no error).
%
We are interested only in ways in which it can fail.
By definition, while all components in a system are `working~correctly',
that system will not exhibit faulty behaviour.
%
We can say that the OK state corresponds to the empty set.
%
Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is
%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$
$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$
The failure mode set $F$ for a given component or derived~component $C$
is therefore
$ fm(C) = \Omega(C) \backslash \{OK\} $
(or expressed as
$ \Omega(C) = fm(C) \cup \{OK\} $).
The $OK$ statistical case is the (usually) largest in probability, and is therefore
of interest when analysing systems from a statistical perspective.
This is of interest for the application of conditional probability calculations
such as Bayes theorem~\cite{probstat}.
The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian
statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}.
That is to say, a base component or a sub-system failure
has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds
to the probability that a given part failure mode will cause a given system level failure/event.}.
Another way to view this is to consider the failure modes of a
component, with the $OK$ state, as a universal set $\Omega$, where
all sets within $\Omega$ are partitioned.
Figure \ref{fig:partitioncfm} shows a partitioned set representing
component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets
where the OK or empty set condition is included, obey unitary state conditions.
Because the subsets of $\Omega$ are partitioned, we can say these
failure modes are unitary state.
\begin{figure}[h]
\centering
\includegraphics[width=350pt,keepaspectratio=true]{./CH4_FMMD/partitioncfm.png}
% partition.png: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264
\caption{Base Component Failure Modes with OK mode as partitioned set}
\label{fig:partitioncfm}
\end{figure}
\section{Components with Independent failure modes}
Suppose that we have a component that can fail simultaneously
with more than one failure mode.
This would make it seemingly impossible to model as `unitary state'.
\paragraph{De-composition of complex component.}
There are two ways in which we can deal with this.
We could consider the component a composite
of two simpler components, and model their interaction to
create a derived component.
\ifthenelse {\boolean{paper}}
{
This technique is outside the scope of this paper.
}
{
%This technique is dealt in section \ref{sec:symtomabstraction} which shows how derived components may be assembled.
}
\begin{figure}[h]
\centering
\includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco.png}
% compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
\caption{Component with three failure modes as partitioned sets}
\label{fig:combco}
\end{figure}
\paragraph{Combinations become new failure modes.}
Alternatively, we could consider the combinations
of the failure modes as new failure modes.
We can model this using an Euler diagram representation of
an example component with three failure modes\footnote{$OK$ is really the empty set, but the term $OK$ is more meaningful in
the context of component failure modes.} $\{ B_1, B_2, B_3, OK \}$; see figure \ref{fig:combco}.
For the purpose of example let us consider $\{ B_2, B_3 \}$
to be intrinsically mutually exclusive, but $B_1$ to be independent.
This means that we have the possibility of two new combinations,
$ B_1 \cap B_2$ and $ B_1 \cap B_3$.
We can represent these
as shaded sections of figure \ref{fig:combco2}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco2.png}
% compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
\caption{Component with three failure modes where $B_1$ is independent}
\label{fig:combco2}
\end{figure}
We can calculate the probabilities for the shaded areas,
assuming the failure modes are statistically independent,
by multiplying the probabilities of the members of the intersection.
We use the function $P$ to return the probability of a
failure mode, or of a combination thereof.
Thus $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and $P(B_1 \cap B_3) = P(B_1)P(B_3)$.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco3.png}
% compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247
\caption{Component with two new failure modes}
\label{fig:combco3}
\end{figure}
We can now consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}).
Because of the combinations, the probabilities for the failure modes
$B_1, B_2$ and $B_3$ will now reduce.
We use the prime character ($\; \prime \;$) to represent the altered value for a failure mode, i.e.
$B_1^\prime$ represents the altered value for $B_1$.
Thus
$$ P(B_1^\prime) = P(B_1) - P(B_1 \cap B_2) - P(B_1 \cap B_3)\; , $$
$$ P(B_2^\prime) = P(B_2) - P(B_1 \cap B_2) \; \mbox{and} $$
$$ P(B_3^\prime) = P(B_3) - P(B_1 \cap B_3) \; . $$
We now have two new component failure modes, $B_4$ and $B_5$, shown in figure \ref{fig:combco3}.
We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P(B_1 \cap B_2)$.
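The re-partitioning described above (one independent failure mode $B_1$ alongside the mutually exclusive pair $B_2, B_3$), carried through numerically as an added worked example; this is not code from the thesis or from any FMMD tool, and the three input probabilities are constructed sample values, not figures taken from the text. The function returns the new unitary-state partition $\{B_1^\prime, B_2^\prime, B_3^\prime, B_4, B_5, OK\}$ and a second function checks that the result really is a partition, which is the property the unitary state constraint rests on.

```python
"""Re-partition a component's failure modes into unitary state form.

Added worked example (not part of the thesis). Assumptions, as in the
text: B1 is statistically independent of B2 and B3, while B2 and B3 are
intrinsically mutually exclusive, so P(B2 ∩ B3) = 0 and there is no
three-way intersection. All probabilities are constructed sample values.
"""

import math


def repartition(p_b1: float, p_b2: float, p_b3: float) -> dict:
    """Return P() for the re-partitioned modes {B1', B2', B3', B4, B5, OK}.

    B4 = B1 ∩ B3 and B5 = B1 ∩ B2 (the shaded regions); the primed modes
    are the originals with the overlaps removed, and OK is whatever
    probability mass is left once every failure region is accounted for.
    """
    for name, p in (("B1", p_b1), ("B2", p_b2), ("B3", p_b3)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"P({name}) must lie in [0, 1], got {p}")
    # Mutually exclusive modes cannot together exceed probability 1.
    if p_b2 + p_b3 > 1.0:
        raise ValueError("B2 and B3 are mutually exclusive, so P(B2)+P(B3) <= 1")

    # Independence gives the product rule for the intersections.
    p_b4 = p_b1 * p_b3  # P(B4) = P(B1 ∩ B3)
    p_b5 = p_b1 * p_b2  # P(B5) = P(B1 ∩ B2)

    # P(B1 ∪ B2 ∪ B3) by inclusion-exclusion, with P(B2 ∩ B3) = 0.
    p_any_failure = p_b1 + p_b2 + p_b3 - p_b4 - p_b5

    return {
        "B1'": p_b1 - p_b5 - p_b4,  # P(B1) - P(B1 ∩ B2) - P(B1 ∩ B3)
        "B2'": p_b2 - p_b5,         # P(B2) - P(B1 ∩ B2)
        "B3'": p_b3 - p_b4,         # P(B3) - P(B1 ∩ B3)
        "B4": p_b4,
        "B5": p_b5,
        "OK": 1.0 - p_any_failure,
    }


def is_unitary_state(partition: dict, tol: float = 1e-9) -> bool:
    """True if the modes (OK included) form a partition of the sample space:
    every probability is in [0, 1] and they sum to exactly 1."""
    values = list(partition.values())
    if any(v < -tol or v > 1.0 + tol for v in values):
        return False
    return math.isclose(sum(values), 1.0, abs_tol=tol)


if __name__ == "__main__":
    # Constructed sample input: P(B1)=0.1, P(B2)=0.2, P(B3)=0.3.
    modes = repartition(0.1, 0.2, 0.3)
    for name, p in modes.items():
        print(f"P({name}) = {p:.4f}")
    print("unitary state:", is_unitary_state(modes))
```

With the sample input the two new modes come out as $P(B_4) = 0.03$ and $P(B_5) = 0.02$, the primed modes shrink accordingly ($P(B_1^\prime) = 0.05$, $P(B_2^\prime) = 0.18$, $P(B_3^\prime) = 0.27$), and the six probabilities sum to one, which is exactly the unitary state property the partitioning is meant to restore. The `p_b2 + p_b3 <= 1` guard is worth keeping: values that violate it cannot be mutually exclusive, so the product-rule step would silently produce a non-partition.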