From 7bcf4601db33c8589fa055f0cae3245856f97de3 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Thu, 31 Jan 2013 15:42:18 +0000 Subject: [PATCH] Big move around... me no like.... Still to do. Tidy the Pt100 analysis Make a table of CC for all chapter 5 examples other stuff --- submission_thesis/CH5_Examples/copy.tex | 747 +++++++++++ submission_thesis/CH6_Evaluation/copy.tex | 1394 ++++++++------------- submission_thesis/CH7_Conclusion/copy.tex | 211 ++++ submission_thesis/appendixes/formal.tex | 695 ++-------- 4 files changed, 1553 insertions(+), 1494 deletions(-) diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index 20266e4..3a04d09 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex
@@ -1844,6 +1844,753 @@ We now show the final {\dc} hierarchy in figure~\ref{fig:eulersdfinal}. The \sd example, shows that FMMD can be applied to mixed digital and analogue circuitry. +\clearpage +\section{Pt100 Analysis: FMMD and Mean Time to Failure (MTTF) statistics} +\label{sec:Pt100} +{ +%This section +% shows a practical example of +% one `symptom~abstraction' stage in the FMMD process. +% We take a functional group of base components, +% and using their failure modes, analyse the circuit +% to find failure symptoms. +% These failure symptoms are used to define +% a derived component. +% +%demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows +%how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms. +%% +%% STATS MOVED TO FUTURE WORK +%% +For this example we look at an industry standard temperature measurement circuit, +the Pt100. The four wire Pt100 configuration commonly used well known safety critical circuit. +Applying FMMD lets us look at this circuit in a fresh light. +It also demonstrates FMMD coping with component parameter tolerances. +The circuit is described traditionally and then analysed using the FMMD methodology. + + +%A derived component, representing this circuit is then presented. + + +The Pt100, or platinum wire \ohms{100} sensor is +a widely used industrial temperature sensor that is +slowly replacing the use of thermocouples in many +industrial applications below 600\oc, due to high accuracy\cite{aoe}. +% +%This section looks at the most common configuration, the +%four wire circuit, and analyses it from an FMEA perspective twice. +FMMD is performed twice on this circuit +firstly considering single faults only +%(cardinality constrained powerset of 1) +and again, considering the +possibility of double faults. % (cardinality constrained powerset of 2). 
+% +% \ifthenelse {\boolean{pld}} +% { +% The section is performed using Propositional Logic +% diagrams to assist the reasoning process. +% } +% { +% } +% +% This chapter describes taking +% the failure modes of the components, analysing the circuit using FMEA +% and producing a failure mode model for the circuit as a whole. +% Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed +% from an FMEA perspective as a component itself, with a set of known failure modes. +% } +% +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png} + % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{Pt100 four wire circuit} + \label{fig:Pt100} +\end{figure} + + +\subsection{General Description of Pt100 four wire circuit} + +The Pt100 four wire circuit uses two wires to supply a small electrical current, +and returns two sense voltages by the other two. +By measuring voltages +from sections of this circuit forming potential dividers, we can determine the +resistance of the platinum wire sensor. The resistance +of this is directly related to temperature, and may be determined by +look-up tables or a suitable polynomial expression. +% +% +\begin{figure}[h] + \centering + \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} + % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{Pt100 expected voltage ranges} + \label{fig:Pt100vrange} +\end{figure} +% +% +The voltage ranges we expect from this three stage potential divider\footnote{ +two stages are required for validation, a third stage is used to measure the current flowing +through the circuit to obtain accurate temperature readings} +are shown in figure \ref{fig:Pt100vrange}. Note that there is +an expected range for each reading, for a given temperature span. +Note that the low reading goes down as temperature increases, and the higher reading goes up. 
+For this reason the low reading will be referred to as {\em sense-} +and the higher as {\em sense+}. + +\paragraph{Accuracy despite variable resistance in cables} + +For electronic and accuracy reasons, a four wire circuit is preferred +because of resistance in the cables. Resistance from the supply + causes a slight voltage +drop in the supply to the $Pt100$. As no significant current +is carried by the two `sense' lines, the resistance back to the ADC +causes only a negligible voltage drop, and thus the four wire +configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across +the thermistor only and not the voltage across the thermistor and current supply wire resistance.}. + +\paragraph{Calculating Temperature from the sense line voltages} + +The current flowing though the +whole circuit can be measured on the PCB by reading a third +sense voltage from one of the load resistors. Knowing the current flowing +through the circuit +and knowing the voltage drop over the $Pt100$, we can calculate its +resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$. +Thus a little loss of supply current due to resistance in the cables +does not impinge on accuracy. +The resistance to temperature conversion is achieved +through the published $Pt100$ tables\cite{eurothermtables}. +The standard voltage divider equations (see figure \ref{fig:vd} and +equation \ref{eqn:vd}) can be used to calculate +expected voltages for failure mode and temperature reading purposes. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png} + % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 + \caption{Voltage Divider} + \label{fig:vd} +\end{figure} +%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. 
+ +\begin{equation} +\label{eqn:vd} + V_{out} = V_{in}.\frac{Z2}{Z2+Z1} +\end{equation} + +\subsection{Safety case for 4 wire circuit} + +This sub-section looks at the behaviour of the $Pt100$ four wire circuit +for the effects of component failures. +All components have a set of known `failure modes'. +In other words we know that a given component can fail in several distinct ways. +Studies have been published which list common component types +and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}. +Thus for each component, an analysis is made for each of its failure modes, +with respect to its effect on the +circuit. Each one of these scenarios is termed a `test case'. +The resultant circuit behaviour for each of these test cases is noted. +The worst case for this type of +analysis would be a fault that we cannot detect. +Where this occurs a circuit re-design is probably the only sensible course of action. + +\fmodegloss + +\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.} + +\label{fmea} +The Pt100 circuit consists of three resistors, two `current~supply' +wires and two `sensor' wires. +Resistors, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, +%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. +%Should wires become disconnected these will have the same effect as +%given resistors going open. +For the purpose of this analyis; +$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, +$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground. + +We can define the terms `High Fault' and `Low Fault' here, with reference to figure +\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone +in the diagram, we consider this a fault. 
+Should the reading be above its expected range, this is a `High Fault' +and if below a `Low Fault'. + +Table \ref{ptfmea} plays through the scenarios of each of the resistors failing +in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. +The range {0\oc} to {300\oc} will be analysed using potential divider equations to +determine out of range voltage limits in section~\ref{sec:ptbounds}. + +\begin{table}[ht] +\caption{Pt100 FMEA Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + $R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline +$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline + \hline +$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline + $R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline +\hline +$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\ + $R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline +\hline +\end{tabular} +\label{ptfmea} +\end{table} + +From table \ref{ptfmea} it can be seen that any component failure in the circuit +should cause a common symptom, that of one or more of the values being `out of range'. +Temperature range calculations and detailed calculations +on the effects of each test case are found in section \ref{Pt100range} +and \ref{Pt100temp}. + +%\paragraph{Consideration of Resistor Tolerance} +% +%The separate sense lines ensure the voltage read over the Pt100 thermistor are not +%altered due to having to pass any significant current. +%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. 
+%One or other of the load resistors (the one we measure current over) should also +%be of this accuracy. +% +%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient +%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to +%a narrow temperature range anyway, being mounted on a PCB. +%\glossary{{PCB}{Printed Circuit Board}} +%To calculate the resistance of the Pt100 element % (and thus derive its temperature), +%having the voltage over it, we now need the current. +%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop. +%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables). +%We can calculate the current by reading +%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. +%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} +%As these calculations are performed by ohms law, which is linear, the accuracy of the reading +%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +%take the mean square error of these accuracy figures. + +\paragraph{Range and $Pt100$ Calculations} +\label{Pt100temp} +$Pt100$ resistors are designed to +have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. +A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} +for a given application. +According to the Eurotherm Pt100 +tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100} +and \ohms{212.02} respectively. From this the potential divider circuit can be +analysed and the maximum and minimum acceptable voltages determined. +These can be used as bounds results to apply the findings from the +Pt100 FMEA analysis in section \ref{fmea}. 
+ +As the Pt100 forms a potential divider with the \ohms{2k2} load resistors, +the upper and lower readings can be calculated thus: + + +$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$ +So by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds, we can be confident that none of the +resistors in this circuit has failed. + +To convert these to twelve bit ADC (\adctw) counts: + +$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$ + + +\begin{table}[ht] +\caption{Pt100 Maximum and Minimum Values} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|c|l|l||} +\hline \hline + \textbf{Temperature} & \textbf{Pt100 resistance} & +\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\ +\hline +% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\ +% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline + {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\ + & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline + {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\ + & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline +\hline +\end{tabular} +\label{ptbounds} +\end{table} + +Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that +for any single error (short or opening of any resistor) this bounds check +will detect it. + + + +\paragraph{Consideration of Resistor Tolerance.} +% +\label{sec:ptbounds} +The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not +altered by having to pass any significant current. The current is supplied +by separate wires and the resistance in those are effectively cancelled +out by considering the voltage reading over $R_3$ to be relative. +% +The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. 
+One or other of the load resistors (the one over which we measure current) should also +be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an +accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. +% +The \ohms{2k2} loading resistors should have a good temperature co-effecient +(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). +% +To calculate the resistance of the Pt100 element % (and thus derive its temperature), +knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. +% +Lets use, for the sake of example, $R_2$ to measure the current. +% +We can calculate the current $I$, by reading +the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. +We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate +the resistance of $R_3$. +% +As Ohms law is linear, the accuracy of the reading +will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +take the mean square error of these accuracy figures~\cite{probstat}. + + +\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit} + + +\ifthenelse{\boolean{pld}} +{ +\paragraph{Single Fault Modes as PLD} + +The component~failure~modes in table \ref{ptfmea} can be represented as contours +on a PLD diagram. +Each test case, is defined by the contours that enclose +it. The test cases here deal with single faults only +and are thus enclosed by one contour each. 
+\fmodegloss +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png} + % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{Pt100 Component Failure Modes} + \label{fig:Pt100_tc} +\end{figure} +} % \ifthenelse {\boolean{pld}} + +%ating input Fault +This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings. +To establish the valid voltage ranges for these, and knowing our +valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate +valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd} +for the circuit shown in figure \ref{fig:vd}. + + + + +\paragraph{Proof of Out of Range Values for Failures} +\label{pt110range} +Using the temperature ranges defined above we can compare the voltages +we would get from the resistor failures to prove that they are +`out of range'. There are six test cases and each will be examined in turn. + +\subparagraph{ TC 1 : Voltages $R_1$ SHORT } +With Pt100 at 0\oc +$$ highreading = 5V $$ +Since the highreading or sense+ is directly connected to the 5V rail, +both temperature readings will be 5V.. +$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$ +With Pt100 at the high end of the temperature range 300\oc. +$$ highreading = 5V $$ +$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$ + +Thus with $R_1$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\paragraph{ TC 2 : Voltages $R_1$ OPEN } + +In this case the 5V rail is disconnected. All voltages read are 0V, and +therefore both readings are outside the +proscribed range in table \ref{ptbounds}. + + +\paragraph{ TC 3 : Voltages $R_2$ SHORT } + +With Pt100 at 0\oc +$$ lowreading = 0V $$ +Since the lowreading or sense- is directly connected to the 0V rail, +both temperature readings will be 0V. 
+$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$ +With Pt100 at the high end of the temperature range 300\oc. +$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$ +% +Thus with $R_2$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\paragraph{ TC 4 : Voltages $R_2$ OPEN } +Here there is no potential divider operating and both sense lines +will read 5V, outside of the proscribed range. + + +\paragraph{ TC 5 : Voltages $R_3$ SHORT } + +Here the potential divider is simply between +the two 2k2 load resistors. Thus it will read a nominal; +2.5V. + +Assuming the load resistors are +precision components, and then taking an absolute worst case of 1\% either way. + +$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ + +$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$ + +These readings both lie outside the proscribed range. +Also the sense+ and sense- readings would have the same value. + +\paragraph{ TC 6 : Voltages $R_3$ OPEN } + +Here the potential divider is broken. The sense- will read 0V and the sense+ will +read 5V. Both readings are outside the proscribed range. + +\subsection{Summary of Analysis} + +All six test cases have been analysed and the results agree with the hypothesis +put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the +symptoms. In this case there is a common and easily detected symptom for all these single +resistor faults : Voltage out of range. +% +% A spider can be drawn on the PLD diagram to this effect. +% +In practical use, by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds, we can be confident that none of the +resistors in this circuit has failed. 
+ +\ifthenelse{\boolean{pld}} +{ +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png} + % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{Pt100 Component Failure Modes} + \label{fig:Pt100_tc_sp} +\end{figure} +} + + +\subsection{Derived Component : The Pt100 Circuit} +The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, +{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a +fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$ +has been developed for safety critical temperature measurement. +% +\ifthenelse{\boolean{pld}} +{ +It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png} + % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{Pt100 Circuit Failure Modes : From Single Faults Analysis} + \label{fig:Pt100_singlef} +\end{figure} +} + +%From the single faults (cardinality constrained powerset of 1) analysis, we can now create +%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \} +%as its single failure mode. + + +%Interestingly we can calculate the failure statistics for this circuit now. +%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ??? +%\clearpage + + + +\section{Double failure analysis} + +%CITE PRICE MULTIPLE FAILURE PAPER. + +%\clearpage +\section{ Pt100 Double Simultaneous Fault Analysis} +\label{sec:Pt100d} +In this section we examine the failure mode behaviour for all single +faults and double simultaneous faults. +This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of +the failure modes in the functional group. 
+All the single faults have already been proved in the last section. +For the next set of test cases, let us again hypothesise +the failure modes, and then examine each one in detail with +potential divider equation proofs. + +Table \ref{tab:ptfmea2} lists all the combinations of double +faults and then hypothesises how the functional~group will react +under those conditions. + +\begin{table}[ht] +\caption{Pt100 FMEA Double Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|l|c|c|l|l||} +\hline \hline + \textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline + TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline +\hline + TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline + TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline +\hline + + TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline +TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline +\hline + TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline + +\hline + TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline +TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline +TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline +\hline +\end{tabular} +\label{tab:ptfmea2} +\end{table} + +\subsection{Verifying complete coverage for a cardinality constrained powerset of 2} + +\fmodegloss + + +It is important to check that we 
have covered all possible double fault combinations. +We can use the equation \ref{eqn:correctedccps2} +\ifthenelse {\boolean{paper}} +{ +from the definitions paper +\ref{pap:compdef} +, +reproduced below to verify this. + +\indent{ + where: + \begin{itemize} + \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes. + \item The indexed set $C_j$ represents all components in set $SU$. + \item The function $FM$ takes a component as an argument and returns its set of failure modes. + \item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults. + \end{itemize} +} +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + \label{eqn:correctedccps2} +\end{equation} + +} +{ +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + %\label{eqn:correctedccps2} +\end{equation} +} + + +$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes. + +% +% Factorial of zero is one ! You can only arrange an empty set one way ! + +Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2. +%is always 2 for this circuit, as all the components are resistors and have two failure modes. + +\begin{equation} + |{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}} +- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} } + %\label{eqn:correctedccps2} +\end{equation} + +$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check +under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time). 
+ +Expanding the sumations + + +$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$ + +$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$ + +As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double) +we can be confident that we have looked at all `double combinations' of the possible faults +in the Pt100 circuit. The next task is to investigate +these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. + + +%\paragraph{Proof of Double Faults Hypothesis} + +\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } +\label{Pt100:bothfloating} +This double fault mode produces an interesting symptom. +Both sense lines are floating. +We cannot know what the {\adctw} readings on them will be. +% +In practise these would probably float to low values +but for the purpose of a safety critical analysis, +all we can say is that the values are `floating' and `unknown'. +This is an interesting case, because it is, at this stage an undetectable---or unobservable--- +fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{ACS:ACS1297,721666}. +%that must be handled. + + +\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } + +This cuts the supply from Vcc. Both sense lines will be at zero. +Thus both values will be out of range. + + +\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN } + +Sense- will be floating. +Sense+ will be tied to Vcc and will thus be out of range. + +\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT } + +This shorts ground to +both of the sense lines. +Both values will be out of range. + +\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN } + +This shorts both sense lines to Vcc. +Both values will be out of range. 
+ + +\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + + +\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + +\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN } + +This shorts the sense+ to Vcc and causes sense- to float. +The sense+ value will be out of range. + + +\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + + + + + +\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN } + +This shorts the sense- to Ground. +The sense- value will be out of range. + + +\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +%\clearpage + +\ifthenelse{\boolean{pld}} +{ +\subsection{Double Faults Represented on a PLD Diagram} + +We can show the test cases on a diagram with the double faults residing on regions +corresponding to overlapping contours see figure \ref{fig:plddouble}. +Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour. + + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{Pt100 Double Simultaneous Faults} + \label{fig:plddouble} +\end{figure} + +We use equation \ref{eqn:correctedccps2} to verify complete coverage for +a given cardinality constraint is not visually obvious. +% +From the diagram it is easy to verify +the number of failure modes considered for each test case, but +not that all for a given cardinality constraint have been included. 
+} +{ +} + +\paragraph{Symptom Extraction} + +We can now examine the results of the test case analysis and apply symptom abstraction. +In all the test case results we have at least one out of range value, except for +$TC\_7$ +which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$, +into the symptom $OUT\_OF\_RANGE$. +As a symptom $TC\_7$ could be described as $FLOATING$. + +\ifthenelse{\boolean{pld}} +{ +We can thus draw a PLD diagram representing the +failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures, +in figure \ref{fig:Pt100_doublef}. + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{Pt100 Double Simultaneous Faults} + \label{fig:plddoublesymptom} +\end{figure} +} %% \ifthenelse {\boolean{pld}} +{ +} + +%\clearpage +\subsection{Derived Component : The Pt100 Circuit} +The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes, +{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. + +\ifthenelse{\boolean{pld}} +{ +It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}. +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png} + % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{Pt100 Circuit Failure Modes : From Double Faults Analysis} + \label{fig:Pt100_doublef} +\end{figure} +} % \ifthenelse {\boolean{pld}} +{ +} + % The resistors R1, R2 form a summing junction diff --git a/submission_thesis/CH6_Evaluation/copy.tex b/submission_thesis/CH6_Evaluation/copy.tex index 0fb2436..4143ca0 100644 --- a/submission_thesis/CH6_Evaluation/copy.tex +++ b/submission_thesis/CH6_Evaluation/copy.tex 
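Review bot: Two of the double-fault proofs in this hunk contradict the circuit definition given earlier in the same hunk ($R_1$ is the 2k2 from 5V to the thermistor, $R_2$ connects the thermistor to ground). TC 9 ($R_1$ OPEN, $R_3$ OPEN) says "Sense+ will be tied to Vcc", but TC 2 states that $R_1$ OPEN disconnects the 5V rail, so with $R_3$ also open sense+ has no connection at all and floats, while sense- reads low through $R_2$; the table row "TC 9: ... high & low" and the text need correcting together (the "sense+ to Vcc, sense- floating" description is the one for TC 15). TC 18 ($R_2$ SHORT, $R_3$ SHORT) reads "This shorts the sense+ and sense- to Vcc", copied from TC 16; with $R_2$ and $R_3$ shorted both sense lines sit at ground, which is what the table's "low & low" says. TC 17's text mentions only sense- while the table says both values are out of range; reconcile the two. Further points before merging: (1) `\ref{Pt100range}` is never defined, the label on the "Proof of Out of Range Values" paragraph is `pt110range`. (2) `\label{eqn:correctedccps2}` exists only inside the `\boolean{paper}` branch and is commented out in the else branch, so both `\ref{eqn:correctedccps2}` are undefined in the thesis build; the two branches also write the outer sum differently (`\sum^{k}_{1..cc}` versus `\sum^{cc}_{k=1}`), and the populated form sums over $j$ but uses $p$ in the summand. (3) The itemised definition says $SU$ "represents the components in the functional group", yet the equation is populated with $|SU| = 6$ while the circuit has three resistors; the expansion 6 + 15 - 3 = 18 only works if $SU$ is the set of failure modes, so the definition and the substitution disagree. (4) The double-fault section opens with "cardinality constrained powerset of one" where the rest of the section (and "$cc$ ... here 2") means two. (5) TC 1 says "both temperature readings will be 5V.." and TC 3 "both temperature readings will be 0V", but the calculations that follow give 4.78V and 0.218V for the other sense line; in TC 3 the 0\oc equation is labelled `lowreading` where it should be `highreading`, as the 300\oc line below it is. (6) Structure: the heading "Single Fault FMEA Analysis of $Pt100$ Four wire circuit" appears twice, the second with no body; `\section{Double failure analysis}` is empty and immediately followed by another `\section`; TC 1 uses `\subparagraph` while TC 2 to TC 18 use `\paragraph`; the `$R_2$ SHORT` row of table `ptfmea` is missing its `\hline`; `{\textbf OUT\_OF\_RANGE}` bolds only the first token and should be `\textbf{OUT\_OF\_RANGE}` as in the later derived-component subsection. (7) The section title promises MTTF statistics while the commented header in the same hunk says "STATS MOVED TO FUTURE WORK" and the body contains none. (8) Wording: "The four wire Pt100 configuration commonly used well known safety critical circuit" is missing "is a"; "We use equation ... to verify complete coverage for a given cardinality constraint is not visually obvious" needs rewriting; "Value Out of Range Value" (twice in table `ptfmea`); "proscribed" should be "prescribed" throughout; "analyis", "Symtom" (both tables), "co-effecient", "sumations", "Lets", and "Ohms law" should be "Ohm's law".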
@@ -14,12 +14,15 @@ and then formulae are presented for calculating the complexity of applying FMEA to a group of components. % These formulae are then used for a hypothetical example, which is analysed by both FMEA and FMMD. + +Following on from the formal definitions, `unitary state failure modes' are defined. In short these +ensure that component failure modes are mutually exclusive. -FMMD makes the claim that it can perform double simultaneous failure mode analysis without an undue -state explosion drawback. -To support this, an example of single and double failure analysis is provided, using the four wire Pt100 -temperature measurement sensor circuit. This example is also used to show how component failure rate statistics can be -used with FMMD. +% MOVE TO CH5 FMMD makes the claim that it can perform double simultaneous failure mode analysis without an undue +% MOVE TO CH5 state explosion drawback. +% MOVE TO CH5 To support this, an example of single and double failure analysis is provided, using the four wire Pt100 +% MOVE TO CH5 temperature measurement sensor circuit. This example is also used to show how component failure rate statistics can be +% MOVE TO CH5 used with FMMD. This is followed by some critiques i.e. possible areas of difficulty when performing FMMD, and then a general evaluation. % comparing it with traditional FMEA. 
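Review bot: The five "% MOVE TO CH5" lines should be deleted rather than kept as commented-out prose; the paragraph now lives in the CH5 hunk of this same patch and git history preserves the old wording. Note also that the removed paragraph advertised the Pt100 example as showing "how component failure rate statistics can be used with FMMD", whereas the moved CH5 section's own header comment says the statistics were moved to future work, so check that nothing else in this chapter still promises that demonstration.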
@@ -106,20 +109,24 @@ of checks to make than for a complicated larger system. % \subsection{Formal definitions of entities used in FMEA} % -\paragraph{Considering a system as a group of Components.} -We can consider the system as a large collection %{\fg} +%\paragraph{Considering a system as a group of Components.} +Using the language developed in the previous chapters +we consider a system for analysis as a collection %{\fg} of components. We can represent this set of components as $G$, and the number of components in it by $ | G | $. %, %(an indexing and sub-scripting notation to identify particular {\fgs} %within an FMMD hierarchy is given in section~\ref{sec:indexsub}). -\paragraph{Defining Components} -We define the set of all components as $\mathcal{C}$. Individual components are denoted as $c$ +%\paragraph{Defining Components} +$G$ is simply a sub-set of all possible components. +We define the set of all components as $\mathcal{C}$ and can state $G \subset \mathcal{C}$.. Individual components are denoted as $c$ with additional indexing when appropriate. \paragraph{Defining a function that returns failure modes given a component.} -The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}). +The function $fm$ has a component as its domain and the components failure modes, $fms$, as its range. % (see equation~\ref{eqn:fm}). +Where $\mathcal{F}$ is the set of all failures, +$$ fm: \mathcal{C} \rightarrow \mathcal{F}$$. We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$ \paragraph{Indexing components with the group $G$.} 
@@ -130,14 +137,15 @@ failure mode against all the other components in the system. Comparison Complexity can be represented by a function $CC$, with its domain as $G$, and its range as the number of checks---or reasoning stages---to perform to satisfy a rigorous FMEA inspection. -Where $\mathcal{G}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by, +Where $\mathcal{G}$ represents the set of all {\fgs}, and $ \mathbb{Z}^{+} $, $CC$ is defined by, \begin{equation} %$$ - CC:\mathcal{G} \rightarrow \mathbb{N}, + CC:\mathcal{G} \rightarrow \mathbb{Z}^{+}, %$$ \end{equation} - -and, where n is the number of components in the system/{\fg}, $|fm(c_i)|$ is the number of failure modes +% +%and, where n is the number of components in the system/{\fg}, +and $|fm(c_i)|$ is the number of failure modes in component ${c_i}$, is given by \begin{equation} @@ -160,9 +168,14 @@ equation~\ref{eqn:CC} becomes An FMMD hierarchy consists of many {\fgs} which are subsets of $G$. We define the set of all {\fgs} as $\mathcal{FG}$. -We can therefore state $ \forall \in \mathcal{FG} \subset \mathcal{G}$. +Using $FG$ to represent individual {\fgs} we %can therefore +state $$ \forall FG \in \mathcal{FG} | FG \subset \mathcal{G}$$. + +FMMD analysis creates a hierarchy $H$ of {\fgs} where $H \subset \mathcal{FG}$. + We can define individual {\fgs} using $FG$ with an index to identify them and a superscript -to identify the hierarchy level. +to identify the hierarchy level. For instance a {\fg} containing base components only +---at the zeroth level of an FMMD hierarchy---would have the superscript 0, i.e. $FG^{0}$. %$$ %Equation~\ref{eqn:rd} can also be expressed as % 
@@ -179,13 +192,15 @@ In order to calculate its comparison~complexity we need to apply equation~\ref{e all {\fgs} on each level. We can define an FMMD hierarchy as a set of {\fgs}, $H$. We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), -defined by +defined by, \begin{equation} %$$ g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) . %$$ \end{equation} +IN ENGLISH: A helper function $g$ that returns all {\fgs} at a particular hierarchy level in a particular FMMD hierarchy. + Where $L$ represents the number of levels in the FMMD hierarchy, $|g(\xi)|$ represents the number of {\fgs} on the level @@ -198,13 +213,17 @@ we overload the comparison complexity thus: %$$ \end{equation} - -\pagebreak[4] \subsection{Complexity Comparison Examples} - +%\pagebreak[4] The potential divider discussed in section~\ref{subsec:potdiv} has four failure modes and two components and therefore has $CC$ of 4. -$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$ +$$CC(potdiv) = \sum_{n=1}^{2} |2| \times (|1|) = 4 $$ +We combine the potential divider with an op-amp which has four failure modes +to form a {\fg} with two components one with four failure modes and the other (the potential divider) with two. +$$CC(invamp) = 2 \times 1 + 4 \times 1 = 6 $$ +To analyse the inverting amplifier with FMMD we required 10 reasoning stages. +Using RFMEA we obtain $ 2 \times (3-1) + 2 \times (3-1) + 4 \times (3-1)$ = 16. +\paragraph{Complexity Comparison for an 81 component system.} %Even considering a $example$ A system, $example$, with just 81 components (with these components having 3 failure modes each) we would have an $CC$ of 
@@ -346,941 +365,533 @@ $$ \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 %\end{equation} $$ +\subsection{Complexity Comparison applied to previous FMMD Examples} + +All the FMMD examples in chapters \ref{chap5} and \ref{chap6} showed a marked reduction in comparison +complexity compared to the RFMEA worst case figures. +% + +% +A table of complexity comparison vs. RFMEA is presented below. + + % \subsection{Exponential squared to Exponential} % % can I say that ? -\clearpage -\section{Pt100 Analysis: FMMD and Mean Time to Failure (MTTF) statistics} -\label{sec:Pt100} -{ -This section -% shows a practical example of -% one `symptom~abstraction' stage in the FMMD process. -% We take a functional group of base components, -% and using their failure modes, analyse the circuit -% to find failure symptoms. -% These failure symptoms are used to define -% a derived component. + + + +\section{Unitary State Component Failure Mode sets} +\label{sec:unitarystate} +\paragraph{Design Descision/Constraint} +An important factor in defining a set of failure modes is that they +should represent the failure modes as simply and minimally as possible. +It should not be possible, for instance, for +a component to have two or more failure modes active at once. +Were this to be the case, we would have to consider additional combinations of +failure modes within the component. +Having a set of failure modes where $N$ modes could be active simultaneously +would mean having to consider an additional $2^N-1$ failure mode scenarios. +Should a component be analysed and simultaneous failure mode cases exist, +the combinations could be represented by new failure modes, or +the component should be considered from a fresh perspective, +perhaps considering it as several smaller components +within one package. +This property, failure modes being mutually exclusive, is termed `unitary state failure modes' +in this study. 
+This corresponds to the `mutually exclusive' definition in +probability theory~\cite{probstat}. + + +\begin{definition} +A set of failure modes where only one failure mode +can be active at one time is termed a {\textbf{unitary~state}} failure mode set. +\end{definition} + +Let the set of all possible components be $ \mathcal{C}$ +and let the set of all possible failure modes be $ \mathcal{F}$. +The set of failure modes of a particular component are of interest +here. +What is required is to define a property for +a set of failure modes where only one failure mode can be active at a time; +or borrowing from the terms of statistics, the failure mode being an event that is mutually exclusive +with a set $F$. +We can define a set of failure mode sets called $\mathcal{U}$ to represent this +property for a set of failure modes. + +\begin{definition} +We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where +the component failure modes in each of its members are unitary~state. +Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true. +\end{definition} + +\section{Component failure modes: Unitary State example} + +An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor. + +Electrical resistors can fail by going OPEN or SHORTED. + +For a given resistor R we can apply the +function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $. +A resistor cannot fail with the conditions open and short active at the same time, +that would be physically impossible! The conditions +OPEN and SHORT are thus mutually exclusive. +Because of this, the failure mode set $F=fm(R)$ is `unitary~state'. % -demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows -how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms. 
+% +%Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist. +% +The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $, +therefore +$ fm(R) \in \mathcal{U} $. -For this example we look at an industry standard temperature measurement circuit, -the Pt100. -The circuit is described and then analysed using the FMMD methodology. + +We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection +of component failure modes. +We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns +whether a fault mode is active (true) or dormant (false). + +We can say that if any pair of fault modes is active at the same time, then the failure mode set is not +unitary state: +we state this formally -%A derived component, representing this circuit is then presented. + \begin{equation} + \exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} + \end{equation} -The Pt100, or platinum wire \ohms{100} sensor is -a widely used industrial temperature sensor that is -slowly replacing the use of thermocouples in many -industrial applications below 600\oc, due to high accuracy\cite{aoe}. +% +% \begin{equation} +% c1 \cap c2 \neq \emptyset | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U +% \end{equation} -This section looks at the most common configuration, the -four wire circuit, and analyses it from an FMEA perspective twice. -Once considering single faults (cardinality constrained powerset of 1) and then again, considering the -possibility of double faults (cardinality constrained powerset of 2). +That is to say that it is impossible that any pair of failure modes can be active at the same time +for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$. 
+Note where there are more than two failure~modes, +by banning any pairs from being active at the same time, +we have banned larger combinations as well. -\ifthenelse {\boolean{pld}} -{ -The section is performed using Propositional Logic -diagrams to assist the reasoning process. -} -{ -} - -This chapter describes taking -the failure modes of the components, analysing the circuit using FMEA -and producing a failure mode model for the circuit as a whole. -Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed -from an FMEA perspective as a component itself, with a set of known failure modes. -} - -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png} - % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 - \caption{Pt100 four wire circuit} - \label{fig:Pt100} -\end{figure} +\subsection{Design Rule: Unitary State} -\subsection{General Description of Pt100 four wire circuit} - -The Pt100 four wire circuit uses two wires to supply a small electrical current, -and returns two sense voltages by the other two. -By measuring voltages -from sections of this circuit forming potential dividers, we can determine the -resistance of the platinum wire sensor. The resistance -of this is directly related to temperature, and may be determined by -look-up tables or a suitable polynomial expression. -\begin{figure}[h] - \centering - \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} - % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 - \caption{Pt100 expected voltage ranges} - \label{fig:Pt100vrange} -\end{figure} +All components must have unitary state failure modes to be used with the FMMD methodology and +for base~components this is usually the case. Most simple components fail in one +clearly defined way and generally stay in that state. 
+ +However, where a complex component is used, for instance a microcontroller +with several modules that could all fail simultaneously, a process +of reduction into smaller theoretical components will have to be made. +We can term this `heuristic~de-composition'. +A modern micro-controller will typically have several modules, which are configured to operate on +pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, +PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}. +For instance the voltage reading functions which consist +of an ADC multiplexer and ADC can be considered to be components +inside the micro-controller package. +The micro-controller thus becomes a collection of smaller components +that can be analysed separately~\footnote{It is common for the signal paths +in a safety critical product to be traced, and when entering a complex +component like a micro-controller, the process of heuristic de-compostion +is then applied to it.}. -The voltage ranges we expect from this three stage potential divider\footnote{ -two stages are required for validation, a third stage is used to measure the current flowing -through the circuit to obtain accurate temperature readings} -are shown in figure \ref{fig:Pt100vrange}. Note that there is -an expected range for each reading, for a given temperature span. -Note that the low reading goes down as temperature increases, and the higher reading goes up. -For this reason the low reading will be referred to as {\em sense-} -and the higher as {\em sense+}. -\paragraph{Accuracy despite variable resistance in cables} +\paragraph{Reason for Constraint.} Were this constraint to not be applied +each component would not contribute $N$ failure modes to consider but potentially +$2^N$. +% +This would make the job of analysing the failure modes +in a {\fg} impractical due to the sheer size of the task. 
+%Note that the `unitary state' conditions apply to failure modes within a component. +%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos -For electronic and accuracy reasons, a four wire circuit is preferred -because of resistance in the cables. Resistance from the supply - causes a slight voltage -drop in the supply to the $Pt100$. As no significant current -is carried by the two `sense' lines, the resistance back to the ADC -causes only a negligible voltage drop, and thus the four wire -configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across -the thermistor only and not the voltage across the thermistor and current supply wire resistance.}. +\section{Handling Simultaneous Component Faults} -\paragraph{Calculating Temperature from the sense line voltages} +For some integrity levels of static analysis, there is a need to consider not only single +failure modes in isolation, but cases where more then one failure mode may occur +simultaneously. +% +Note that the `unitary state' conditions apply to failure modes within a component. +This does not preclude the possibility of two or more components failing simultaneously. +% +%The scenarios presented deal with possibility of two or more components failing simultaneously. +% +It is an implied requirement of EN298~\cite{en298} for instance to +consider double simultaneous faults\footnote{Under the conditions +of LOCKOUT~\cite{en298} in an industrial burner controller that has detected one fault already. +However, from the perspective of static failure mode analysis, this amounts +to dealing with double simultaneous failure modes.}. +% +To generalise, we may need to consider $N$ simultaneous +failure modes when analysing a functional group. +% +This involves finding +all combinations of failures modes of size $N$ and less. +%The Powerset concept from Set theory is useful to model this. 
+% +The power-set, when applied to a set S is the set of all subsets of S, including the empty set +\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there +is no fault active in the functional~group under analysis.} +and S itself. +% +We augment the power-set concept here to deal with counting the number of +combinations of failures to consider, under the conditions of simultaneous failures. +% +In order to consider combinations for the set S where the number of elements in +each subset of S is $N$ or less, a concept of the `cardinality constrained power-set' +is proposed and described in the next section. -The current flowing though the -whole circuit can be measured on the PCB by reading a third -sense voltage from one of the load resistors. Knowing the current flowing -through the circuit -and knowing the voltage drop over the $Pt100$, we can calculate its -resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$. -Thus a little loss of supply current due to resistance in the cables -does not impinge on accuracy. -The resistance to temperature conversion is achieved -through the published $Pt100$ tables\cite{eurothermtables}. -The standard voltage divider equations (see figure \ref{fig:vd} and -equation \ref{eqn:vd}) can be used to calculate -expected voltages for failure mode and temperature reading purposes. +%\pagebreak[1] +\section{Cardinality Constrained Power-set } +\label{ccp} -\begin{figure}[h] - \centering - \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png} - % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 - \caption{Voltage Divider} - \label{fig:vd} -\end{figure} -%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. +A Cardinality Constrained power-set is one where subsets of a cardinality greater than a threshold +are not included. This threshold is called the cardinality constraint. 
+To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$. +Consider the set $S = \{a,b,c\}$. + +The power-set of S: + +$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$ + + +$\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is +less than or equal to 2. + +$$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$ + +Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is: + +$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$. + +\paragraph{Calculating the number of elements in a cardinality constrained power-set} + +A $k$ combination is a subset with $k$ elements. +The number of $k$ combinations (each of size $k$) from a set $S$ +with $n$ elements (size $n$) is the binomial coefficient~\cite{probstat} shown in equation \ref{bico}. \begin{equation} -\label{eqn:vd} - V_{out} = V_{in}.\frac{Z2}{Z2+Z1} -\end{equation} +C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} . +\label{bico} +\end{equation} -\subsection{Safety case for 4 wire circuit} +To find the number of elements in a cardinality constrained subset S with up to $cc$ elements +in each combination sub-set, +we need to sum the combinations, +%subtracting $cc$ from the final result +%(repeated empty set counts) +from $1$ to $cc$ thus -This sub-section looks at the behaviour of the $Pt100$ four wire circuit -for the effects of component failures. -All components have a set of known `failure modes'. -In other words we know that a given component can fail in several distinct ways. -Studies have been published which list common component types -and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}. -Thus for each component, an analysis is made for each of its failure modes, -with respect to its effect on the -circuit. Each one of these scenarios is termed a `test case'. 
-The resultant circuit behaviour for each of these test cases is noted. -The worst case for this type of -analysis would be a fault that we cannot detect. -Where this occurs a circuit re-design is probably the only sensible course of action. - -\fmodegloss - -\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.} - -\label{fmea} -The Pt100 circuit consists of three resistors, two `current~supply' -wires and two `sensor' wires. -Resistors, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, -%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. -%Should wires become disconnected these will have the same effect as -%given resistors going open. -For the purpose of this analyis; -$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, -$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground. - -We can define the terms `High Fault' and `Low Fault' here, with reference to figure -\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone -in the diagram, we consider this a fault. -Should the reading be above its expected range, this is a `High Fault' -and if below a `Low Fault'. - -Table \ref{ptfmea} plays through the scenarios of each of the resistors failing -in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. -The range {0\oc} to {300\oc} will be analysed using potential divider equations to -determine out of range voltage limits in section~\ref{sec:ptbounds}. 
- -\begin{table}[ht] -\caption{Pt100 FMEA Single Faults} % title of Table -\centering % used for centering table -\begin{tabular}{||l|c|c|l|l||} -\hline \hline - \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ - \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ -% R & wire & res + & res - & description -\hline -\hline - $R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline -$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline - \hline -$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline - $R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline -\hline -$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\ - $R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline -\hline -\end{tabular} -\label{ptfmea} -\end{table} - -From table \ref{ptfmea} it can be seen that any component failure in the circuit -should cause a common symptom, that of one or more of the values being `out of range'. -Temperature range calculations and detailed calculations -on the effects of each test case are found in section \ref{Pt100range} -and \ref{Pt100temp}. - -%\paragraph{Consideration of Resistor Tolerance} % -%The separate sense lines ensure the voltage read over the Pt100 thermistor are not -%altered due to having to pass any significant current. -%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. -%One or other of the load resistors (the one we measure current over) should also -%be of this accuracy. +% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$ % -%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient -%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to -%a narrow temperature range anyway, being mounted on a PCB. 
-%\glossary{{PCB}{Printed Circuit Board}} -%To calculate the resistance of the Pt100 element % (and thus derive its temperature), -%having the voltage over it, we now need the current. -%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop. -%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables). -%We can calculate the current by reading -%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. -%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, -%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} -%As these calculations are performed by ohms law, which is linear, the accuracy of the reading -%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to -%take the mean square error of these accuracy figures. - -\paragraph{Range and $Pt100$ Calculations} -\label{Pt100temp} -$Pt100$ resistors are designed to -have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. -A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} -for a given application. -According to the Eurotherm Pt100 -tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100} -and \ohms{212.02} respectively. From this the potential divider circuit can be -analysed and the maximum and minimum acceptable voltages determined. -These can be used as bounds results to apply the findings from the -Pt100 FMEA analysis in section \ref{fmea}. 
- -As the Pt100 forms a potential divider with the \ohms{2k2} load resistors, -the upper and lower readings can be calculated thus: - - -$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ -$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$ -So by defining an acceptable measurement/temperature range, -and ensuring the -values are always within these bounds, we can be confident that none of the -resistors in this circuit has failed. - -To convert these to twelve bit ADC (\adctw) counts: - -$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ -$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$ - - -\begin{table}[ht] -\caption{Pt100 Maximum and Minimum Values} % title of Table -\centering % used for centering table -\begin{tabular}{||c|c|c|l|l||} -\hline \hline - \textbf{Temperature} & \textbf{Pt100 resistance} & -\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\ -\hline -% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\ -% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline - {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\ - & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline - {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\ - & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline -\hline -\end{tabular} -\label{ptbounds} -\end{table} - -Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that -for any single error (short or opening of any resistor) this bounds check -will detect it. - - - -\paragraph{Consideration of Resistor Tolerance.} -% -\label{sec:ptbounds} -The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not -altered by having to pass any significant current. The current is supplied -by separate wires and the resistance in those are effectively cancelled -out by considering the voltage reading over $R_3$ to be relative. -% -The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. 
-One or other of the load resistors (the one over which we measure current) should also -be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an -accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. -% -The \ohms{2k2} loading resistors should have a good temperature co-effecient -(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). -% -To calculate the resistance of the Pt100 element % (and thus derive its temperature), -knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. -% -Lets use, for the sake of example, $R_2$ to measure the current. -% -We can calculate the current $I$, by reading -the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. -We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, -and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate -the resistance of $R_3$. -% -As Ohms law is linear, the accuracy of the reading -will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to -take the mean square error of these accuracy figures~\cite{probstat}. - - -\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit} - - -\ifthenelse{\boolean{pld}} -{ -\paragraph{Single Fault Modes as PLD} - -The component~failure~modes in table \ref{ptfmea} can be represented as contours -on a PLD diagram. -Each test case, is defined by the contours that enclose -it. The test cases here deal with single faults only -and are thus enclosed by one contour each. 
-\fmodegloss -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png} - % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 - \caption{Pt100 Component Failure Modes} - \label{fig:Pt100_tc} -\end{figure} -} % \ifthenelse {\boolean{pld}} - -%ating input Fault -This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings. -To establish the valid voltage ranges for these, and knowing our -valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate -valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd} -for the circuit shown in figure \ref{fig:vd}. - - - - -\paragraph{Proof of Out of Range Values for Failures} -\label{pt110range} -Using the temperature ranges defined above we can compare the voltages -we would get from the resistor failures to prove that they are -`out of range'. There are six test cases and each will be examined in turn. - -\subparagraph{ TC 1 : Voltages $R_1$ SHORT } -With Pt100 at 0\oc -$$ highreading = 5V $$ -Since the highreading or sense+ is directly connected to the 5V rail, -both temperature readings will be 5V.. -$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$ -With Pt100 at the high end of the temperature range 300\oc. -$$ highreading = 5V $$ -$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$ - -Thus with $R_1$ shorted both readings are outside the -proscribed range in table \ref{ptbounds}. - -\paragraph{ TC 2 : Voltages $R_1$ OPEN } - -In this case the 5V rail is disconnected. All voltages read are 0V, and -therefore both readings are outside the -proscribed range in table \ref{ptbounds}. - - -\paragraph{ TC 3 : Voltages $R_2$ SHORT } - -With Pt100 at 0\oc -$$ lowreading = 0V $$ -Since the lowreading or sense- is directly connected to the 0V rail, -both temperature readings will be 0V. 
-$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$ -With Pt100 at the high end of the temperature range 300\oc. -$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$ - -Thus with $R_2$ shorted both readings are outside the -proscribed range in table \ref{ptbounds}. - -\paragraph{ TC 4 : Voltages $R_2$ OPEN } -Here there is no potential divider operating and both sense lines -will read 5V, outside of the proscribed range. - - -\paragraph{ TC 5 : Voltages $R_3$ SHORT } - -Here the potential divider is simply between -the two 2k2 load resistors. Thus it will read a nominal; -2.5V. - -Assuming the load resistors are -precision components, and then taking an absolute worst case of 1\% either way. - -$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ - -$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$ - -These readings both lie outside the proscribed range. -Also the sense+ and sense- readings would have the same value. - -\paragraph{ TC 6 : Voltages $R_3$ OPEN } - -Here the potential divider is broken. The sense- will read 0V and the sense+ will -read 5V. Both readings are outside the proscribed range. - -\subsection{Summary of Analysis} - -All six test cases have been analysed and the results agree with the hypothesis -put in table~\ref{ptfmea}. The PLD diagram, can now be used to collect the -symptoms. In this case there is a common and easily detected symptom for all these single -resistor faults : Voltage out of range. - -A spider can be drawn on the PLD diagram to this effect. - -In practical use, by defining an acceptable measurement/temperature range, -and ensuring the -values are always within these bounds, we can be confident that none of the -resistors in this circuit has failed. 
- -\ifthenelse{\boolean{pld}} -{ -\begin{figure}[h] - \centering - \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png} - % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 - \caption{Pt100 Component Failure Modes} - \label{fig:Pt100_tc_sp} -\end{figure} -} - - -\subsection{Derived Component : The Pt100 Circuit} -The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, -{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a -fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$ -has been developed for safety critical temperature measurement. -% -\ifthenelse{\boolean{pld}} -{ -It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}. - -\begin{figure}[h] - \centering - \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png} - % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 - \caption{Pt100 Circuit Failure Modes : From Single Faults Analysis} - \label{fig:Pt100_singlef} -\end{figure} -} - -%From the single faults (cardinality constrained powerset of 1) analysis, we can now create -%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \} -%as its single failure mode. - - -%Interestingly we can calculate the failure statistics for this circuit now. -%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ??? -%\clearpage -\subsection{Mean Time to Failure} - -Now that we have a model for the failure mode behaviour of the Pt100 circuit -we can look at the statistics associated with each of the failure modes. 
- -The DOD electronic reliability of components -document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating -the -%$\frac{failures}{{10}^6}$ -${failures}/{{10}^6}$ % looks better -in hours for a wide range of generic components -\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F -can give conservative reliability figures when applied to -modern components}. -% -Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor -failure statistics, we calculate the reliability of this circuit. - - -\paragraph{Resistor FIT Calculations} - -The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor -is reproduced in equation \ref{resistorfit}. The meanings -and values assigned to its co-efficients are described in table \ref{tab:resistor}. -\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} - - -\fmodegloss \begin{equation} -% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E -resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E - \label{resistorfit} -\end{equation} + |{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ cc! ( |{S}| - cc)!} . 
% was k in the frac part now cc + \label{eqn:ccps} +\end{equation} -\begin{table}[ht] -\caption{Fixed film resistor Failure in time assessment} % title of Table -\centering % used for centering table -\begin{tabular}{||c|c|l||} -\hline \hline - \em{Parameter} & \em{Value} & \em{Comments} \\ - & & \\ \hline \hline - ${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline - %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline - ${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline - ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline - ${\pi}_E$ & 1.0 & benign ground environment\\ \hline -\hline \hline -\end{tabular} -\label{tab:resistor} -\end{table} -Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor} -give the following failures in ${10}^6$ hours: +\subsection{Actual Number of combinations to check with Unitary State Fault mode sets} + +If all of the fault modes in $S$ were independent, +the cardinality constrained power-set +calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check. +Because sets of failure modes in FMMD analysis are constrained to be unitary state, +the actual number of test cases to check will usually +be less than this. +This is because combinations of faults within a components failure mode set +are impossible under the conditions of unitary state failure mode. +To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations' +for each component in the functional group under analysis. +Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. +For example, say +the cardinality constraint was 3, we would need to subtract both +$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group. 
+ +\subsubsection{Example: Two Component functional group cardinality Constraint of 2} + +For example: suppose we have a simple functional group with two components R and T, of which +$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$ + +This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set +of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$ + +For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$), +applying equation \ref{eqn:ccps} gives :- + +$$ | P_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15.$$ + +This is composed of ${5 \choose 1}$ +five single fault modes, and ${5 \choose 2}$ ten double fault modes. +However we know that the faults are mutually exclusive within a component. +We must then subtract the number of `internal' component fault combinations +for each component in the functional~group. +For component R there is only one internal component fault that cannot exist +$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has + three fault modes ${3 \choose 2} = 3$. +Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. +The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified +by listing all the required combinations: + + + +$$ \mathcal{P}_{2}(fm(FG)) = \{ + \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} + \} +$$ + +and whose cardinality is 11. 
% by inspection +%$$ +%| +%\{ +% \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} +%\} +%| = 11 +%$$ + + +\pagebreak[1] +\subsubsection{Establishing Formulae for unitary state failure mode +cardinality calculation} + +The cardinality constrained power-set in equation \ref{eqn:ccps}, can be modified for % corrected for +unitary state failure modes. +%This is written as a general formula in equation \ref{eqn:correctedccps}. + +%\indent{ +%To define terms : +%\begin{itemize} +%\item +Let $C$ be a set of components (indexed by $j \in J$) +that are members of the functional group $FG$ +i.e. $ \forall j \in J | C_j \in FG $. + +%\item +Let $|fm({C}_{j})|$ +indicate the number of mutually exclusive fault modes of component $C_j$. +%\item + +Let $fm(FG)$ be the collection of all failure modes +from all the components in the functional group. +%\item + +Let $SU$ be the set of failure modes from the {\fg} where all $FG$ is such that +components $C_j$ are in +`unitary state' i.e. $(SU = fm(FG)) \wedge (\forall j \in J | fm(C_j) \in \mathcal{U}) $, then +%\end{itemize} +%} \begin{equation} - 0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours} - \label{eqn:resistor} -\end{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} + - {\sum_{j \in J} {|FM({C_{j})}| \choose 2}} . + \label{eqn:correctedccps} +\end{equation} -While MIL-HDBK-217F gives MTTF for a wide range of common components, -it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}. -%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. -% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011 -This example -compromises and uses a 90:10 ratio, for resistor failure. 
-Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED -in the other 10\%. -A standard fixed film resistor, for use in a benign environment, non military spec at -temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$) -hours of operation (see equation \ref{eqn:resistor}). -This figure is referred to as a FIT\footnote{FIT values are measured as the number of -failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the -FIT number the more reliable the fault~mode} Failure in time. - -The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in -equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}. - -\begin{equation} -% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E -resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E - \label{thermistorfit} -\end{equation} - -\begin{table}[ht] -\caption{Bead type Thermistor Failure in time assessment} % title of Table -\centering % used for centering table -\begin{tabular}{||c|c|l||} -\hline \hline - \em{Parameter} & \em{Value} & \em{Comments} \\ - & & \\ \hline \hline - ${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline - %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline - %${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline - ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline - ${\pi}_E$ & 1.0 & benign ground environment\\ \hline - -\hline \hline -\end{tabular} -\label{tab:thermistor} -\end{table} +Expanding the combination in equation \ref{eqn:correctedccps} \begin{equation} - 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours} - \label{eqn:thermistor} -\end{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } . 
+ \label{eqn:correctedccps2} +\end{equation} +\paragraph{Use of Equation \ref{eqn:correctedccps2} } +Equation \ref{eqn:correctedccps2} is useful for an automated tool that +would verify that a single or double simultaneous failures model has complete failure mode coverage. +By knowing how many test cases should be covered, and checking the cardinality +associated with the test cases, complete coverage would be verified. -Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0 +%\paragraph{Multiple simultaneous failure modes disallowed combinations} +%The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs +%of failure modes within components, but also ensuring that combinations across components +%do not involve any pairs of failure modes within the same component. +%%%%- NOT SURE ABOUT THAT !!!!! +%%%- A recursive algorithm and proof is described in appendix \ref{chap:vennccps}. + +%%\paragraph{Practicality} +%%Functional Group may consist, typically of four or five components, which typically +%%have two or three failure modes each. 
Taking a worst case of mutiplying these +%%by a factor of five (the number of failure modes and components) would give +%%$25 \times 15 = 375$ +%% +%% +%% +%%\begin{verbatim} +%% +%%# define a factorial function +%%# gives 1 for negative values as well +%%define f(x) { +%% if (x>1) { +%% return (x * f (x-1)) +%% } +%% return (1) +%% +%%} +%%define u1(c,x) { +%% return f(c*x)/(f(1)*f(c*x-1)) +%%} +%%define u2(c,x) { +%% return f(c*x)/(f(2)*f(c*x-2)) +%%} +%% +%%define uc(c,x) { +%% return c * f(x)/(f(2)*f(x-2)) +%%} +%% +%%# where c is number of components, and x is number of failure modes +%%# define function u to calculate combinations to check for double sim failure modes +%%define u(c,x) { +%%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2)) +%%} +%% +%% +%%\end{verbatim} +%% -Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), -showing the FIT values for all faults considered. -\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} +\pagebreak[1] +\section{Component Failure Modes and Statistical Sample Space} +%\paragraph{NOT WRITTEN YET PLEASE IGNORE} +A sample space is defined as the set of all possible outcomes. +For a component in FMMD analysis, this set of all possible outcomes is its normal (or `correct') +operating state and all its failure modes. +We can consider failure modes as events in the sample space. +% +When dealing with failure modes, we are not interested in +the state where the component is working correctly or `OK' (i.e. operating with no error). +% +We are interested only in ways in which it can fail. +By definition, while all components in a system are `working~correctly', +that system will not exhibit faulty behaviour. +% +We can say that the OK state corresponds to the empty set. 
+% +Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is +%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$ +$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$ +The failure mode set $F$ for a given component or derived~component $C$ +is therefore +$ fm(C) = \Omega(C) \backslash \{OK\} $ +(or expressed as +$ \Omega(C) = fm(C) \cup \{OK\} $). +The $OK$ statistical case is the (usually) largest in probability, and is therefore +of interest when analysing systems from a statistical perspective. +This is of interest for the application of conditional probability calculations +such as Bayes theorem~\cite{probstat}. +The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian +statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}. +That is to say, a base component or a sub-system failure +has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds +to the probability that a given part failure mode will cause a given system level failure/event.}. +Another way to view this is to consider the failure modes of a +component, with the $OK$ state, as a universal set $\Omega$, where +all sets within $\Omega$ are partitioned. +Figure \ref{fig:partitioncfm} shows a partitioned set representing +component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets +where the OK or empty set condition is included, obey unitary state conditions. +Because the subsets of $\Omega$ are partitioned, we can say these +failure modes are unitary state. 
-\begin{table}[h+] -\caption{Pt100 FMEA Single // Fault Statistics} % title of Table -\centering % used for centering table -\begin{tabular}{||l|c|c|l|l||} -\hline \hline - \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\ - \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\ -% R & wire & res + & res - & description -\hline -\hline -TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline -TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline - \hline -TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline -TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline -\hline -TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\ -TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline -\hline -\end{tabular} -\label{tab:stat_single} -\end{table} - -The FIT for the circuit as a whole is the sum of MTTF values for all the -test cases. The Pt100 circuit here has a FIT of 342.6. This is a MTTF of -about 360 years per circuit. - -A probabilistic tree can now be drawn, with a FIT value for the Pt100 -circuit and FIT values for all the component fault modes from which it was calculated. -We can see from this that the most likely fault is the thermistor going OPEN. -This circuit is around 10 times more likely to fail in this way than in any other. -Were we to need a more reliable temperature sensor, this would probably -be the fault~mode we would scrutinise first. 
- - -\begin{figure}[h+] +\begin{figure}[h] \centering - \includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png} - % stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327 - \caption{Probablistic Fault Tree : Pt100 Single Faults} - \label{fig:stat_single} + \includegraphics[width=350pt,keepaspectratio=true]{./CH4_FMMD/partitioncfm.png} + % partition.png: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264 + \caption{Base Component Failure Modes with OK mode as partitioned set} + \label{fig:partitioncfm} \end{figure} +\section{Components with Independent failure modes} -The Pt100 analysis presents a simple result for single faults. -The next analysis phase looks at how the circuit will behave under double simultaneous failure -conditions. +Suppose that we have a component that can fail simultaneously +with more than one failure mode. +This would make it seemingly impossible to model as `unitary state'. - - -\section{Double failure analysis} - -CITE PRICE MULTIPLE FAILURE PAPER. - -%\clearpage -\section{ Pt100 Double Simultaneous Fault Analysis} -\label{sec:Pt100d} -In this section we examine the failure mode behaviour for all single -faults and double simultaneous faults. -This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of -the failure modes in the functional group. -All the single faults have already been proved in the last section. -For the next set of test cases, let us again hypothesise -the failure modes, and then examine each one in detail with -potential divider equation proofs. - -Table \ref{tab:ptfmea2} lists all the combinations of double -faults and then hypothesises how the functional~group will react -under those conditions. 
- -\begin{table}[ht] -\caption{Pt100 FMEA Double Faults} % title of Table -\centering % used for centering table -\begin{tabular}{||l|l|c|c|l|l||} -\hline \hline - \textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ - \textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ -% R & wire & res + & res - & description -\hline -\hline - TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline - TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline -\hline - TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline - TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline -\hline - - TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline -TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline -\hline - TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline -TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline - -\hline - TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline -TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline -TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline -TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline -\hline -\end{tabular} -\label{tab:ptfmea2} -\end{table} - -\subsection{Verifying complete coverage for a cardinality constrained powerset of 2} - -\fmodegloss - - -It is important to check that we have covered all possible double fault combinations. -We can use the equation \ref{eqn:correctedccps2} +\paragraph{De-composition of complex component.} +There are two ways in which we can deal with this. +We could consider the component a composite +of two simpler components, and model their interaction to +create a derived component. 
\ifthenelse {\boolean{paper}} { -from the definitions paper -\ref{pap:compdef} -, -reproduced below to verify this. - -\indent{ - where: - \begin{itemize} - \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes. - \item The indexed set $C_j$ represents all components in set $SU$. - \item The function $FM$ takes a component as an argument and returns its set of failure modes. - \item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults. - \end{itemize} -} -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} -- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } - \label{eqn:correctedccps2} -\end{equation} - +This technique is outside the scope of this paper. } { -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} -- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } - %\label{eqn:correctedccps2} -\end{equation} +%This technique is dealt in section \ref{sec:symtomabstraction} which shows how derived components may be assembled. } +\begin{figure}[h] + \centering + \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco.png} + % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247 + \caption{Component with three failure modes as partitioned sets} + \label{fig:combco} +\end{figure} -$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes. +\paragraph{Combinations become new failure modes.} +Alternatively, we could consider the combinations +of the failure modes as new failure modes. 
+We can model this using an Euler diagram representation of +an example component with three failure modes\footnote{OK is really the empty set, but the term OK is more meaningful in +the context of component failure modes} $\{ B_1, B_2, B_3, OK \}$ see figure \ref{fig:combco}. -% -% Factorial of zero is one ! You can only arrange an empty set one way ! +For the purpose of example let us consider $\{ B_2, B_3 \}$ +to be intrinsically mutually exclusive, but $B_1$ to be independent. +This means the we have the possibility of two new combinations +$ B_1 \cap B_2$ and $ B_1 \cap B_3$. +We can represent these +as shaded sections of figure \ref{fig:combco2}. -Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2. -%is always 2 for this circuit, as all the components are resistors and have two failure modes. - -\begin{equation} - |{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}} -- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} } - %\label{eqn:correctedccps2} -\end{equation} - -$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check -under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time). - -Expanding the sumations - - -$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$ - -$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$ - -As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double) -we can be confident that we have looked at all `double combinations' of the possible faults -in the Pt100 circuit. The next task is to investigate -these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. 
- - -%\paragraph{Proof of Double Faults Hypothesis} - -\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } -\label{Pt100:bothfloating} -This double fault mode produces an interesting symptom. -Both sense lines are floating. -We cannot know what the {\adctw} readings on them will be. -% -In practise these would probably float to low values -but for the purpose of a safety critical analysis, -all we can say is that the values are `floating' and `unknown'. -This is an interesting case, because it is, at this stage an undetectable---or unobservable--- -fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{ACS:ACS1297,721666}. -%that must be handled. - - -\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } - -This cuts the supply from Vcc. Both sense lines will be at zero. -Thus both values will be out of range. - - -\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN } - -Sense- will be floating. -Sense+ will be tied to Vcc and will thus be out of range. - -\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT } - -This shorts ground to -both of the sense lines. -Both values will be out of range. - -\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN } - -This shorts both sense lines to Vcc. -Both values will be out of range. - - -\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT } - -This shorts the sense+ to Vcc and the sense- to ground. -Both values will be out of range. - - -\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN } - -This shorts the sense+ to Vcc and the sense- to ground. -Both values will be out of range. - -\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT } - -This shorts the sense+ and sense- to Vcc. -Both values will be out of range. - -\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN } - -This shorts the sense+ to Vcc and causes sense- to float. -The sense+ value will be out of range. - - -\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT } - -This shorts the sense+ and sense- to Vcc. 
-Both values will be out of range. +\begin{figure}[h] + \centering + \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco2.png} + % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247 + \caption{Component with three failure modes where $B_1$ is independent} + \label{fig:combco2} +\end{figure} - - -\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN } - -This shorts the sense- to Ground. -The sense- value will be out of range. - - -\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT } - -This shorts the sense+ and sense- to Vcc. -Both values will be out of range. - -%\clearpage - -\ifthenelse{\boolean{pld}} -{ -\subsection{Double Faults Represented on a PLD Diagram} - -We can show the test cases on a diagram with the double faults residing on regions -corresponding to overlapping contours see figure \ref{fig:plddouble}. -Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour. +We can calculate the probabilities for the shaded areas +assuming the failure modes are statistically independent +by multiplying the probabilities of the members of the intersection. +We can use the function $P$ to return the probability of a +failure mode, or combination thereof. +Thus for $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and $P(B_1 \cap B_3) = P(B_1)P(B_3)$. \begin{figure}[h] \centering - \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png} - % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 - \caption{Pt100 Double Simultaneous Faults} - \label{fig:plddouble} + \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco3.png} + % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247 + \caption{Component with two new failure modes} + \label{fig:combco3} \end{figure} -We use equation \ref{eqn:correctedccps2} to verify complete coverage for -a given cardinality constraint is not visually obvious. 
-% -From the diagram it is easy to verify -the number of failure modes considered for each test case, but -not that all for a given cardinality constraint have been included. -} -{ -} -\paragraph{Symptom Extraction} +We can now consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}). +Because of the combinations, the probabilities for the failure modes +$B_1, B_2$ and $B_3$ will now reduce. +We can use the prime character ($\; \prime \;$), to represent the altered value for a failure mode, i.e. +$B_1^\prime$ represents the altered value for $B_1$. +Thus +$$ P(B_1^\prime) = B_1 - P(B_1 \cap B_2) - P(B_1 \cap B_3)\; , $$ +$$ P(B_2^\prime) = B_2 - P(B_1 \cap B_2) \; and $$ +$$ P(B_3^\prime) = B_3 - P(B_1 \cap B_3) \; . $$ -We can now examine the results of the test case analysis and apply symptom abstraction. -In all the test case results we have at least one out of range value, except for -$TC\_7$ -which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$, -into the symptom $OUT\_OF\_RANGE$. -As a symptom $TC\_7$ could be described as $FLOATING$. +We now have two new component failure mode $B_4$ and $B_5$, shown in figure \ref{fig:combco3}. +We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P(B_1 \cap B_2)$. -\ifthenelse{\boolean{pld}} -{ -We can thus draw a PLD diagram representing the -failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures, -in figure \ref{fig:Pt100_doublef}. 
- -\begin{figure}[h] - \centering - \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png} - % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 - \caption{Pt100 Double Simultaneous Faults} - \label{fig:plddoublesymptom} -\end{figure} -} %% \ifthenelse {\boolean{pld}} -{ -} - -%\clearpage -\subsection{Derived Component : The Pt100 Circuit} -The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes, -{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. - -\ifthenelse{\boolean{pld}} -{ -It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}. -\begin{figure}[h] - \centering - \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png} - % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 - \caption{Pt100 Circuit Failure Modes : From Double Faults Analysis} - \label{fig:Pt100_doublef} -\end{figure} -} % \ifthenelse {\boolean{pld}} -{ -} - - -\subsection{Statistics} - -%% -%% Need to talk abou the `detection time' -%% or `Safety Relevant Validation Time' ref can book -%% EN61508 gives detection calculations to reduce -%% statistical impacts of failures. -%% - -If we consider the failure modes to be statistically independent we can calculate -the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition -requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF -together and find an MTTF for both failing. The FIT value of 12.42 corresponds to -$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $. -This is an astronomically small MTTF, and so small that it would -probably fall below a threshold to sensibly consider. -However, it is very interesting from a failure analysis perspective, -because here we have found a fault that we cannot detect at this -level. 
This means that should we wish to cope with -this fault, we need to devise a way of detecting this -condition in higher levels of the system. -\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}} @@ -1301,19 +912,19 @@ functional groups in the system we are examining. \pagebreak[3] \subsubsection{Example de-coupling capacitors in logic circuits} -A good example of this, are de-coupling capacitors, often used +A good example of a component failure that can +induce side effects in other components, are de-coupling capacitors, often used over the power supply pins of all chips in a digital logic circuit. Were any of these capacitors to fail $SHORT$, they could bring down the supply voltage to the other logic chips. - - +% To a power-supply, shorted capacitors on the supply rails are a potential source of the symptom, $SUPPLY\_SHORT$. In a logic chip/digital circuit {\fg} open capacitors are a potential source of symptoms caused by the failure mode $INTERFERENCE$. So we have a `symptom' of the power-supply, and a `failure~mode' of - the logic chip to consider. - +the logic chip to consider. +% A possible solution to this is to include the de-coupling capacitors in the power-supply {\fg}. % decision, could they be included in both places ???? 
@@ -1324,13 +935,14 @@ Because the capacitor has two potential failure modes (EN298), this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to a power-supply module (but there might be additional noise on its output rails). But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$. - +% Some logic chips are more susceptible to $INTERFERENCE$ than others. A logic chip with de-coupling capacitor failing, may operate correctly but interfere with other chips in the circuit. - -There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}.% poss split infinitive - +% +There is no reason why the de-coupling capacitors +could not be included {\em in the {\fg} they would intuitively be associated with as well}.% poss split infinitive +% This allows for the general principle of a component failure affecting more than one {\fg} in a circuit. This allows functional groups to share components where necessary. This does not break the modularity of the FMMD technique, because, as {\irl}, @@ -1341,3 +953,5 @@ the component causing the side effect into the wrong {\fg}, or only one germane \section{Evaluation} + +TO DO \ No newline at end of file diff --git a/submission_thesis/CH7_Conclusion/copy.tex b/submission_thesis/CH7_Conclusion/copy.tex index 8e931a8..1abbcd8 100644 --- a/submission_thesis/CH7_Conclusion/copy.tex +++ b/submission_thesis/CH7_Conclusion/copy.tex 
@@ -84,3 +84,214 @@ are added to UML diagram in figure \ref{fig:cfg} are represented in figure \ref \caption{FMMD UML diagram, incorporating Environmental, Operational State and Inhibit gates} \label{fig:cfg2} \end{figure} + + + + +%% 31JAN2012 + +\section{Statistics: From base component failure modes to System level events/failures.} + +Knowing the statistical likelihood of a component failing can give a good indication +of the reliability of a system, or in the case of dangerous failures, the Safety Integrity Level +of a system. +EN61508~\cite{en61508} requires that statistical data is available and used for all component failure modes +analysed in a system assigned a SIL level. +FMMD, as a bottom up methodology can use component failure mode statistical data, and incorporate it +into its hierarchical model. +By way of example the Pt100 example from section~\{sec:pt100} has been used to demonstrate this. + +\subsection{Pt100 Example: Single Failures and statistical data}. %Mean Time to Failure} + +Now that we have a model for the failure mode behaviour of the Pt100 circuit +we can look at the statistics associated with each of the failure modes. + +The DOD electronic reliability of components +document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating +the +%$\frac{failures}{{10}^6}$ +${failures}/{{10}^6}$ % looks better +in hours for a wide range of generic components +\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F +can give conservative reliability figures when applied to +modern components}. +% +Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor +failure statistics, we calculate the reliability of this circuit. + + +\paragraph{Resistor FIT Calculations} + +The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor +is reproduced in equation \ref{resistorfit}. 
The meanings +and values assigned to its co-efficients are described in table \ref{tab:resistor}. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + +\fmodegloss + +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E + \label{resistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Fixed film resistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + ${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:resistor} +\end{table} + +Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor} +give the following failures in ${10}^6$ hours: + +\begin{equation} + 0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours} + \label{eqn:resistor} +\end{equation} + +While MIL-HDBK-217F gives MTTF for a wide range of common components, +it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}. +%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. +% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011 +This example +compromises and uses a 90:10 ratio, for resistor failure. +Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED +in the other 10\%. 
+A standard fixed film resistor, for use in a benign environment, non military spec at +temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$) +hours of operation (see equation \ref{eqn:resistor}). +This figure is referred to as a FIT\footnote{FIT values are measured as the number of +failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the +FIT number the more reliable the fault~mode} Failure in time. + +The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in +equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}. + +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E + \label{thermistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Bead type Thermistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + %${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:thermistor} +\end{table} + + +\begin{equation} + 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours} + \label{eqn:thermistor} +\end{equation} + + +Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0 + +Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), +showing the FIT values for all faults considered. +\glossary{name={FIT}, description={Failure in Time (FIT). 
The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + + + +\begin{table}[h+] +\caption{Pt100 FMEA Single // Fault Statistics} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\ +% R & wire & res + & res - & description +\hline +\hline +TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline +TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline + \hline +TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline +TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline +\hline +TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\ +TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline +\hline +\end{tabular} +\label{tab:stat_single} +\end{table} + +The FIT for the circuit as a whole is the sum of MTTF values for all the +test cases. The Pt100 circuit here has a FIT of 342.6. This is a MTTF of +about 360 years per circuit. + +A probabilistic tree can now be drawn, with a FIT value for the Pt100 +circuit and FIT values for all the component fault modes from which it was calculated. +We can see from this that the most likely fault is the thermistor going OPEN. +This circuit is around 10 times more likely to fail in this way than in any other. +Were we to need a more reliable temperature sensor, this would probably +be the fault~mode we would scrutinise first. + + +\begin{figure}[h+] + \centering + \includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png} + % stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327 + \caption{Probablistic Fault Tree : Pt100 Single Faults} + \label{fig:stat_single} +\end{figure} + + +The Pt100 analysis presents a simple result for single faults. 
+The next analysis phase looks at how the circuit will behave under double simultaneous failure +conditions. + + +\subsection{Pt100 Example: Double Failures and statistical data} +Because we can perform double simultaneous failure analysis under FMMD +we can also apply failure rate statistics to double failures. +% +%% +%% Need to talk abou the `detection time' +%% or `Safety Relevant Validation Time' ref can book +%% EN61508 gives detection calculations to reduce +%% statistical impacts of failures. +%% +% +If we consider the failure modes to be statistically independent we can calculate +the FIT values for all the combinations failures in table~\label{tab:ptfmea2}. +The failure mode of concern, the undetectable {\textbf{FLOATING}} condition +requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF +together and find an MTTF for both failing. The FIT value of 12.42 corresponds to +$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $. +This is an astronomically small MTTF, and so small that it would +probably fall below a threshold to sensibly consider. +However, it is very interesting from a failure analysis perspective, +because here we have found a fault that we cannot detect at this +level. This means that should we wish to cope with +this fault, we need to devise a way of detecting this +condition in higher levels of the system. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}} + diff --git a/submission_thesis/appendixes/formal.tex b/submission_thesis/appendixes/formal.tex index 83436ec..b095b52 100644 --- a/submission_thesis/appendixes/formal.tex +++ b/submission_thesis/appendixes/formal.tex 
@@ -1,609 +1,96 @@ -%%%% FORMAL DEFINITIONS %%%% THESE MIGHT BE MOVED TO AN APPENDIX - - - -\chapter{Formal Definitions} -\label{sec:formalfmmd} -\section{An algebraic notation for identifying FMMD enitities} -Consider all `components' to exist as -members of a set $\mathcal{C}$. -% -Each component $c$ has an associated set of failure modes. -We can define a function $fm$ that returns a -set of failure modes $F$, for the component $c$. - -Let the set of all possible components be $\mathcal{C}$ -and let the set of all possible failure modes be $\mathcal{F}$. - -We now define the function $fm$ -as -\begin{equation} -\label{eqn:fm} -fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. -\end{equation} -This is defined by, where $c$ is a component and $F$ is a set of failure modes, -$ fm ( c ) = F. $ - -We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection -of components. -%We thus define $FG$ as a set of chosen components defining -%a {\fg}; all functional groups -We can state that -{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ - -We can overload the $fm$ function for a functional group {\FG} -where it will return all the failure modes of the components in {\FG} - - -given by - -$$ fm ({\FG}) = F. $$ - -Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, - -\begin{equation} -fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. -\end{equation} -\section{Relationships between functional~groups and failure modes} - -Let the set of all possible components be $\mathcal{C}$ -and let the set of all possible failure modes be $\mathcal{F}$, and $\mathcal{PF}$ -is the power-set of $\mathcal{F}$. - -In order to analyse failure mode effects we need to be able to determine the -failure modes of a component. We define a function $fm$ to perform this (see equation~\ref{eqn:fmset}). 
-\label{fmdef} - -\begin{equation} -fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F} - \label{eqn:fmset} -\end{equation} - -%% -% Above def gives below anyway -% -%The is defined by equation \ref{eqn:fminstance}, where C is a component and F is a set of failure modes. -% -%\begin{equation} -% fm ( C ) = F -% \label{eqn:fminstance} -%\end{equation} - -\paragraph{Finding all failure modes within the functional group.} - -For FMMD failure mode analysis %we need to consider the failure modes -from all the components in a functional~group. -In a functional group we have a collection of Components -which have associated failure mode sets. -we need to collect failure mode sets from the components and place them all -%modes -into a single set; this can be termed flattening the set of sets. -%%Consider the components in a functional group to be $C_1...C_N$. -The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components -in the functional~group and taking the union of them thus: - -%%$$ FSF = \bigcup_{j=1}^{N} fm(C_j) $$ -$$ FSF = \bigcup_{c \in FG} fm(c) \; .$$ - -We can actually overload the notation for the function $fm$ % FM -and define it for the set components within a functional group $\mathcal{FG}$ (i.e. where $\mathcal{FG} \subset \mathcal{C} $) -in equation \ref{eqn:fmoverload}. - -\begin{equation} -fm : \mathcal{FG} \rightarrow \mathcal{F} -\label{eqn:fmoverload} -\end{equation} - - -\section{Unitary State Component Failure Mode sets} -\label{sec:unitarystate} -\paragraph{Design Descision/Constraint} -An important factor in defining a set of failure modes is that they -should represent the failure modes as simply and minimally as possible. -It should not be possible, for instance, for -a component to have two or more failure modes active at once. -Were this to be the case, we would have to consider additional combinations of -failure modes within the component. 
-Having a set of failure modes where $N$ modes could be active simultaneously -would mean having to consider an additional $2^N-1$ failure mode scenarios. -Should a component be analysed and simultaneous failure mode cases exist, -the combinations could be represented by new failure modes, or -the component should be considered from a fresh perspective, -perhaps considering it as several smaller components -within one package. -This property, failure modes being mutually exclusive, is termed `unitary state failure modes' -in this study. -This corresponds to the `mutually exclusive' definition in -probability theory~\cite{probstat}. - - -\begin{definition} -A set of failure modes where only one failure mode -can be active at one time is termed a {\textbf{unitary~state}} failure mode set. -\end{definition} - -Let the set of all possible components be $ \mathcal{C}$ -and let the set of all possible failure modes be $ \mathcal{F}$. -The set of failure modes of a particular component are of interest -here. -What is required is to define a property for -a set of failure modes where only one failure mode can be active at a time; -or borrowing from the terms of statistics, the failure mode being an event that is mutually exclusive -with a set $F$. -We can define a set of failure mode sets called $\mathcal{U}$ to represent this -property for a set of failure modes. - -\begin{definition} -We can define a set $\mathcal{U}$ which is a set of sets of failure modes, where -the component failure modes in each of its members are unitary~state. -Thus if the failure modes of a component $F$ are unitary~state, we can say $F \in \mathcal{U}$ is true. -\end{definition} - -\section{Component failure modes: Unitary State example} - -An example of a component with an obvious set of ``unitary~state'' failure modes is the electrical resistor. - -Electrical resistors can fail by going OPEN or SHORTED. 
- -For a given resistor R we can apply the -function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $. -A resistor cannot fail with the conditions open and short active at the same time, -that would be physically impossible! The conditions -OPEN and SHORT are thus mutually exclusive. -Because of this, the failure mode set $F=fm(R)$ is `unitary~state'. -% -% -%Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist. +% %%%% FORMAL DEFINITIONS %%%% THESE MIGHT BE MOVED TO AN APPENDIX % -The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $, -therefore -$ fm(R) \in \mathcal{U} $. - - - -We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection -of component failure modes. -We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns -whether a fault mode is active (true) or dormant (false). - -We can say that if any pair of fault modes is active at the same time, then the failure mode set is not -unitary state: -we state this formally - - - \begin{equation} - \exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} - \end{equation} - - +% +% +% \chapter{Formal Definitions} +% \label{sec:formalfmmd} +% \section{An algebraic notation for identifying FMMD enitities} +% Consider all `components' to exist as +% members of a set $\mathcal{C}$. +% % +% Each component $c$ has an associated set of failure modes. +% We can define a function $fm$ that returns a +% set of failure modes $F$, for the component $c$. +% +% Let the set of all possible components be $\mathcal{C}$ +% and let the set of all possible failure modes be $\mathcal{F}$. +% +% We now define the function $fm$ +% as +% \begin{equation} +% \label{eqn:fm} +% fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. 
+% \end{equation} +% This is defined by, where $c$ is a component and $F$ is a set of failure modes, +% $ fm ( c ) = F. $ +% +% We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection +% of components. +% %We thus define $FG$ as a set of chosen components defining +% %a {\fg}; all functional groups +% We can state that +% {\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ +% +% We can overload the $fm$ function for a functional group {\FG} +% where it will return all the failure modes of the components in {\FG} +% +% +% given by +% +% $$ fm ({\FG}) = F. $$ +% +% Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, % % \begin{equation} -% c1 \cap c2 \neq \emptyset | c1 \neq c2 \wedge c1,c2 \in C \wedge C \not\in U +% fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. +% \end{equation} +% \section{Relationships between functional~groups and failure modes} +% +% Let the set of all possible components be $\mathcal{C}$ +% and let the set of all possible failure modes be $\mathcal{F}$, and $\mathcal{PF}$ +% is the power-set of $\mathcal{F}$. +% +% In order to analyse failure mode effects we need to be able to determine the +% failure modes of a component. We define a function $fm$ to perform this (see equation~\ref{eqn:fmset}). +% \label{fmdef} +% +% \begin{equation} +% fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F} +% \label{eqn:fmset} +% \end{equation} +% +% %% +% % Above def gives below anyway +% % +% %The is defined by equation \ref{eqn:fminstance}, where C is a component and F is a set of failure modes. +% % +% %\begin{equation} +% % fm ( C ) = F +% % \label{eqn:fminstance} +% %\end{equation} +% +% \paragraph{Finding all failure modes within the functional group.} +% +% For FMMD failure mode analysis %we need to consider the failure modes +% from all the components in a functional~group. 
+% In a functional group we have a collection of Components +% which have associated failure mode sets. +% we need to collect failure mode sets from the components and place them all +% %modes +% into a single set; this can be termed flattening the set of sets. +% %%Consider the components in a functional group to be $C_1...C_N$. +% The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components +% in the functional~group and taking the union of them thus: +% +% %%$$ FSF = \bigcup_{j=1}^{N} fm(C_j) $$ +% $$ FSF = \bigcup_{c \in FG} fm(c) \; .$$ +% +% We can actually overload the notation for the function $fm$ % FM +% and define it for the set components within a functional group $\mathcal{FG}$ (i.e. where $\mathcal{FG} \subset \mathcal{C} $) +% in equation \ref{eqn:fmoverload}. +% +% \begin{equation} +% fm : \mathcal{FG} \rightarrow \mathcal{F} +% \label{eqn:fmoverload} % \end{equation} -That is to say that it is impossible that any pair of failure modes can be active at the same time -for the failure mode set $F$ to exist in the family of sets $\mathcal{U}$. -Note where there are more than two failure~modes, -by banning any pairs from being active at the same time, -we have banned larger combinations as well. - -\subsection{Design Rule: Unitary State} - - - - -All components must have unitary state failure modes to be used with the FMMD methodology and -for base~components this is usually the case. Most simple components fail in one -clearly defined way and generally stay in that state. - -However, where a complex component is used, for instance a microcontroller -with several modules that could all fail simultaneously, a process -of reduction into smaller theoretical components will have to be made. -We can term this `heuristic~de-composition'. -A modern micro-controller will typically have several modules, which are configured to operate on -pre-assigned pins on the device. 
Typically voltage inputs (\adcten / \adctw), digital input and outputs, -PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}. -For instance the voltage reading functions which consist -of an ADC multiplexer and ADC can be considered to be components -inside the micro-controller package. -The micro-controller thus becomes a collection of smaller components -that can be analysed separately~\footnote{It is common for the signal paths -in a safety critical product to be traced, and when entering a complex -component like a micro-controller, the process of heuristic de-compostion -is then applied to it.}. - - - -\paragraph{Reason for Constraint.} Were this constraint to not be applied -each component would not contribute $N$ failure modes to consider but potentially -$2^N$. -% -This would make the job of analysing the failure modes -in a {\fg} impractical due to the sheer size of the task. -%Note that the `unitary state' conditions apply to failure modes within a component. -%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos - -\section{Handling Simultaneous Component Faults} - -For some integrity levels of static analysis, there is a need to consider not only single -failure modes in isolation, but cases where more then one failure mode may occur -simultaneously. -% -Note that the `unitary state' conditions apply to failure modes within a component. -This does not preclude the possibility of two or more components failing simultaneously. -% -%The scenarios presented deal with possibility of two or more components failing simultaneously. -% -It is an implied requirement of EN298~\cite{en298} for instance to -consider double simultaneous faults\footnote{Under the conditions -of LOCKOUT~\cite{en298} in an industrial burner controller that has detected one fault already. 
-However, from the perspective of static failure mode analysis, this amounts -to dealing with double simultaneous failure modes.}. -% -To generalise, we may need to consider $N$ simultaneous -failure modes when analysing a functional group. -% -This involves finding -all combinations of failures modes of size $N$ and less. -%The Powerset concept from Set theory is useful to model this. -% -The power-set, when applied to a set S is the set of all subsets of S, including the empty set -\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there -is no fault active in the functional~group under analysis.} -and S itself. -% -We augment the power-set concept here to deal with counting the number of -combinations of failures to consider, under the conditions of simultaneous failures. -% -In order to consider combinations for the set S where the number of elements in -each subset of S is $N$ or less, a concept of the `cardinality constrained power-set' -is proposed and described in the next section. - -%\pagebreak[1] -\section{Cardinality Constrained Power-set } -\label{ccp} - -A Cardinality Constrained power-set is one where subsets of a cardinality greater than a threshold -are not included. This threshold is called the cardinality constraint. -To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$. -Consider the set $S = \{a,b,c\}$. - -The power-set of S: - -$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$ - - -$\mathcal{P}_{\le 2} S $ means all non-empty subsets of S where the cardinality of the subsets is -less than or equal to 2. - -$$ \mathcal{P}_{\le 2} S = \{ \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} . $$ - -Note that $\mathcal{P}_{1} S $ (non-empty subsets where cardinality $\leq 1$) for this example is: - -$$ \mathcal{P}_{1} S = \{ \{a\},\{b\},\{c\} \} $$. 
- -\paragraph{Calculating the number of elements in a cardinality constrained power-set} - -A $k$ combination is a subset with $k$ elements. -The number of $k$ combinations (each of size $k$) from a set $S$ -with $n$ elements (size $n$) is the binomial coefficient~\cite{probstat} shown in equation \ref{bico}. - -\begin{equation} -C^n_k = {n \choose k} = \frac{n!}{k!(n-k)!} . -\label{bico} -\end{equation} - -To find the number of elements in a cardinality constrained subset S with up to $cc$ elements -in each combination sub-set, -we need to sum the combinations, -%subtracting $cc$ from the final result -%(repeated empty set counts) -from $1$ to $cc$ thus - -% -% $$ {\sum}_{k = 1..cc} {\#S \choose k} = \frac{\#S!}{k!(\#S-k)!} $$ -% - -\begin{equation} - |{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ cc! ( |{S}| - cc)!} . % was k in the frac part now cc - \label{eqn:ccps} -\end{equation} - - - -\subsection{Actual Number of combinations to check with Unitary State Fault mode sets} - -If all of the fault modes in $S$ were independent, -the cardinality constrained power-set -calculation (in equation \ref {eqn:ccps}) would give the correct number of test case combinations to check. -Because sets of failure modes in FMMD analysis are constrained to be unitary state, -the actual number of test cases to check will usually -be less than this. -This is because combinations of faults within a components failure mode set -are impossible under the conditions of unitary state failure mode. -To modify equation \ref{eqn:ccps} for unitary state conditions, we must subtract the number of component `internal combinations' -for each component in the functional group under analysis. -Note we must sequentially subtract using combinations above 1 up to the cardinality constraint. -For example, say -the cardinality constraint was 3, we would need to subtract both -$|{n \choose 2}|$ and $|{n \choose 3}|$ for each component in the functional~group. 
- -\subsubsection{Example: Two Component functional group cardinality Constraint of 2} - -For example: suppose we have a simple functional group with two components R and T, of which -$$fm(R) = \{R_o, R_s\}$$ and $$fm(T) = \{T_o, T_s, T_h\}.$$ - -This means that the functional~group $FG=\{R,T\}$ will have a component failure mode set -of $fm(FG) = \{R_o, R_s, T_o, T_s, T_h\}$ - -For a cardinality constrained powerset of 2, because there are 5 error modes ( $|fm(FG)|=5$), -applying equation \ref{eqn:ccps} gives :- - -$$ | P_2 (fm(FG)) | = \frac{5!}{1!(5-1)!} + \frac{5!}{2!(5-2)!} = 15.$$ - -This is composed of ${5 \choose 1}$ -five single fault modes, and ${5 \choose 2}$ ten double fault modes. -However we know that the faults are mutually exclusive within a component. -We must then subtract the number of `internal' component fault combinations -for each component in the functional~group. -For component R there is only one internal component fault that cannot exist -$R_o \wedge R_s$. As a combination ${2 \choose 2} = 1$. For the component $T$ which has - three fault modes ${3 \choose 2} = 3$. -Thus for $cc = 2$, under the conditions of unitary state failure modes in the components $R$ and $T$, we must subtract $(3+1)$. -The number of combinations to check is thus 11, $|\mathcal{P}_{2}(fm(FG))| = 11$, for this example and this can be verified -by listing all the required combinations: - - - -$$ \mathcal{P}_{2}(fm(FG)) = \{ - \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} - \} -$$ - -and whose cardinality is 11. 
% by inspection -%$$ -%| -%\{ -% \{R_o T_o\}, \{R_o T_s\}, \{R_o T_h\}, \{R_s T_o\}, \{R_s T_s\}, \{R_s T_h\}, \{R_o \}, \{R_s \}, \{T_o \}, \{T_s \}, \{T_h \} -%\} -%| = 11 -%$$ - - -\pagebreak[1] -\subsubsection{Establishing Formulae for unitary state failure mode -cardinality calculation} - -The cardinality constrained power-set in equation \ref{eqn:ccps}, can be modified for % corrected for -unitary state failure modes. -%This is written as a general formula in equation \ref{eqn:correctedccps}. - -%\indent{ -%To define terms : -%\begin{itemize} -%\item -Let $C$ be a set of components (indexed by $j \in J$) -that are members of the functional group $FG$ -i.e. $ \forall j \in J | C_j \in FG $. - -%\item -Let $|fm({C}_{j})|$ -indicate the number of mutually exclusive fault modes of component $C_j$. -%\item - -Let $fm(FG)$ be the collection of all failure modes -from all the components in the functional group. -%\item - -Let $SU$ be the set of failure modes from the {\fg} where all $FG$ is such that -components $C_j$ are in -`unitary state' i.e. $(SU = fm(FG)) \wedge (\forall j \in J | fm(C_j) \in \mathcal{U}) $, then -%\end{itemize} -%} - -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} - - {\sum_{j \in J} {|FM({C_{j})}| \choose 2}} . - \label{eqn:correctedccps} -\end{equation} - -Expanding the combination in equation \ref{eqn:correctedccps} - - -\begin{equation} - |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} -- {{\sum_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } . - \label{eqn:correctedccps2} -\end{equation} - -\paragraph{Use of Equation \ref{eqn:correctedccps2} } -Equation \ref{eqn:correctedccps2} is useful for an automated tool that -would verify that a single or double simultaneous failures model has complete failure mode coverage. 
-By knowing how many test cases should be covered, and checking the cardinality -associated with the test cases, complete coverage would be verified. - -%\paragraph{Multiple simultaneous failure modes disallowed combinations} -%The general case of equation \ref{eqn:correctedccps2}, involves not just dis-allowing pairs -%of failure modes within components, but also ensuring that combinations across components -%do not involve any pairs of failure modes within the same component. -%%%%- NOT SURE ABOUT THAT !!!!! -%%%- A recursive algorithm and proof is described in appendix \ref{chap:vennccps}. - -%%\paragraph{Practicality} -%%Functional Group may consist, typically of four or five components, which typically -%%have two or three failure modes each. Taking a worst case of mutiplying these -%%by a factor of five (the number of failure modes and components) would give -%%$25 \times 15 = 375$ -%% -%% -%% -%%\begin{verbatim} -%% -%%# define a factorial function -%%# gives 1 for negative values as well -%%define f(x) { -%% if (x>1) { -%% return (x * f (x-1)) -%% } -%% return (1) -%% -%%} -%%define u1(c,x) { -%% return f(c*x)/(f(1)*f(c*x-1)) -%%} -%%define u2(c,x) { -%% return f(c*x)/(f(2)*f(c*x-2)) -%%} -%% -%%define uc(c,x) { -%% return c * f(x)/(f(2)*f(x-2)) -%%} -%% -%%# where c is number of components, and x is number of failure modes -%%# define function u to calculate combinations to check for double sim failure modes -%%define u(c,x) { -%%f(c*x)/(f(1)*f(c*x-1)) + f(c*x)/(f(2)*f(c*x-2)) - c * f(c)/(f(2)*f(c-2)) -%%} -%% -%% -%%\end{verbatim} -%% - -\pagebreak[1] -\section{Component Failure Modes and Statistical Sample Space} -%\paragraph{NOT WRITTEN YET PLEASE IGNORE} -A sample space is defined as the set of all possible outcomes. -For a component in FMMD analysis, this set of all possible outcomes is its normal (or `correct') -operating state and all its failure modes. -We can consider failure modes as events in the sample space. 
-% -When dealing with failure modes, we are not interested in -the state where the component is working correctly or `OK' (i.e. operating with no error). -% -We are interested only in ways in which it can fail. -By definition, while all components in a system are `working~correctly', -that system will not exhibit faulty behaviour. -% -We can say that the OK state corresponds to the empty set. -% -Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is -%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$ -$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$ -The failure mode set $F$ for a given component or derived~component $C$ -is therefore -$ fm(C) = \Omega(C) \backslash \{OK\} $ -(or expressed as -$ \Omega(C) = fm(C) \cup \{OK\} $). - -The $OK$ statistical case is the (usually) largest in probability, and is therefore -of interest when analysing systems from a statistical perspective. -This is of interest for the application of conditional probability calculations -such as Bayes theorem~\cite{probstat}. - -The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian -statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}. -That is to say, a base component or a sub-system failure -has a probability of causing given system level failures\footnote{FMECA has a $\beta$ value that directly corresponds -to the probability that a given part failure mode will cause a given system level failure/event.}. - -Another way to view this is to consider the failure modes of a -component, with the $OK$ state, as a universal set $\Omega$, where -all sets within $\Omega$ are partitioned. -Figure \ref{fig:partitioncfm} shows a partitioned set representing -component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets -where the OK or empty set condition is included, obey unitary state conditions. 
-Because the subsets of $\Omega$ are partitioned, we can say these -failure modes are unitary state. - -\begin{figure}[h] - \centering - \includegraphics[width=350pt,keepaspectratio=true]{./CH4_FMMD/partitioncfm.png} - % partition.png: 510x264 pixel, 72dpi, 17.99x9.31 cm, bb=0 0 510 264 - \caption{Base Component Failure Modes with OK mode as partitioned set} - \label{fig:partitioncfm} -\end{figure} - -\section{Components with Independent failure modes} - -Suppose that we have a component that can fail simultaneously -with more than one failure mode. -This would make it seemingly impossible to model as `unitary state'. - - -\paragraph{De-composition of complex component.} -There are two ways in which we can deal with this. -We could consider the component a composite -of two simpler components, and model their interaction to -create a derived component. -\ifthenelse {\boolean{paper}} -{ -This technique is outside the scope of this paper. -} -{ -%This technique is dealt in section \ref{sec:symtomabstraction} which shows how derived components may be assembled. -} - -\begin{figure}[h] - \centering - \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco.png} - % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247 - \caption{Component with three failure modes as partitioned sets} - \label{fig:combco} -\end{figure} - -\paragraph{Combinations become new failure modes.} -Alternatively, we could consider the combinations -of the failure modes as new failure modes. -We can model this using an Euler diagram representation of -an example component with three failure modes\footnote{OK is really the empty set, but the term OK is more meaningful in -the context of component failure modes} $\{ B_1, B_2, B_3, OK \}$ see figure \ref{fig:combco}. - -For the purpose of example let us consider $\{ B_2, B_3 \}$ -to be intrinsically mutually exclusive, but $B_1$ to be independent. 
-This means the we have the possibility of two new combinations -$ B_1 \cap B_2$ and $ B_1 \cap B_3$. -We can represent these -as shaded sections of figure \ref{fig:combco2}. - -\begin{figure}[h] - \centering - \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco2.png} - % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247 - \caption{Component with three failure modes where $B_1$ is independent} - \label{fig:combco2} -\end{figure} - - - -We can calculate the probabilities for the shaded areas -assuming the failure modes are statistically independent -by multiplying the probabilities of the members of the intersection. -We can use the function $P$ to return the probability of a -failure mode, or combination thereof. -Thus for $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and $P(B_1 \cap B_3) = P(B_1)P(B_3)$. - - -\begin{figure}[h] - \centering - \includegraphics[width=200pt,bb=0 0 353 247,keepaspectratio=true]{./CH4_FMMD/compco3.png} - % compco.png: 353x247 pixel, 72dpi, 12.45x8.71 cm, bb=0 0 353 247 - \caption{Component with two new failure modes} - \label{fig:combco3} -\end{figure} - - -We can now consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}). -Because of the combinations, the probabilities for the failure modes -$B_1, B_2$ and $B_3$ will now reduce. -We can use the prime character ($\; \prime \;$), to represent the altered value for a failure mode, i.e. -$B_1^\prime$ represents the altered value for $B_1$. -Thus -$$ P(B_1^\prime) = B_1 - P(B_1 \cap B_2) - P(B_1 \cap B_3)\; , $$ -$$ P(B_2^\prime) = B_2 - P(B_1 \cap B_2) \; and $$ -$$ P(B_3^\prime) = B_3 - P(B_1 \cap B_3) \; . $$ - -We now have two new component failure mode $B_4$ and $B_5$, shown in figure \ref{fig:combco3}. -We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P(B_1 \cap B_2)$. - - -
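Review bot: the removed text defines the per-component term as $|fm(C_j)|$ but equation \ref{eqn:correctedccps} subtracts ${|FM(C_j)| \choose 2}$ and equation \ref{eqn:correctedccps2} again writes $|FM(C_j)|$; if this block is being relocated (per the commit message) rather than dropped, settle on one spelling of $fm$ at its new location. The same pass should fix the probability expressions near the end of the hunk, where $P(B_1^\prime) = B_1 - P(B_1 \cap B_2) - P(B_1 \cap B_3)$ mixes an event with a probability and should read $P(B_1^\prime) = P(B_1) - P(B_1 \cap B_2) - P(B_1 \cap B_3)$ (likewise $P(B_2)$ and $P(B_3)$ on the following two lines), and "two new component failure mode $B_4$ and $B_5$" should be plural. The long commented-out `bc` factorial script and the commented "NOT SURE ABOUT THAT" paragraph are dead text; dropping them rather than carrying them to the destination would keep the moved section readable.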