robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Chapter 5 gone trhough a printout--edit on paper--update

Browse Source 
cycle.
This commit is contained in:
Robin Clark 2012-10-27 16:48:37 +01:00
parent 36025181b7
commit 8d39f0c310
3 changed files with 116 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
submission_thesis/CH5_Examples/Makefile
View File

@ -6,7 +6,7 @@ PNG_DIA = blockdiagramcircuit2.png bubba_oscillator_block_diagram.png circuit1
pt100_tc.png pt100_tc_sp.png shared_component.png stat_single.png three_tree.png \
tree_abstraction_levels.png vrange.png sigma_delta_block.png ftcontext.png ct1.png hd.png \
sigdel1.png sdadc.png bubba_euler_1.png bubba_euler_2.png eulersd.png eulersdfinal.png \
eulerfivepole.png
eulerfivepole.png eulerswhw.png

193
submission_thesis/CH5_Examples/copy.tex
View File

@ -26,17 +26,17 @@ a variety of typical embedded system components including analogue/digital and e
%Each example has been chosen to demonstrate
%FMMD applied to
%
The first section
~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs}
(in the context of the safety standards
we are using for our particular project).
% % The first section
% % ~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs}
% % (in the context of the safety standards
% % we are using for our particular project).
%
This is followed by several example FMMD analyses,
the first analysing a common configuration of
%This is followed by several example FMMD analyses,
The first applies FMMD to a common configuration of
the inverting amplifier (see section~\ref{sec:invamp}) using
an op-amp and two resistors, which demonstrates how the re-use of the potential divider from section~\ref{subsec:potdiv}.
The inverting amplifier is analysed again, but this time with different
{\fgs}. The two approaches, i.e. choice of membership for {\fgs}, are then discussed.
an op-amp and two resistors; this demonstrates how the re-use of the potential divider from section~\ref{subsec:potdiv}.
The inverting amplifier is analysed again, but this time with a different
composition of {\fgs}. The two approaches, i.e. choice of membership for {\fgs}, are then discussed.
%~\ref{sec:chap4}
%can be re-used. %, but with provisos.
%
@ -44,19 +44,21 @@ The inverting amplifier is analysed again, but this time with different
%(see section~\ref{sec:diffamp})
Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used
to create a differencing amplifier.
Building on the two approaches section~\ref{sec:invamp}, re-use of the potential divider {\dc}
Building on the two approaches from section~\ref{sec:invamp}, re-use of the non-inverting amplifier {\dc} from section~\ref{sec:invamp}
is discussed in the context of this circuit,
where its re-use is appropriate in the first stage and
not in the second.
%
Section~\ref{sec:fivepolelp} analyses a Sallen-Key based five pole low pass filter.
This demonstrates FMMD being able to re-use the first Sallen-Key analysis, %encountered as a {\dc}
thus saving time and effort for the analyst.
This demonstrates re-use the first Sallen-Key analysis, %encountered as a {\dc}
increasing test effeciency. %saving time and effort for the analyst.
%
Section~\ref{sec:bubba} shows FMMD applied to a circular circuit topology---the `Bubba' oscillator---which uses
four op-amp stages with supporting components.
four op-amp stages with supporting components. Two analysis stategies are employed, one using
initially identified {\fgs} and the second using a more complex hierarchy of {\fgs} and {\dcs}.
%
Section~\ref{sec:sigmadelta} shows FMMD analysing the sigma delta analogue to digital converter---again with a circular signal path---but which also operates on both
Section~\ref{sec:sigmadelta} shows FMMD analysing the sigma delta
analogue to digital converter---again with a circular signal path---which operates on both
analogue and digital signals.
%
% Moving Pt100 to metrics
@ -604,11 +606,15 @@ Both approaches are followed in the next two sub-sections.
\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
We cannot simply re-use the $PD$ from section~\ref{subsec:potdiv}---that potential divider would only be valid if the input signal were negative.
We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'.
If we can refine the operational states of the functional group, we can obtain clearer
symptoms.
If we consider the input will only be positive, we can invert the potential divider (see table~\ref{tbl:pdneg}).
We cannot simply re-use the $PD$ from section~\ref{subsec:potdiv}, not simply because
the potential divider is inverted, but, in addition the
output feedback forms a current balance with the input signal. %---that potential divider would only be valid if the input signal were negative.
%We want if possible to have detectable errors.
%HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'.
%If we can refine the operational states of the functional group, we can obtain clearer
%symptoms.
Were the input to be guaranteed % the input will only be
positive, we could the potential divider (see table~\ref{tbl:pdneg}).
\begin{table}[h+]
\caption{Inverted Potential divider: Single failure analysis}
@ -909,7 +915,7 @@ the input voltages $+V1$ and $+V2$.
The circuit is configured so that both inputs use the non-inverting,
and thus high impedance inputs, meaning that they will not
electrically over-load and/or unduly influence
the sensors supplying the voltage signals used for measurement.
the sensors or circuitry supplying the voltage signals used for measurement.
It would be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
We begin by identifying functional groups from the components in the circuit.
@ -1135,7 +1141,7 @@ $$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} .$$
%the derived component for $NI\_AMP$
\pagebreak[4]
\subsection{Modelling the circuit}
\subsection{Finishing stage of the $DiffAmp$ Analysis}
For the final stage of this we can create a functional group consisting of
two derived components of the type $NI\_AMP$ and $SEC\_AMP$.
@ -1155,9 +1161,9 @@ two derived components of the type $NI\_AMP$ and $SEC\_AMP$.
% R & wire & res + & res - & description
\hline
\hline
TC1: $NI\_AMP$ AMPHigh & opamp 2 driven high & DiffAMPLow \\
TC2: $NI\_AMP$ AMPLow & opamp 2 driven low & DiffAMPHigh \\
TC3: $NI\_AMP$ LowPass & opamp 2 driven with lag & DiffAMP\_LP \\ \hline
TC1: $NI\_AMP$ AMPHigh & IC2 output driven high & DiffAMPLow \\
TC2: $NI\_AMP$ AMPLow & IC2 output driven low & DiffAMPHigh \\
TC3: $NI\_AMP$ LowPass & IC2 output with lag & DiffAMP\_LP \\ \hline
TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & DiffAMPHigh\\
TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & DiffAMPLow \\
TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & DiffAMP\_LP \\
@ -1170,10 +1176,8 @@ two derived components of the type $NI\_AMP$ and $SEC\_AMP$.
Collecting the symptoms, we can determine the failure modes for this circuit, $\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$.
We now create a derived component to represent the circuit in figure~\ref{fig:circuit1}.
Collecting symptoms we determine the failure modes for this circuit, %$\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$.
and create a derived component to represent the circuit in figure~\ref{fig:circuit1}.
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$
@ -1185,7 +1189,7 @@ Using this we can trace any top level fault back to
a component failure mode that could have caused it\footnote{ In fact we can
re-construct an FTA diagram from the information in this graph.
We merely have to choose a top level event and work down using $XOR$ gates.}.
%
This circuit performs poorly from a safety point of view.
Its failure modes could be indistinguishable from valid readings (especially
when it becomes a V2 follower).
@ -1199,13 +1203,13 @@ when it becomes a V2 follower).
\end{figure}
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is impossible to detect in this circuit---
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508~\cite{en61508}
terminology is called an undetectable fault.
%
Were this failure to have safety implications this FMMD analysis will have revealed
Were this failure to have safety implications, this FMMD analysis will have revealed
the un-observability and would likely prompt re-design of this
circuit\footnote{A typical way to solve an un-observability such as this is
to periodically switch in test signals in place of the input signal.}
to periodically switch in test signals in place of the input signal.}.
\clearpage
@ -1248,15 +1252,17 @@ We begin with the first order low pass filter formed by $R10$ and $C10$.
%
This configuration (or {\fg}) is very commonly
used in electronics to remove unwanted high frequencies/interference
from a signal; Here it is being used as a first stage of
from a signal; here it is being used as a first stage of
a more sophisticated low pass filter.
%
R10 and C10 act as a potential divider, with the crucial difference between a purely resistive potential divider being
that the impedance of the capacitor is lower for higher frequencies.
%
Thus higher frequencies are attenuated at the point that we
read its output signal.
%
However, from a failure mode perspective we can analyse it in a very similar way
to a potential divider (see section~\ref{potdivfmmd}).
to a potential divider (see section~\ref{subsec:potdiv}).
Capacitors generally fail OPEN but some types fail OPEN and SHORT.
We will consider the worst case two failure mode model for this analysis.
We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\
@ -1285,7 +1291,7 @@ We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\
\end{table}
We can collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component
We collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component
called $FirstOrderLP$. Applying the $fm$ function yields $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
\paragraph{Addition of Buffer Amplifier: First stage.}
@ -1346,7 +1352,7 @@ on the schematic as in figure~\ref{fig:circuit2002_LP1}.
\paragraph{Second order Sallen Key Low Pass Filter.}
The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
From a failure mode perspective these are identical.
We can analyse the first one and then re-use these results for the second.
We can analyse the first one and then re-use these results for the second (see figure~\ref{fig:circuit2002_FIVEPOLE}).
\begin{table}[ht]
\caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table
@ -1572,10 +1578,10 @@ Our functional group for the phase shifter consists of a resistor and a capacito
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FS1: R SHORT & 0 degree's of phase shift & $0\_phaseshift$ \\ \hline
% 90 degree's of phase shift & & $90\_phaseshift$ \\ \hline
FS1: R SHORT & 0 degree's of phase shift & $0\_phaseshift$ \\
% 90 degree's of phase shift & & $90\_phaseshift$
FS2: R OPEN & No Signal & $nosignal$ \\ \hline
FS3: C SHORT & Grounded,No Signal & $nosignal$ \\ \hline
FS3: C SHORT & Grounded,No Signal & $nosignal$ \\
FS4: C OPEN & 0 degree's of phase shift & $0\_phaseshift$ \\ \hline
\hline
@ -1650,7 +1656,7 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}.
FS1: $PHS45_1$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS3: $PHS45_1$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS3: $NIBUFF_1$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
@ -1669,7 +1675,7 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}.
FS12: $NIBUFF_2$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS13: $PHS45_3$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS14: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS14: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS17: $PHS45_3$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS15: $NIBUFF_3$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
@ -1678,7 +1684,7 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}.
FS18: $NIBUFF_3$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS19: $PHS45_4$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS20: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS20: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS24: $PHS45_4$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS21: $INVAMP$ $OUTOFRANGE$ & & signal lost & & $NO_{osc}$ \\
@ -1746,20 +1752,36 @@ We should be able to determine smaller {\fgs} and refine the model further.
\label{fig:bubbaeuler2}
\end{figure}
\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator}
%
We take the pre-analysed $NIBUFF$ and $PHS45$
{\dcs} into a {\fg} giving the {\dc} $BUFF45$.
$BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
and with those three, form a $PHS135BUFFERED$
functional group.
$PHS135BUFFERED$ is a {\dc} representing an actively buffered $135^{\circ}$ phase shifter.
We use the pre-analysed $NIBUFF$ and $PHS45$
{\dcs} to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the
{\dc} $BUFF45$.
%
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers always apply a $180^{\circ}$ phase shift.},
Thus, $BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
%
From the block circuit diagram (figure~\ref{fig:circuit3}), we see that there are three
$45^{\circ}$ phase shifter circuits in series. Together these apply a $135^{\circ}$ phase shift to the signal.
%
We use this property to model a higher level {\dc}, that of a 135 degree phase shifter.
%
The three $BUFF45$ {\dcs} form a
functional group which is analysed in table~\ref{tbl:phs135buffered}.
The result of this analysis is the {\dc}
$PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter.
%
\paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator}
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.},
form a {\fg}
providing an amplified $225^{\circ}$ phase shift, which we can call $PHS225AMP$.
providing an amplified $225^{\circ}$ phase shift, analysed in table~\ref{tbl:phs225amp}
resulting in the {\dc} $PHS225AMP$.
%
%---with the remaining $PHS45$ and the $INVAMP$ (re-used from section~\ref{sec:invamp})in a second group $PHS225AMP$---
Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see figure~{fig:bubbaeuler2}) % \ref{fig:poss2finalbubba})
Finally we form a final {\fg} with $PHS135BUFFERED$ and $PHS225AMP$,
%in a final stage (see figure~{fig:bubbaeuler2}) % \ref{fig:poss2finalbubba})
%
%We can take a more modular approach by creating two intermediate functional groups, a buffered $45^{\circ}$ phase shifter (BUFF45)
%we can combine three $BUFF45$'s to make
@ -1784,7 +1806,7 @@ Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see fig
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $0\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
%FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $90\_phaseshift$ \\ \hline
FS3: $NIBUFF_1$ $L_{up}$ & & output high & & $NO_{signal}$ \\
@ -1820,15 +1842,15 @@ We can now combine three $BUFF45$ {\dcs} and create a $PHS135BUFFERED$ {\dc}.
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
%FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS3: $PHS45_2$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS4: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS4: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
% FS6: $PHS45_2$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS5: $PHS45_3$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS6: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS6: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
% FS9: $PHS45_3$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
@ -1864,7 +1886,7 @@ $INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$.
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $180\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
% FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $270\_phaseshift$ \\ \hline
FS3: $INVAMP$ $L_{up}$ & & output high & & $NO_{signal}$ \\
@ -1968,7 +1990,7 @@ there are more {\dcs} and this increases the potential for re-use of pre-analyse
The following example is used to demonstrate FMMD analysis of a mixed analogue and digital circuit (see figure~\ref{fig:sigmadelta}).
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./CH5_Examples/circuit4004.png}
\includegraphics[width=300pt]{./CH5_Examples/circuit4004.png}
% circuit4004.png: 562x389 pixel, 72dpi, 19.83x13.72 cm, bb=0 0 562 389
\caption{Sigma Delta Analogue to Digital Converter}
\label{fig:sigmadelta}
@ -1980,7 +2002,7 @@ The following example is used to demonstrate FMMD analysis of a mixed analogue a
%
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./CH5_Examples/sigma_delta_block.png}
\includegraphics[width=300pt,keepaspectratio=true]{./CH5_Examples/sigma_delta_block.png}
% sigma_delta_block.png: 828x367 pixel, 72dpi, 29.21x12.95 cm, bb=0 0 828 367
\caption{Electrical signal path Block diagram: \sd} % Analogue to Digital Converter }
\label{fig:sigmadeltablock}
@ -2003,15 +2025,17 @@ The output of the integrator is converted to a digital level (by IC2)
%which acts as a comparator,
and fed to the D type flip flop.
%
The output of the flip flop forms a bit pattern representing the value
of the input voltage.
%
The output of the flip flop is also routed to the feedback.
It is level converted to an analogue signal
%
The output of the flip flop is routed to the digital output and to the feedback loop.
It must be level converted before being fed to the analogue feedback.
It is level converted to an analogue signal by IC3.
(i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage)
and fed into the summing integrator completing the negative feedback loop.
%
In essence this implements an over-sampling analogue to digital converter~\cite{ehb}[pp.729-730].
In essence this implements an over-sampling one bit analogue to digital converter~\cite{ehb}[pp.729-730].
The output of the flip flop forms a bit pattern representing the value
of the input voltage (i.e. the value of the sum of 1's and 0's is proportional to the voltage value at the input).
\subsection{FMMD analysis of \sd }
@ -2026,7 +2050,7 @@ IC1,2 and 3 are all OpAmps and we have failure modes from section~\ref{sec:opamp
%
$$ fm(OPAMP) = \{ HIGH, LOW, NOOP, LOW\_SLEW \} $$
%
We examine the literature for a failure model for the D-type flip flop~\cite{fmd91}[3-105], the CD4013B~\cite{cd4013Bds},
We examine the literature for a failure model for the D-type flip flop~\cite{fmd91}[3-105], for example the CD4013B~\cite{cd4013Bds},
and obtain its failure modes, which we can express using the $fm$ function:
%%
$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
@ -2045,7 +2069,7 @@ $$ fm ( CLOCK ) = \{ STOPPED \} $$
\subsection{Identifying initial {\fgs}}
\subsubsection{Summing Junction Integrator (SUMJINT)}
We now need to choose {\fgs}. The most obvious way to find initial {\fgs} id
We now need to choose {\fgs}. The most obvious way to find initial {\fgs} is
to follow the signal path. The signal path is circular, but we can start
with the input voltage, which is applied via $R2$, we term this voltage $V_{in}$.
%
@ -2279,8 +2303,8 @@ These are:
\item SUMJINT --- A summing junction and integrator,
\item HISB --- A High impedance buffer,
\item DIGITALBUFF --- A one bit digital buffer,
\item DL2AL --- A digital to analog level converter.
\item DIGBUF --- A digital one bit buffer/memory
\item DL2AL --- A digital to analog level converter,
\item DIGBUF --- A digital one bit buffer/memory.
\end{itemize}
These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}.
We now use these {\dcs} to create higher level {\fgs}.
@ -2323,7 +2347,7 @@ $$ FG = \{ HISB, SUMJINT \} $$
\begin{table}[h+]
\caption{ $HISB , SUMJINT$ buffered integrating summing junction($BISJ$): Failure Mode Effects Analysis} % title of Table
\label{tbl:DS2AS}
\label{tbl:BISJ}
\begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
@ -2390,12 +2414,11 @@ We analyse the buffered flip flop circuitry in table~\ref{tbl:digbuf}.
\hline \hline
FS1: $DIGBUF$ $STOPPED$ & & output stuck & & $OUTPUT STUCK$ \\
FS2: $DIGBUF$ $LOW$ & & output stuck low & & $OUTPUT STUCK$ \\
\\ \hline
FS2: $DIGBUF$ $LOW$ & & output stuck low & & $OUTPUT STUCK$ \\ \hline
%\hline
FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\
FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\ \hline
FS5: $DL2AL$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\
FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\
FS5: $DL2AL$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\ \hline
\hline
@ -2607,14 +2630,15 @@ and the subsequent hierarchy. With software already written, that hierarchy is f
Software written for safety critical systems is usually constrained to
be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}.
Because of this we can assume a direct call tree. Functions call functions
Because of this we can assume direct call trees~\footnote{A typical embedded system
will have a run time call tree, and interrupt driven call tress}. Functions call functions
from the top down and eventually call the lowest level library or IO
functions that interact with hardware/electronics.
What is potentially difficult with a software function, is deciding what
its failure modes and symptoms are.
With electronic components, we can use literature to point us to suitable sets of
{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}.%~\cite{en61508}~\cite{en298}.
{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}. %~\cite{en61508}~\cite{en298}.
With software, only some library functions are well known and rigorously documented
enough to have the equivalent of known failure modes.
Most software is `bespoke'. We need a different strategy to
@ -2674,7 +2698,8 @@ Should the driving electronics go wrong at the source end, it will usually
supply far too little or far too much current, also making error conditions easy to detect.
%
At the receiving end, we only require one simple component to convert the
current signal into a voltage that we can read with an ADC: a resistor. % the humble resistor!
current signal into a voltage that we can read with an AD---a resistor---given
its properties defined by Ohms law. % the humble resistor!
%BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP
@ -3120,14 +3145,22 @@ $$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\} .$$
We can now represent the software/hardware FMMD analysis
as a hierarchical diagram, see figure~\ref{fig:hd}.
as a hierarchical diagram, see figure~\ref{fig:eulerswhw}. % see figure~\ref{fig:hd}.
% HTR 27OCT2012 % \begin{figure}[h]
% HTR 27OCT2012 % \centering
% HTR 27OCT2012 % \includegraphics[width=200pt]{./CH5_Examples/hd.png}
% HTR 27OCT2012 % % hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520
% HTR 27OCT2012 % \caption{FMMD hierarchy with hardware and software elements}
% HTR 27OCT2012 % \label{fig:hd}
% HTR 27OCT2012 % \end{figure}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./CH5_Examples/hd.png}
% hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520
\caption{FMMD hierarchy with hardware and software elements}
\label{fig:hd}
\includegraphics[width=300pt]{./CH5_Examples/eulerswhw.png}
% eulerswhw.png: 510x344 pixel, 72dpi, 17.99x12.14 cm, bb=0 0 510 344
\caption{Euler diagram showing relationship between {\dcs} determined from electronics and software.}
\label{fig:eulerswhw}
\end{figure}

BIN
submission_thesis/CH5_Examples/eulerswhw.dia Normal file
View File

Binary file not shown.