diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index 19c375f..e2aaa78 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex 
@@ -1,5 +1,586 @@ \section{Copy dot tex} + + +\subsection{An algebraic notation for identifying FMMD enitities} +Consider all `components' to exist as +members of a set $\mathcal{C}$. +% +Each component $c$ has an associated set of failure modes. +We can define a function $fm$ that returns a +set of failure modes $F$, for the component $c$. + +Let the set of all possible components be $\mathcal{C}$ +and let the set of all possible failure modes be $\mathcal{F}$. + +We now define the function $fm$ +as +\begin{equation} +\label{eqn:fm} +fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. +\end{equation} +This is defined by, where $c$ is a component and $F$ is a set of failure modes, +$ fm ( c ) = F. $ + +We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection +of components. +%We thus define $FG$ as a set of chosen components defining +%a {\fg}; all functional groups +We can state that +{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ + +We can overload the $fm$ function for a functional group {\FG} +where it will return all the failure modes of the components in {\FG} + + +given by + +$$ fm ({\FG}) = F. $$ + +Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, + +\begin{equation} +fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. +\end{equation} + + +%$$ \mathcal{fm}(C) \rightarrow S $$ +%$$ {fm}(C) \rightarrow S $$ +\paragraph{Abstraction Levels of {\fgs} and {\dcs}} + + +\label{sec:indexsub} +We can indicate the abstraction level of a component by using a superscript. +Thus for the component $c$, where it is a `base component' we can assign it +the abstraction level zero, $c^0$. Should we wish to index the components +(for example as in a product parts-list) we can use a sub-script. +Our base component (if first in the parts-list) could now be uniquely identified as +$c^0_1$. + +We can further define the abstraction level of a {\fg}. 
+We can say that it is the maximum abstraction level of any of its +components. Thus a functional group containing only base components +would have an abstraction level zero and could be represented with a superscript of zero thus +`${\FG}^0$'. % The functional group set may also be indexed. + +We can apply symptom abstraction to a {\fg} to find +its symptoms. +%We are interested in the failure modes +%of all the components in the {\fg}. An analysis process +We define the symptom abstraction process with the symbol `$\bowtie$'.% is applied to the {\fg}. +% +The $\bowtie$ function takes a {\fg} +as an argument and returns a newly created {\dc}. +% +%The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}. +The symptom abstraction process must always raise the abstraction level +for the newly created {\dc}. +Using $\abslevel$ to symbolise the fault abstraction level, we can now state: + +$$ \bowtie({\FG}^{\abslevel}) \rightarrow c^{{\abslevel}+N} | N \ge 1. $$ + +\paragraph{Functional Groups may be indexed} +We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one) +we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index. +For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy. + +\paragraph{The symptom abstraction process in outline.} +The $\bowtie$ function processes each component in the {\fg} and +extracts all the component failure modes. +With all the failure modes, an analyst can +determine how each failure mode will affect the {\fg}, and then collect common symptoms. +A new {\dc} is created +where its failure modes, are the symptoms from {\fg}. +Note that the component must have a higher abstraction level than the {\fg} +it was derived from. 
+ + +\paragraph{Surjective constraint applied to symptom collection.} +We can stipulate that symptom collection process is surjective. +% i.e. $ \forall f in F $ +By stipulating surjection for symptom collection, we ensure +that each component failure mode maps to at least one symptom. +We also ensure that all symptoms have at least one component failure +mode (i.e. one or more failure modes that caused it). +% + +\subsection{FMMD Hierarchy} + +By applying stages of analysis to higher and higher abstraction +levels, we can converge to a complete failure mode model of the system under analysis. +Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms) +the number of symptoms is guaranteed to be less than or equal to +the number of component failure modes. + +In practise however, the number of symptoms greatly reduces as we traverse +up the hierarchy. +This is a natural process. When we have complicated systems +they always have a small number of system failure modes in comparison to +the number of failure modes in its sub-systems/components.. + + +\section{Examples of Derived Component like concepts in safety literature} + +Idea stage on this section, integrated circuits and some compond parts (like digital resistors) +are treated like base components. i.e. this sets a precedent for {\dcs}. + +\begin{itemize} + \item Look at OPAMP circuits, pick one (say $\mu$741) + \item Digital transistor perhaps, inside two resistors and a transistor. + \item outline a proposed FMMD analysis + \item Show FMD-91 OPAMP failure modes -- compare with FMMD +\end{itemize} + +The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors +(and for some types of resistors OPEN only). +FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes. +Now a resistor will generally only suffer parameter change when over stressed. 
+EN298 stipulates down rating by 60\% to maximum stress +possible in a circuit. So even if you have a resistor that preliminary tells you would +never be subjected to say more than 5V, but there is say, a 24V rail +on the circuit, you have to choose resistors able to cope with the 24V +stress/load and then down rate by 60\%. That is to say the resitor should be rated for a maximum +voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$. +Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals. + +\clearpage +Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself. + + +\subsection{{\fgs} Sharing components and Hierarchy} + +With electronics we need to follow the signal path to make sense of failure modes +effects on other parts of the circuit further down that path. +%{\fgs} will naturally have to be in the position of starter +A power-supply is naturally first in a signal path (or failure reasoning path). +That is to say, if the power-supply is faulty, its failure modes are likely to affect +the {\fgs} that have to use it. + +This means that most electronic components should be placed higher in an FMMD +hierarchy than the power-supply. +A shorted de-coupling capactitor caused a `symptom' of the power-supply, +and an open de-coupling capactitor should be considered a `failure~mode' relevant to the logic chip. +% to consider. + +If components can be shared between functional groups, this means that components +must be shareable between {\fgs} at different levels in the FMMD hierarchy. +This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown +in figure~\ref{fig:shared_component}. 
+ +\begin{figure} + \centering + \includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png} + % shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670 + \caption{Optionally shared Component} + \label{fig:shared_component} +\end{figure} + +\subsection{Hierarchy and structure} +By having this structure, the logic circuit element, can accept failure modes from the +power-supply (for instance these might, for the sake of example include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$. +Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say. +But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy. + +\pagebreak[4] +\section{Defining the concept of `comparison~complexity' in FMEA} + +% +% DOMAIN == INPUTS +% RANGE == OUTPUTS +% + +When performing FMEA we have a system under investigation, which will +comprise of a collection of components which have associated failure modes. +The object of FMEA is to determine cause and effect: +from the failure modes (the causes) to the effects (or symptoms of failure). +% +To perform FMEA rigorously +we could stipulate that every failure mode must be checked for effects +against all the components in the system. +We could term this `rigorous~FMEA'~(RFMEA). +The number of checks we have to make to achieve this gives an indication of the complexity of the task. +% +We could term this `comparison~complexity', as it is the number of +paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group. + + +% (except its self of course, that component is already considered to be in a failed state!). +% +Obviously, for a small number of components and failure modes we have a smaller number +of checks to make than for a complicated larger system. +% +We can consider the system as a large {\fg} of components. 
+We represent the number of components in the {\fg} $G$, by +$ | G | $ +(an indexing and sub-scripting notation to identify particular {\fgs} +within an FMMD hierarchy is given in section~\ref{sec:indexsub}). + +The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}). +We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$ + +If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express +the number of checks required to rigorously examine every +failure mode against all the other components in the system. +We can define this as a function, Comparison Complexity, $CC$, with its domain as the system +or {\fg}, $\FG$, and +its range as the number of checks to perform to satisfy a rigorous FMEA inspection. + +Where $\mathcal{\FG}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by, +\begin{equation} +%$$ + CC:\mathcal{\FG} \rightarrow \mathbb{N}, +%$$ +\end{equation} + +and, where n is the number of components in the system/{\fg}, $|fm(c_i)|$ is the number of failure modes +in component ${c_i}$, is given by + +\begin{equation} +\label{eqn:CC} +%$$ + %%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1) + CC(\FG) = (n-1) \sum_{1 \le i \le n} fm(c_i). +%$$ +\end{equation} + +This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$); +equation~\ref{eqn:CC} becomes + +%$$ +\begin{equation} +\label{eqn:rd2} + CC(\FG) = K.(|\FG|-1). +\end{equation} +%$$ +%Equation~\ref{eqn:rd} can also be expressed as +% +% \begin{equation} +% \label{eqn:rd2} +% %$$ +% CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} . 
+% %$$ +% \end{equation} +\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy} + +An FMMD Hierarchy will have reducing numbers of functional groups as we progress up the hierarchy. +In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to +all {\fgs} on each level. + +We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), +defined by + +\begin{equation} +%$$ +g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) . +%$$ +\end{equation} + +Where $L$ represents the number of levels in the FMMD hierarchy, +$|g(\xi)|$ represents the number of functional groups on the level +and $H$ represents an FMMD hierarchy, +we overload the comparison complexity thus: +%$$ +\begin{equation} + \label{eqn:gf} + CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}). +%$$ +\end{equation} + + +\pagebreak[4] +\subsection{Complexity Comparison Examples} + +The potential divider discussed in section~\ref{potdivfmmd} has four failure modes and two components and therefore has $CC$ of 4. +$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$ + +Even considering a $fictitious$ system with just 81 components (with these components +having 3 failure modes each) we would have an $CC$ of + +$$CC(fictitious) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$ + +Ensuring all component failure modes are checked against all other components in a system +-- applying FMEA rigorously -- could be termed +Rigorous FMEA (RFMEA). +The computational order for RFMEA would be polynomial ($O(N^2.K)$) (where $K$ is the variable number of failure modes). + +This order may be acceptable in a computational environment: However, the choosing of {\fgs} and the analysis +process are by-hand/human activities. 
It can be seen that it is practically impossible to achieve +RFMEA for anything but trivial systems. +% +% Next statement needs alot of justification +% +It is the authors belief that FMMD reduces the comparison complexity enough to make +rigorous checking feasible. + + +\pagebreak[4] +%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD} + +\begin{figure} + \centering + \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png} + % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385 + \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$} + \label{fig:three_tree} +\end{figure} + + + +\subsection{Comparing FMMD and RFMEA comparison complexity} + +Because components have variable numbers of failure modes, +and {\fgs} have variable numbers of components it is difficult to +use the general formula for comparing the number of checks to make for +RFMEA and FMMD. +If we were to create an example by fixing the number of components in a {\fg} +and the number of failure modes per component, we can derive formulae +to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to +all components in a system. + +Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), +$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and +$L$ to be the number of levels in the hierarchy of an FMMD analysis. +We can represent the number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy +with equation~\ref{eqn:anscen}. + +\begin{equation} + \label{eqn:anscen} + \sum_{n=0}^{L} {k}^{n}.k.f.(k-1) +\end{equation} + +The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top -- +there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level. 
+The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$ +checked against the remaining components in the {\fg} $(k-1)$. + +If, for the sake of example we fix the number of components in a {\fg} to three and +the number of failure modes per component to three, an FMMD hierarchy +would look like figure~\ref{fig:three_tree}. + +\subsection{Worked Example} + +Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis. +Starting at the top, we have a {\fg} with three derived components, each of which has +three failure modes. +Thus the number of checks to make in the top level is $3^0.3.2.3=18$. +On the level below that, we have three {\fgs} each with a +an identical number of checks, $3^1.3.2.3=56$.%{\fg} +On the level below that we have nine {\fgs}, $3^2.3.2.3=168$. +Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}} +{\fgs}). + +If we were to take the system represented in figure~\ref{fig:three_tree}, and +apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC}, +$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $fm(c_n)$ is 3 +and $(|G|-1)$ is 26. +This gives: +$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$. + +In order to get general equations with which to compare RFMEA with FMMD +we can re-write equation~\ref{eqn:CC} in terms of the number of levels +in an FMMD hierarchy. +% +The number of components in the system, is number of components +in a {\fg} raised to the power of the level plus one. +Thus we re-write equation~\ref{eqn:CC} as: + + +\begin{equation} + \label{eqn:fmea_state_exp21} + \sum_{n=1}^{k^{L+1}}.(k^{L+1}-1).f \; , % \\ + %(N^2 - N).f +\end{equation} + +or + +\begin{equation} + \label{eqn:fmea_state_exp22} + k^{L+1}.(k^{L+1}-1).f \;. 
% \\ + %(N^2 - N).f +\end{equation} + +We can now use equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$) +the two approaches, for the work required to perform rigorous checking. + + +For instance, having four levels +of FMMD analysis, with these fixed numbers, +%(in addition to the top zeroth level) +will require 81 base level components. + +$$ +%\begin{equation} + \label{eqn:fmea_state_exp22} + 3^4.(3^4-1).3 = 81.(81-1).3 = 19440 % \\ + %(N^2 - N).f +%\end{equation} +$$ + +$$ +%\begin{equation} + % \label{eqn:anscen} + \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 +%\end{equation} +$$ + +% \subsection{Exponential squared to Exponential} +% +% can I say that ? + +\section{Problems in choosing membership of functional groups} + +\subsection{Side Effects: A Problem for FMMD analysis} +A problem with modularising according to functionality is that we can have component failures that would +intuitively be associated with one {\fg} that may cause unintended side effects in other +{\fgs}. +For instance were we to have a component that on failing $SHORT$ could bring down +a voltage supply rail, this could have drastic consequences for other +functional groups in the system we are examining. + +\pagebreak[3] +\subsubsection{Example de-coupling capacitors in logic circuits} + +A good example of this, are de-coupling capacitors, often used +over the power supply pins of all chips in a digital logic circuit. +Were any of these capacitors to fail $SHORT$ they could bring down +the supply voltage to the other logic chips. + + +To a power-supply, shorted capacitors on the supply rails +are a potential source of the symptom, $SUPPLY\_SHORT$. +In a logic chip/digital circuit {\fg} open capacitors are a potential +source of symptoms caused by the failure mode $INTERFERENCE$. +So we have a `symptom' of the power-supply, and a `failure~mode' of + the logic chip to consider. 
+ +A possible solution to this is to include the de-coupling capacitors +in the power-supply {\fg}. +% decision, could they be included in both places ???? +% I think so + + +Because the capacitor has two potential failure modes (EN298) +this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to +a power-supply module (but there might be additional noise on its output rails). +But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$. + +Some logic chips are more susceptible to $INTERFERENCE$ than others. +A logic chip with de-coupling capacitor failing, may operate correctly +but interfere with other chips in the circuit. + +There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}. +This allows for the general principle of a component failure affecting more than one {\fg} in a circuit. +This allows functional groups to share components where necessary. +This does not break the modularity of the FMMD technique, because, as {\irl} +one component failure may affect more than one sub-system. +It does uncover a weakness in the FMMD methodology though. +It could be very easy to miss the side effect and include +the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. + + + +\section{Double Simultaneous Failures} + +The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low. +However, some critical systems have to consider these type of eventualities. +The burner control industry has to consider double failures, as specified in European Norm +EN298~\cite{en298}. EN298 does not specifically state that +double simultaneous failures must be considered. 
What it does say is that +in the event of a lockout---a condition where an error has been detected and +the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition. +% +This is slightly vague: there are so many possible component failures that could +cause a secondary failure, that it is very difficult not to interpret this +as meaning we have to cater for double simultaneous failures for the most critical sections +of a burner control system. +% +In practise---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel +is not allowed to flow under an error condition. This would of course leave the possibility of +other more complex double failures tricking the controller into thinking the +combustion was actually safe when it was not. +% +It would be impractical to +perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller. + +It has been shown that, for all but trivial small systems, double failure mode checking +is impossible from a practical perspective. +FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature +of choosing {\fgs} we will not (in the initial stages) be cross checking all possible +combinations of double failures in all the components. + +The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks +to model failure mode scenarios. The failure scenario is defined by the contours that enclose it. +Consider a system which has four components $c_1 \ldots c_4$. +Consider that each of these components may fail in two ways: $a$ and $b$, i.e $fm(c_1) = fm(c_2) = \{a,b\}$. +Now consider two {\fgs}, $fg1 = \{ c_1, c_2 \}$ and $fg2 = \{ c_3, c_4 \}$. + +We list all the possible failure scenarios as $FS1 \ldots FS6$ for each functional group. 
+For instance $FS5$ is the result of component $c_2$ failing with failure mode $a$ and component $c_1$ failing +with failure mode $b$. We can express this as $c_2 a \cup c_1 b$. + + +\begin{figure}[h] + \centering + \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/dubsim1.png} + % dubsim1.png: 612x330 pixel, 72dpi, 21.59x11.64 cm, bb=0 0 612 330 + \caption{Simultaneous Failure Mode Scenarios} + \label{fig:dubsim1} +\end{figure} + + + +From figure~\ref{fig:dubsim1} we can see that the double failure modes within the {\fgs} have been examined. +How do we model the double failures that occur across the {\fgs}, for instance +$c_4 a \cup c_1 a$. +It could be argued that because functional groups are chosen for their functionality, and re-usability +that component failures in one should not affect a different {\fg}, but this is a weak argument. +Merely double checking within {\fgs} would be marginally better than +only applying it to the most obvious critical elements of a system. + +What is really required is a way that all double simultaneous failures +are checked. + +One way of doing this is to apply double failure mode +checking to all {\fgs} higher up in the hierarchy. + +This guarantees to check the symptoms caused by the +failure modes in the other {\fgs} with the symptoms +derived from the other {\fgs} modelling for double failures. +% +By traversing down the tree we can automatically determine which +double simultaneous combinations have not been resolved. +% +By applying double simultaneous checking until no single failures +canlead to a top level event, we +double failure move coverage. + +To extend the example in figure~\ref{fig:dubsim1} we can map the failure +scenarios. 
+For Functional Group 1 (FG1), let us map: +\begin{eqnarray*} + FS1 & \mapsto & S1 \\ + FS2 & \mapsto & S3 \\ + FS3 & \mapsto & S1 \\ + FS4 & \mapsto & S2 \\ + FS5 & \mapsto & S2 \\ + FS6 & \mapsto & S3 +\end{eqnarray*} + +Thus a derived component, DC1, has the failure modes defined by $fm(DC1) = \{ S1, S2, S3 \}$. + + +For Functional Group 2 (FG2), let us map: +\begin{eqnarray*} + FS1 & \mapsto & S4 \\ + FS2 & \mapsto & S5 \\ + FS3 & \mapsto & S5 \\ + FS4 & \mapsto & S4 \\ + FS5 & \mapsto & S6 \\ + FS6 & \mapsto & S5 +\end{eqnarray*} + +%This AUTOMATIC check can reveal WHEN double checking no longer necessary +%in the hierarchy to cover dub sum !!!!! YESSSS sample text sample text sample text diff --git a/submission_thesis/CH5_Examples/Makefile b/submission_thesis/CH5_Examples/Makefile index cd64751..9c17cc5 100644 --- a/submission_thesis/CH5_Examples/Makefile +++ b/submission_thesis/CH5_Examples/Makefile @@ -1,6 +1,14 @@ -PNG_DIA = circuit1_dag.png mvampcircuit.png pd.png invamp.png shared_component.png tree_abstraction_levels.png three_tree.png blockdiagramcircuit2.png circuit2h.png bubba_oscillator_block_diagram.png dubsim1.png poss1finalbubba.png poss2finalbubba.png +PNG_DIA = blockdiagramcircuit2.png bubba_oscillator_block_diagram.png circuit1_dag.png circuit2h.png \ + dubsim1.png invamp.png mvampcircuit.png pd.png plddouble.png plddoublesymptom.png \ + poss1finalbubba.png poss2finalbubba.png pt100.png pt100_doublef.png pt100_singlef.png \ + pt100_tc.png pt100_tc_sp.png shared_component.png stat_single.png three_tree.png \ + tree_abstraction_levels.png vrange.png + + + +%= circuit1_dag.png mvampcircuit.png pd.png invamp.png shared_component.png tree_abstraction_levels.png three_tree.png blockdiagramcircuit2.png circuit2h.png bubba_oscillator_block_diagram.png dubsim1.png poss1finalbubba.png poss2finalbubba.png diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index f1d1580..16721ea 100644 
--- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex 
@@ -448,585 +448,6 @@ Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creati is shown as a `$\bowtie$' symbol. -\subsection{An algebraic notation for identifying FMMD enitities} -Consider all `components' to exist as -members of a set $\mathcal{C}$. -% -Each component $c$ has an associated set of failure modes. -We can define a function $fm$ that returns a -set of failure modes $F$, for the component $c$. - -Let the set of all possible components be $\mathcal{C}$ -and let the set of all possible failure modes be $\mathcal{F}$. - -We now define the function $fm$ -as -\begin{equation} -\label{eqn:fm} -fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. -\end{equation} -This is defined by, where $c$ is a component and $F$ is a set of failure modes, -$ fm ( c ) = F. $ - -We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection -of components. -%We thus define $FG$ as a set of chosen components defining -%a {\fg}; all functional groups -We can state that -{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ - -We can overload the $fm$ function for a functional group {\FG} -where it will return all the failure modes of the components in {\FG} - - -given by - -$$ fm ({\FG}) = F. $$ - -Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, - -\begin{equation} -fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. -\end{equation} - - -%$$ \mathcal{fm}(C) \rightarrow S $$ -%$$ {fm}(C) \rightarrow S $$ -\paragraph{Abstraction Levels of {\fgs} and {\dcs}} - - -\label{sec:indexsub} -We can indicate the abstraction level of a component by using a superscript. -Thus for the component $c$, where it is a `base component' we can assign it -the abstraction level zero, $c^0$. Should we wish to index the components -(for example as in a product parts-list) we can use a sub-script. -Our base component (if first in the parts-list) could now be uniquely identified as -$c^0_1$. 
- -We can further define the abstraction level of a {\fg}. -We can say that it is the maximum abstraction level of any of its -components. Thus a functional group containing only base components -would have an abstraction level zero and could be represented with a superscript of zero thus -`${\FG}^0$'. % The functional group set may also be indexed. - -We can apply symptom abstraction to a {\fg} to find -its symptoms. -%We are interested in the failure modes -%of all the components in the {\fg}. An analysis process -We define the symptom abstraction process with the symbol `$\bowtie$'.% is applied to the {\fg}. -% -The $\bowtie$ function takes a {\fg} -as an argument and returns a newly created {\dc}. -% -%The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}. -The symptom abstraction process must always raise the abstraction level -for the newly created {\dc}. -Using $\abslevel$ to symbolise the fault abstraction level, we can now state: - -$$ \bowtie({\FG}^{\abslevel}) \rightarrow c^{{\abslevel}+N} | N \ge 1. $$ - -\paragraph{Functional Groups may be indexed} -We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one) -we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index. -For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy. - -\paragraph{The symptom abstraction process in outline.} -The $\bowtie$ function processes each component in the {\fg} and -extracts all the component failure modes. -With all the failure modes, an analyst can -determine how each failure mode will affect the {\fg}, and then collect common symptoms. -A new {\dc} is created -where its failure modes, are the symptoms from {\fg}. -Note that the component must have a higher abstraction level than the {\fg} -it was derived from. 
- - -\paragraph{Surjective constraint applied to symptom collection.} -We can stipulate that symptom collection process is surjective. -% i.e. $ \forall f in F $ -By stipulating surjection for symptom collection, we ensure -that each component failure mode maps to at least one symptom. -We also ensure that all symptoms have at least one component failure -mode (i.e. one or more failure modes that caused it). -% - -\subsection{FMMD Hierarchy} - -By applying stages of analysis to higher and higher abstraction -levels, we can converge to a complete failure mode model of the system under analysis. -Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms) -the number of symptoms is guaranteed to be less than or equal to -the number of component failure modes. - -In practise however, the number of symptoms greatly reduces as we traverse -up the hierarchy. -This is a natural process. When we have complicated systems -they always have a small number of system failure modes in comparison to -the number of failure modes in its sub-systems/components.. - - -\section{Examples of Derived Component like concepts in safety literature} - -Idea stage on this section, integrated circuits and some compond parts (like digital resistors) -are treated like base components. i.e. this sets a precedent for {\dcs}. - -\begin{itemize} - \item Look at OPAMP circuits, pick one (say $\mu$741) - \item Digital transistor perhaps, inside two resistors and a transistor. - \item outline a proposed FMMD analysis - \item Show FMD-91 OPAMP failure modes -- compare with FMMD -\end{itemize} - -The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors -(and for some types of resistors OPEN only). -FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes. -Now a resistor will generally only suffer parameter change when over stressed. 
-EN298 stipulates down rating by 60\% to maximum stress -possible in a circuit. So even if you have a resistor that preliminary tells you would -never be subjected to say more than 5V, but there is say, a 24V rail -on the circuit, you have to choose resistors able to cope with the 24V -stress/load and then down rate by 60\%. That is to say the resitor should be rated for a maximum -voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$. -Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals. - -\clearpage -Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself. - - -\subsection{{\fgs} Sharing components and Hierarchy} - -With electronics we need to follow the signal path to make sense of failure modes -effects on other parts of the circuit further down that path. -%{\fgs} will naturally have to be in the position of starter -A power-supply is naturally first in a signal path (or failure reasoning path). -That is to say, if the power-supply is faulty, its failure modes are likely to affect -the {\fgs} that have to use it. - -This means that most electronic components should be placed higher in an FMMD -hierarchy than the power-supply. -A shorted de-coupling capactitor caused a `symptom' of the power-supply, -and an open de-coupling capactitor should be considered a `failure~mode' relevant to the logic chip. -% to consider. - -If components can be shared between functional groups, this means that components -must be shareable between {\fgs} at different levels in the FMMD hierarchy. -This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown -in figure~\ref{fig:shared_component}. 
- -\begin{figure} - \centering - \includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png} - % shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670 - \caption{Optionally shared Component} - \label{fig:shared_component} -\end{figure} - -\subsection{Hierarchy and structure} -By having this structure, the logic circuit element, can accept failure modes from the -power-supply (for instance these might, for the sake of example include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$. -Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say. -But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy. - -\pagebreak[4] -\section{Defining the concept of `comparison~complexity' in FMEA} - -% -% DOMAIN == INPUTS -% RANGE == OUTPUTS -% - -When performing FMEA we have a system under investigation, which will -comprise of a collection of components which have associated failure modes. -The object of FMEA is to determine cause and effect: -from the failure modes (the causes) to the effects (or symptoms of failure). -% -To perform FMEA rigorously -we could stipulate that every failure mode must be checked for effects -against all the components in the system. -We could term this `rigorous~FMEA'~(RFMEA). -The number of checks we have to make to achieve this gives an indication of the complexity of the task. -% -We could term this `comparison~complexity', as it is the number of -paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group. - - -% (except its self of course, that component is already considered to be in a failed state!). -% -Obviously, for a small number of components and failure modes we have a smaller number -of checks to make than for a complicated larger system. -% -We can consider the system as a large {\fg} of components. 
-We represent the number of components in the {\fg} $G$, by -$ | G | $ -(an indexing and sub-scripting notation to identify particular {\fgs} -within an FMMD hierarchy is given in section~\ref{sec:indexsub}). - -The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}). -We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$ - -If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express -the number of checks required to rigorously examine every -failure mode against all the other components in the system. -We can define this as a function, Comparison Complexity, $CC$, with its domain as the system -or {\fg}, $\FG$, and -its range as the number of checks to perform to satisfy a rigorous FMEA inspection. - -Where $\mathcal{\FG}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by, -\begin{equation} -%$$ - CC:\mathcal{\FG} \rightarrow \mathbb{N}, -%$$ -\end{equation} - -and, where n is the number of components in the system/{\fg}, $|fm(c_i)|$ is the number of failure modes -in component ${c_i}$, is given by - -\begin{equation} -\label{eqn:CC} -%$$ - %%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1) - CC(\FG) = (n-1) \sum_{1 \le i \le n} fm(c_i). -%$$ -\end{equation} - -This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$); -equation~\ref{eqn:CC} becomes - -%$$ -\begin{equation} -\label{eqn:rd2} - CC(\FG) = K.(|\FG|-1). -\end{equation} -%$$ -%Equation~\ref{eqn:rd} can also be expressed as -% -% \begin{equation} -% \label{eqn:rd2} -% %$$ -% CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} . 
-% %$$ -% \end{equation} -\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy} - -An FMMD Hierarchy will have reducing numbers of functional groups as we progress up the hierarchy. -In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to -all {\fgs} on each level. - -We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), -defined by - -\begin{equation} -%$$ -g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) . -%$$ -\end{equation} - -Where $L$ represents the number of levels in the FMMD hierarchy, -$|g(\xi)|$ represents the number of functional groups on the level -and $H$ represents an FMMD hierarchy, -we overload the comparison complexity thus: -%$$ -\begin{equation} - \label{eqn:gf} - CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}). -%$$ -\end{equation} - - -\pagebreak[4] -\subsection{Complexity Comparison Examples} - -The potential divider discussed in section~\ref{potdivfmmd} has four failure modes and two components and therefore has $CC$ of 4. -$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$ - -Even considering a $fictitious$ system with just 81 components (with these components -having 3 failure modes each) we would have an $CC$ of - -$$CC(fictitious) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$ - -Ensuring all component failure modes are checked against all other components in a system --- applying FMEA rigorously -- could be termed -Rigorous FMEA (RFMEA). -The computational order for RFMEA would be polynomial ($O(N^2.K)$) (where $K$ is the variable number of failure modes). - -This order may be acceptable in a computational environment: However, the choosing of {\fgs} and the analysis -process are by-hand/human activities. 
It can be seen that it is practically impossible to achieve -RFMEA for anything but trivial systems. -% -% Next statement needs alot of justification -% -It is the authors belief that FMMD reduces the comparison complexity enough to make -rigorous checking feasible. - - -\pagebreak[4] -%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD} - -\begin{figure} - \centering - \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png} - % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385 - \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$} - \label{fig:three_tree} -\end{figure} - - - -\subsection{Comparing FMMD and RFMEA comparison complexity} - -Because components have variable numbers of failure modes, -and {\fgs} have variable numbers of components it is difficult to -use the general formula for comparing the number of checks to make for -RFMEA and FMMD. -If we were to create an example by fixing the number of components in a {\fg} -and the number of failure modes per component, we can derive formulae -to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to -all components in a system. - -Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), -$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and -$L$ to be the number of levels in the hierarchy of an FMMD analysis. -We can represent the number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy -with equation~\ref{eqn:anscen}. - -\begin{equation} - \label{eqn:anscen} - \sum_{n=0}^{L} {k}^{n}.k.f.(k-1) -\end{equation} - -The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top -- -there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level. 
-The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$ -checked against the remaining components in the {\fg} $(k-1)$. - -If, for the sake of example we fix the number of components in a {\fg} to three and -the number of failure modes per component to three, an FMMD hierarchy -would look like figure~\ref{fig:three_tree}. - -\subsection{Worked Example} - -Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis. -Starting at the top, we have a {\fg} with three derived components, each of which has -three failure modes. -Thus the number of checks to make in the top level is $3^0.3.2.3=18$. -On the level below that, we have three {\fgs} each with a -an identical number of checks, $3^1.3.2.3=56$.%{\fg} -On the level below that we have nine {\fgs}, $3^2.3.2.3=168$. -Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}} -{\fgs}). - -If we were to take the system represented in figure~\ref{fig:three_tree}, and -apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC}, -$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $fm(c_n)$ is 3 -and $(|G|-1)$ is 26. -This gives: -$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$. - -In order to get general equations with which to compare RFMEA with FMMD -we can re-write equation~\ref{eqn:CC} in terms of the number of levels -in an FMMD hierarchy. -% -The number of components in the system, is number of components -in a {\fg} raised to the power of the level plus one. -Thus we re-write equation~\ref{eqn:CC} as: - - -\begin{equation} - \label{eqn:fmea_state_exp21} - \sum_{n=1}^{k^{L+1}}.(k^{L+1}-1).f \; , % \\ - %(N^2 - N).f -\end{equation} - -or - -\begin{equation} - \label{eqn:fmea_state_exp22} - k^{L+1}.(k^{L+1}-1).f \;. 
% \\ - %(N^2 - N).f -\end{equation} - -We can now use equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$) -the two approaches, for the work required to perform rigorous checking. - - -For instance, having four levels -of FMMD analysis, with these fixed numbers, -%(in addition to the top zeroth level) -will require 81 base level components. - -$$ -%\begin{equation} - \label{eqn:fmea_state_exp22} - 3^4.(3^4-1).3 = 81.(81-1).3 = 19440 % \\ - %(N^2 - N).f -%\end{equation} -$$ - -$$ -%\begin{equation} - % \label{eqn:anscen} - \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 -%\end{equation} -$$ - -% \subsection{Exponential squared to Exponential} -% -% can I say that ? - -\section{Problems in choosing membership of functional groups} - -\subsection{Side Effects: A Problem for FMMD analysis} -A problem with modularising according to functionality is that we can have component failures that would -intuitively be associated with one {\fg} that may cause unintended side effects in other -{\fgs}. -For instance were we to have a component that on failing $SHORT$ could bring down -a voltage supply rail, this could have drastic consequences for other -functional groups in the system we are examining. - -\pagebreak[3] -\subsubsection{Example de-coupling capacitors in logic circuits} - -A good example of this, are de-coupling capacitors, often used -over the power supply pins of all chips in a digital logic circuit. -Were any of these capacitors to fail $SHORT$ they could bring down -the supply voltage to the other logic chips. - - -To a power-supply, shorted capacitors on the supply rails -are a potential source of the symptom, $SUPPLY\_SHORT$. -In a logic chip/digital circuit {\fg} open capacitors are a potential -source of symptoms caused by the failure mode $INTERFERENCE$. -So we have a `symptom' of the power-supply, and a `failure~mode' of - the logic chip to consider. 
- -A possible solution to this is to include the de-coupling capacitors -in the power-supply {\fg}. -% decision, could they be included in both places ???? -% I think so - - -Because the capacitor has two potential failure modes (EN298) -this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to -a power-supply module (but there might be additional noise on its output rails). -But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$. - -Some logic chips are more susceptible to $INTERFERENCE$ than others. -A logic chip with de-coupling capacitor failing, may operate correctly -but interfere with other chips in the circuit. - -There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}. -This allows for the general principle of a component failure affecting more than one {\fg} in a circuit. -This allows functional groups to share components where necessary. -This does not break the modularity of the FMMD technique, because, as {\irl} -one component failure may affect more than one sub-system. -It does uncover a weakness in the FMMD methodology though. -It could be very easy to miss the side effect and include -the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. - - - -\section{Double Simultaneous Failures} - -The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low. -However, some critical systems have to consider these type of eventualities. -The burner control industry has to consider double failures, as specified in European Norm -EN298~\cite{en298}. EN298 does not specifically state that -double simultaneous failures must be considered. 
What it does say is that -in the event of a lockout---a condition where an error has been detected and -the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition. -% -This is slightly vague: there are so many possible component failures that could -cause a secondary failure, that it is very difficult not to interpret this -as meaning we have to cater for double simultaneous failures for the most critical sections -of a burner control system. -% -In practise---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel -is not allowed to flow under an error condition. This would of course leave the possibility of -other more complex double failures tricking the controller into thinking the -combustion was actually safe when it was not. -% -It would be impractical to -perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller. - -It has been shown that, for all but trivial small systems, double failure mode checking -is impossible from a practical perspective. -FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature -of choosing {\fgs} we will not (in the initial stages) be cross checking all possible -combinations of double failures in all the components. - -The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks -to model failure mode scenarios. The failure scenario is defined by the contours that enclose it. -Consider a system which has four components $c_1 \ldots c_4$. -Consider that each of these components may fail in two ways: $a$ and $b$, i.e $fm(c_1) = fm(c_2) = \{a,b\}$. -Now consider two {\fgs}, $fg1 = \{ c_1, c_2 \}$ and $fg2 = \{ c_3, c_4 \}$. - -We list all the possible failure scenarios as $FS1 \ldots FS6$ for each functional group. 
-For instance $FS5$ is the result of component $c_2$ failing with failure mode $a$ and component $c_1$ failing -with failure mode $b$. We can express this as $c_2 a \cup c_1 b$. - - -\begin{figure}[h] - \centering - \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/dubsim1.png} - % dubsim1.png: 612x330 pixel, 72dpi, 21.59x11.64 cm, bb=0 0 612 330 - \caption{Simultaneous Failure Mode Scenarios} - \label{fig:dubsim1} -\end{figure} - - - -From figure~\ref{fig:dubsim1} we can see that the double failure modes within the {\fgs} have been examined. -How do we model the double failures that occur across the {\fgs}, for instance -$c_4 a \cup c_1 a$. -It could be argued that because functional groups are chosen for their functionality, and re-usability -that component failures in one should not affect a different {\fg}, but this is a weak argument. -Merely double checking within {\fgs} would be marginally better than -only applying it to the most obvious critical elements of a system. - -What is really required is a way that all double simultaneous failures -are checked. - -One way of doing this is to apply double failure mode -checking to all {\fgs} higher up in the hierarchy. - -This guarantees to check the symptoms caused by the -failure modes in the other {\fgs} with the symptoms -derived from the other {\fgs} modelling for double failures. -% -By traversing down the tree we can automatically determine which -double simultaneous combinations have not been resolved. -% -By applying double simultaneous checking until no single failures -canlead to a top level event, we -double failure move coverage. - -To extend the example in figure~\ref{fig:dubsim1} we can map the failure -scenarios. 
-For Functional Group 1 (FG1), let us map: -\begin{eqnarray*} - FS1 & \mapsto & S1 \\ - FS2 & \mapsto & S3 \\ - FS3 & \mapsto & S1 \\ - FS4 & \mapsto & S2 \\ - FS5 & \mapsto & S2 \\ - FS6 & \mapsto & S3 -\end{eqnarray*} - -Thus a derived component, DC1, has the failure modes defined by $fm(DC1) = \{ S1, S2, S3 \}$. - - -For Functional Group 2 (FG2), let us map: -\begin{eqnarray*} - FS1 & \mapsto & S4 \\ - FS2 & \mapsto & S5 \\ - FS3 & \mapsto & S5 \\ - FS4 & \mapsto & S4 \\ - FS5 & \mapsto & S6 \\ - FS6 & \mapsto & S5 -\end{eqnarray*} - -%This AUTOMATIC check can reveal WHEN double checking no longer necessary -%in the hierarchy to cover dub sum !!!!! YESSSS \section{Example Analysis: Non-Inverting OPAMP} Consider a non inverting op-amp designed to amplify 
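Review bot: this hunk deletes the whole comparison-complexity treatment (labels eqn:CC, eqn:rd2, eqn:gf, eqn:anscen, fig:three_tree, fig:shared_component, fig:dubsim1), yet the unchanged context at the start of the next hunk still leans on "the $O(N^2)$ effect of complexity comparison", so either the definitions are relocated in the same commit or every surviving `\ref` to these labels and the O(N^2) remark needs updating; please confirm which. If the text is being moved rather than dropped, carry the known defects with it instead of re-pasting them: equation eqn:CC sums `fm(c_i)` (a set) where `|fm(c_i)|` is meant, the worked example's arithmetic is wrong (`3^1.3.2.3` is 54 not 56, `3^2.3.2.3` is 162 not 168, so the total is 234 not 242), and the double-failure paragraph has "canlead" and the unfinished sentence "we double failure move coverage".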
@@ -2198,3 +1619,913 @@ there are more {\dcs} and this increases the possibility of re-use. The more we can modularise, the more we decimate the $O(N^2)$ effect of complexity comparison. + + +\section{PT100 Analysis: Double failures and MTTF statistics} +{ +This section shows a practical example of +one `symptom~abstraction' stage in the FMMD process. +We take a functional group of base components, +and using their failure modes, analyse the circuit +to find failure symptoms. +These failure symptoms are used to define +a derived component. +% +An industry standard temperature measurement circuit, +the PT100 is described and then analysed using the FMMD methodology. +A derived component, representing this circuit is then presented. + + +The PT100, or platinum wire \ohms{100} sensor is +a widely used industrial temperature sensor that is +slowly replacing the use of thermocouples in many +industrial applications below 600\oc, due to high accuracy\cite{aoe}. + +This section looks at the most common configuration, the +four wire circuit, and analyses it from an FMEA perspective twice. +Once considering single faults (cardinality constrained powerset of 1) and then again, considering the +possibility of double faults (cardinality constrained powerset of 2). + +The section is performed using Propositional Logic +diagrams to assist the reasoning process. +This chapter describes taking +the failure modes of the components, analysing the circuit using FMEA +and producing a failure mode model for the circuit as a whole. +Thus after the analysis the PT100 temperature sensing circuit, may be viewed +from an FMEA perspective as a component itself, with a set of known failure modes. 
+} + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png} + % pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{PT100 four wire circuit} + \label{fig:pt100} +\end{figure} + + +\section{General Description of PT100 four wire circuit} + +The PT100 four wire circuit uses two wires to supply small electrical current, +and returns two sense voltages by the other two. +By measuring voltages +from sections of this circuit forming potential dividers, we can determine the +resistance of the platinum wire sensor. The resistance +of this is directly related to temperature, and may be determined by +look-up tables or a suitable polynomial expression. + + +\begin{figure}[h] + \centering + \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} + % pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{PT100 expected voltage ranges} + \label{fig:pt100vrange} +\end{figure} + + +The voltage ranges we expect from this three stage potential divider\footnote{ +two stages are required for validation, a third stage is used to measure the current flowing +through the circuit to obtain accurate temperature readings} +are shown in figure \ref{fig:pt100vrange}. Note that there is +an expected range for each reading, for a given temperature span. +Note that the low reading goes down as temperature increases, and the higher reading goes up. +For this reason the low reading will be referred to as {\em sense-} +and the higher as {\em sense+}. + +\subsection{Accuracy despite variable \\ resistance in cables} + +For electronic and accuracy reasons a four wire circuit is preferred +because of resistance in the cables. Resistance from the supply + causes a slight voltage +drop in the supply to the PT100. 
As no significant current +is carried by the two `sense' lines, the resistance back to the ADC +causes only a negligible voltage drop, and thus the four wire +configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across +the thermistor and not the voltage across the thermistor and current supply wire resistance.}. + +\subsection{Calculating Temperature from \\ the sense line voltages} + +The current flowing though the +whole circuit can be measured on the PCB by reading a third +sense voltage from one of the load resistors. Knowing the current flowing +through the circuit +and knowing the voltage drop over the PT100, we can calculate its +resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$. +Thus a little loss of supply current due to resistance in the cables +does not impinge on accuracy. +The resistance to temperature conversion is achieved +through the published PT100 tables\cite{eurothermtables}. +The standard voltage divider equations (see figure \ref{fig:vd} and +equation \ref{eqn:vd}) can be used to calculate +expected voltages for failure mode and temperature reading purposes. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png} + % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 + \caption{Voltage Divider} + \label{fig:vd} +\end{figure} +%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. + +\begin{equation} +\label{eqn:vd} + V_{out} = V_{in}.\frac{Z2}{Z2+Z1} +\end{equation} + +\section{Safety case for 4 wire circuit} + +This sub-section looks at the behaviour of the PT100 four wire circuit +for the effects of component failures. +All components have a set of known `failure modes'. +In other words we know that a given component can fail in several distinct ways. 
+Studies have been published which list common component types +and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}. +Thus for each component, an analysis is made for each of its failure modes, +with respect to its effect on the +circuit. Each one of these scenarios is termed a `test case'. +The resultant circuit behaviour for each of these test cases is noted. +The worst case for this type of +analysis would be a fault that we cannot detect. +Where this occurs a circuit re-design is probably the only sensible course of action. + +\fmodegloss + +\subsection{Single Fault FMEA Analysis \\ of PT100 Four wire circuit} + +\label{fmea} +The PT100 circuit consists of three resistors, two `current~supply' +wires and two `sensor' wires. +Resistors according to the European Standard EN298:2003~\cite{en298}[App.A] +, are considered to fail by either going OPEN or SHORT circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, +and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. +%Should wires become disconnected these will have the same effect as +%given resistors going open. +For the purpose of this analyis; +$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, +$R_3$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground. + +We can define the terms `High Fault' and `Low Fault' here, with reference to figure +\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone +in the diagram we can consider this a fault. +Should the reading be above its expected range this is a `High Fault' +and if below a `Low Fault'. + +Table \ref{ptfmea} plays through the scenarios of each of the resistors failing +in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. +The range {0\oc} to {300\oc} will be analysed using potential divider equations to +determine out of range voltage limits in section \ref{ptbounds}. 
+ +\begin{table}[ht] +\caption{PT100 FMEA Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + $R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline +$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline + \hline +$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline + $R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline +\hline +$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\ + $R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline +\hline +\end{tabular} +\label{ptfmea} +\end{table} + +From table \ref{ptfmea} it can be seen that any component failure in the circuit +should cause a common symptom, that of one or more of the values being `out of range'. +Temperature range calculations and detailed calculations +on the effects of each test case are found in section \ref{pt100range} +and \ref{pt100temp}. + +%\paragraph{Consideration of Resistor Tolerance} +% +%The separate sense lines ensure the voltage read over the PT100 thermistor are not +%altered due to having to pass any significant current. +%The PT100 element is a precision part and will be chosen for a specified accuracy/tolerance range. +%One or other of the load resistors (the one we measure current over) should also +%be of this accuracy. +% +%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient +%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to +%a narrow temperature range anyway, being mounted on a PCB. 
+%\glossary{{PCB}{Printed Circuit Board}} +%To calculate the resistance of the PT100 element % (and thus derive its temperature), +%having the voltage over it, we now need the current. +%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop. +%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables). +%We can calculate the current by reading +%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the PT100 we need the current flowing though it. +%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} +%As these calculations are performed by ohms law, which is linear, the accuracy of the reading +%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +%take the mean square error of these accuracy figures. + +\subsection{Range and PT100 Calculations} +\label{pt100temp} +PT100 resistors are designed to +have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. +A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} +for a given application. +According to the Eurotherm PT100 +tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100} +and \ohms{212.02} respectively. From this the potential divider circuit can be +analysed and the maximum and minimum acceptable voltages determined. +These can be used as bounds results to apply the findings from the +PT100 FMEA analysis in section \ref{fmea}. 
+ +As the PT100 forms a potential divider with the \ohms{2k2} load resistors, +the upper and lower readings can be calculated thus: + + +$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$ +So by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds we can be confident that none of the +resistors in this circuit has failed. + +To convert these to twelve bit ADC (\adctw) counts: + +$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$ + + +\begin{table}[ht] +\caption{PT100 Maximum and Minimum Values} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|c|l|l||} +\hline \hline + \textbf{Temperature} & \textbf{PT100 resistance} & +\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\ +\hline +% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\ +% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline + {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\ + & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline + {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\ + & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline +\hline +\end{tabular} +\label{ptbounds} +\end{table} + +Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that +for any single error (short or opening of any resistor) this bounds check +will detect it. + + + +\paragraph{Consideration of Resistor Tolerance.} +% +The separate sense lines ensure the voltage read over the PT100 thermistor is not +altered by to having to pass any significant current. The current is supplied +by separate wires and the resistance in those are effectively cancelled +out by considering the voltage reading over $R_3$ to be relative. +% +The PT100 element is a precision part and will be chosen for a specified accuracy/tolerance range. 
+One or other of the load resistors (the one we measure current over) should +be of a specified accuracy. +% +The \ohms{2k2} loading resistors should have a good temperature co-effecient +(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). +% +To calculate the resistance of the PT100 element % (and thus derive its temperature), +knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. +% +Lets use, for the sake of example $R_2$ to measure the current. +% +We can calculate the current $I$, by reading +the voltage over the known resistor $R_2$ and using ohms law\footnote{To calculate the resistance of the PT100 we need the current flowing though it. +We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use ohms law again to calculate +the resistance of $R_3$. +% +As ohms law is linear, the accuracy of the reading +will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +take the mean square error of these accuracy figures. + + +\section{Single Fault FMEA Analysis \\ of PT100 Four wire circuit} + +\subsection{Single Fault Modes as PLD} + +The component~failure~modes in table \ref{ptfmea} can be represented as contours +on a PLD diagram. +Each test case, is defined by the contours that enclose +it. The test cases here deal with single faults only +and are thus enclosed by one contour each. + + +\fmodegloss + + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/pt100_tc.png} + % pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{PT100 Component Failure Modes} + \label{fig:pt100_tc} +\end{figure} + +%ating input Fault +This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings. +To establish the valid voltage ranges for these, and knowing our +valid temperature range for this example ({0\oc} .. 
{300\oc}) we can calculate +valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd} +for the circuit shown in figure \ref{fig:vd}. + +% +%\begin{figure}[h] +% \centering +% \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./pt100/voltage_divider.png} +% % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 +% \caption{Voltage Divider} +% \label{fig:vd} +%\end{figure} +%%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. +% +%\begin{equation} +%\label{eqn:vd} +% V_{out} = V_{in}.\frac{Z2}{Z2+Z1} +%\end{equation} +% + + +\subsection{Proof of Out of Range \\ Values for Failures} +\label{pt110range} +Using the temperature ranges defined above we can compare the voltages +we would get from the resistor failures to prove that they are +`out of range'. There are six test cases and each will be examined in turn. + +\subsubsection{ TC 1 : Voltages $R_1$ SHORT } +With pt100 at 0\oc +$$ highreading = 5V $$ +Since the highreading or sense+ is directly connected to the 5V rail, +both temperature readings will be 5V.. +$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$ +With pt100 at the high end of the temperature range 300\oc. +$$ highreading = 5V $$ +$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$ + +Thus with $R_1$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\subsubsection{ TC 2 : Voltages $R_1$ OPEN } + +In this case the 5V rail is disconnected. All voltages read are 0V, and +therefore both readings are outside the +proscribed range in table \ref{ptbounds}. + + +\subsubsection{ TC 3 : Voltages $R_2$ SHORT } + +With pt100 at 0\oc +$$ lowreading = 0V $$ +Since the lowreading or sense- is directly connected to the 0V rail, +both temperature readings will be 0V. +$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$ +With pt100 at the high end of the temperature range 300\oc. 
+$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$ + +Thus with $R_2$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\subsubsection{ TC 4 : Voltages $R_2$ OPEN } +Here there is no potential divider operating and both sense lines +will read 5V, outside of the proscribed range. + + +\subsubsection{ TC 5 : Voltages $R_3$ SHORT } + +Here the potential divider is simply between +the two 2k2 load resistors. Thus it will read a nominal; +2.5V. + +Assuming the load resistors are +precision components, and then taking an absolute worst case of 1\% either way. + +$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ + +$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$ + +These readings both lie outside the proscribed range. +Also the sense+ and sense- readings would have the same value. + +\subsubsection{ TC 6 : Voltages $R_3$ OPEN } + +Here the potential divider is broken. The sense- will read 0V and the sense+ will +read 5V. Both readings are outside the proscribed range. + +\subsection{Summary of Analysis} + +All six test cases have been analysed and the results agree with the hypothesis +put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the +symptoms. In this case there is a common and easily detected symptom for all these single +resistor faults : Voltage out of range. + +A spider can be drawn on the PLD diagram to this effect. + +In practical use, by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds we can be confident that none of the +resistors in this circuit has failed. 
+ + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/pt100_tc_sp.png} + % pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{PT100 Component Failure Modes} + \label{fig:pt100_tc_sp} +\end{figure} + + +\subsection{Derived Component : The PT100 Circuit} +The PT100 circuit can now be treated as a component in its own right, and has one failure mode, +{\textbf OUT\_OF\_RANGE}. It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/pt100_singlef.png} + % pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{PT100 Circuit Failure Modes : From Single Faults Analysis} + \label{fig:pt100_singlef} +\end{figure} + + +%From the single faults (cardinality constrained powerset of 1) analysis, we can now create +%a new derived component, the {\empt100circuit}. This has only \{ OUT\_OF\_RANGE \} +%as its single failure mode. + + +%Interestingly we can calculate the failure statistics for this circuit now. +%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ??? +\clearpage +\subsection{Mean Time to Failure} + +Now that we have a model for the failure mode behaviour of the pt100 circuit +we can look at the statistics associated with each of the failure modes. + +The DOD electronic reliability of components +document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating +the +%$\frac{failures}{{10}^6}$ +${failures}/{{10}^6}$ % looks better +in hours for a wide range of generic components +\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F +can give conservative reliability figures when applied to +modern components}. 
+ +Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor +failure statistics we calculate the reliability of this circuit. + + +\subsubsection{Resistor FIT Calculations} + +The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor +is reproduced in equation \ref{resistorfit}. The meanings +and values assigned to its co-efficients are described in table \ref{tab:resistor}. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + +\fmodegloss + +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E + \label{resistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Fixed film resistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + ${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:resistor} +\end{table} + +Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor} +give the following failures in ${10}^6$ hours: + +\begin{equation} + 0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours} + \label{eqn:resistor} +\end{equation} + +While MIL-HDBK-217F gives MTTF for a wide range of common components, +it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}. 
+%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. +% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011 +This example +compromises and uses a 90:10 ratio, for resistor failure. +Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED +in the other 10\%. +A standard fixed film resistor, for use in a benign environment, non military spec at +temperatures up to 60\oc is given a probability of 13.8 failures per billion ($10^9$) +hours of operation (see equation \ref{eqn:resistor}). +This figure is referred to as a FIT\footnote{FIT values are measured as the number of +failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the +FIT number the more reliable the fault~mode} Failure in time. + +The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in +equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}. 
+ +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E + \label{thermistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Bead type Thermistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + %${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:thermistor} +\end{table} + + +\begin{equation} + 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours} + \label{eqn:thermistor} +\end{equation} + + +Thus thermistor, bead type, non military spec is given a FIT of 315.0 + +Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), +showing the FIT values for all faults considered. +\glossary{name={FIT}, description={Failure in Time (FIT). 
The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + + + +\begin{table}[h+] +\caption{PT100 FMEA Single // Fault Statistics} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\ +% R & wire & res + & res - & description +\hline +\hline +TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline +TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline + \hline +TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline +TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline +\hline +TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\ +TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline +\hline +\end{tabular} +\label{tab:stat_single} +\end{table} + +The FIT for the circuit as a whole is the sum of MTTF values for all the +test cases. The PT100 circuit here has a FIT of 342.6. This is a MTTF of +about 360 years per circuit. + +A Probablistic tree can now be drawn, with a FIT value for the PT100 +circuit and FIT values for all the component fault modes that it was calculated from. +We can see from this that that the most likely fault is the thermistor going OPEN. +This circuit is around 10 times more likely to fail in this way than in any other. +Were we to need a more reliable temperature sensor this would probably +be the fault~mode we would scrutinise first. + + +\begin{figure}[h+] + \centering + \includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png} + % stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327 + \caption{Probablistic Fault Tree : PT100 Single Faults} + \label{fig:stat_single} +\end{figure} + + +The PT100 analysis presents a simple result for single faults. 
+The next analysis phase looks at how the circuit will behave under double simultaneous failure +conditions. + +\clearpage +\section{ PT100 Double Simultaneous \\ Fault Analysis} + +In this section we examine the failure mode behaviour for all single +faults and double simultaneous faults. +This corresponds to the cardinality constrained powerset of +the failure modes in the functional group. +All the single faults have already been proved in the last section. +For the next set of test cases, let us again hypothesise +the failure modes, and then examine each one in detail with +potential divider equation proofs. + +Table \ref{tab:ptfmea2} lists all the combinations of double +faults and then hypothesises how the functional~group will react +under those conditions. + +\begin{table}[ht] +\caption{PT100 FMEA Double Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|l|c|c|l|l||} +\hline \hline + \textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline + TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline +\hline + TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline + TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline +\hline + + TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline +TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline +\hline + TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline + +\hline + TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline +TC 16: & $R_2$ OPEN $R_3$ SHORT 
& high & high & Both out of Range \\ \hline +TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline +\hline +\end{tabular} +\label{tab:ptfmea2} +\end{table} + +\subsection{Verifying complete coverage for a \\ cardinality constrained powerset of 2} + +\fmodegloss + + +It is important to check that we have covered all possible double fault combinations. +We can use the equation \ref{eqn:correctedccps2} +\ifthenelse {\boolean{paper}} +{ +from the definitions paper +\ref{pap:compdef} +, +reproduced below to verify this. + +\indent{ + where: + \begin{itemize} + \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes. + \item The indexed set $C_j$ represents all components in set $SU$. + \item The function $FM$ takes a component as an argument and returns its set of failure modes. + \item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults. + \end{itemize} +} +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + \label{eqn:correctedccps2} +\end{equation} + +} +{ +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + %\label{eqn:correctedccps2} +\end{equation} +} + + +$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes. + +% +% Factorial of zero is one ! You can only arrange an empty set one way ! + +Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2. +%is always 2 for this circuit, as all the components are resistors and have two failure modes. 
+ +\begin{equation} + |{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}} +- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} } + %\label{eqn:correctedccps2} +\end{equation} + +$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check +under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time). + +Expanding the sumations + + +$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$ + +$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$ + +As the test case are all different and are of the correct cardinalities (6 single faults and (15-3) double) +we can be confident that we have looked at all `double combinations', of the possible faults +in the pt100 circuit. The next task is to investigate +these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. + + +\subsection{Proof of Double Faults Hypothesis } + +\subsubsection{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } +\label{pt100:bothfloating} +This double fault mode produces an interesting symptom. +Both sense lines are floating. +We cannot know what the {\adctw} readings on them will be. +In practise these would probably float to low values +but for the purpose of a safety critical analysis +all we can say is the values are `floating' and `unknown'. +This is an interesting case, because it is, at this stage an undetectable +fault that must be handled. + + +\subsubsection{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } + +This cuts the supply from Vcc. Both sense lines will be at zero. +Thus both values will be out of range. + + +\subsubsection{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN } + +Sense- will be floating. +Sense+ will be tied to Vcc and will thus be out of range. 
+ +\subsubsection{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT } + +This shorts ground to the +both of the sense lines. +Both values thuis out of range. + +\subsubsection{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN } + +This shorts both sense lines to Vcc. +Both values will be out of range. + + +\subsubsection{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + + + + + + + + + +\subsubsection{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + +\subsubsection{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +\subsubsection{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN } + +This shorts the sense+ to Vcc and causes sense- to float. +The sense+ value will be out of range. + + +\subsubsection{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + + + + + +\subsubsection{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN } + +This shorts the sense- to Ground. +The sense- value will be out of range. + + +\subsubsection{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +\clearpage +\subsection{Double Faults Represented on a PLD Diagram} + +We can show the test cases on a diagram with the double faults residing on regions +corresponding to overlapping contours see figure \ref{fig:plddouble}. +Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour. 
+ + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{PT100 Double Simultaneous Faults} + \label{fig:plddouble} +\end{figure} + +We use equation \ref{eqn:correctedccps2} to verify complete coverage for +a given cardinality constraint is not visually obvious. +% +From the diagram it is easy to verify +the number of failure modes considered for each test case, but +not that all for a given cardinality constraint have been included. + +\subsubsection{Symptom Extraction} + +We can now examine the results of the test case analysis and apply symptom abstraction. +In all the test case results we have at least one out of range value, except for +$TC\_7$ +which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$, +into the symptom $OUT\_OF\_RANGE$. +As a symptom $TC\_7$ could be described as $FLOATING$. We can thus draw a PLD diagram representing the +failure modes of this functional~group, the pt100 circuit from the perspective of double simultaneous failures, +in figure \ref{fig:pt100_doublef}. + + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{PT100 Double Simultaneous Faults} + \label{fig:plddoublesymptom} +\end{figure} + + +\clearpage +\subsection{Derived Component : The PT100 Circuit} +The PT100 circuit again, can now be treated as a component in its own right, and has two failure modes, +{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. +It can now be represented as a PLD see figure \ref{fig:pt100_doublef}. 
+ +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/pt100_doublef.png} + % pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{PT100 Circuit Failure Modes : From Double Faults Analysis} + \label{fig:pt100_doublef} +\end{figure} + +\subsection{Statistics} + +%% +%% Need to talk abou the `detection time' +%% or `Safety Relevant Validation Time' ref can book +%% EN61508 gives detection calculations to reduce +%% statistical impacts of failures. +%% + +If we consider the failure modes to be statistically independent we can calculate +the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition +requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF +together and find an MTTF for both failing. The FIT value of 12.42 corresponds to +$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $. +This is an astronomically small MTTF, and so small that it would +probably fall below a threshold to sensibly consider. +However, it is very interesting from a failure analysis perspective, +because here we have found a fault that we cannot detect at this +level. This means that should we wish to cope with +this fault, we need to devise a way of detecting this +condition in higher levels of the system. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + + + +\vspace{20pt} + +%typeset in {\Huge \LaTeX} \today diff --git a/submission_thesis/CH5_Examples/plddouble.dia b/submission_thesis/CH5_Examples/plddouble.dia new file mode 100644 index 0000000..5b11cc5 Binary files /dev/null and b/submission_thesis/CH5_Examples/plddouble.dia differ 
diff --git a/submission_thesis/CH5_Examples/plddoublesymptom.dia b/submission_thesis/CH5_Examples/plddoublesymptom.dia new file mode 100644 index 0000000..157cc94 Binary files /dev/null and b/submission_thesis/CH5_Examples/plddoublesymptom.dia differ diff --git a/submission_thesis/CH5_Examples/pt100.dia b/submission_thesis/CH5_Examples/pt100.dia new file mode 100644 index 0000000..c151050 Binary files /dev/null and b/submission_thesis/CH5_Examples/pt100.dia differ diff --git a/submission_thesis/CH5_Examples/pt100_doublef.dia b/submission_thesis/CH5_Examples/pt100_doublef.dia new file mode 100644 index 0000000..2f65a34 Binary files /dev/null and b/submission_thesis/CH5_Examples/pt100_doublef.dia differ diff --git a/submission_thesis/CH5_Examples/pt100_singlef.dia b/submission_thesis/CH5_Examples/pt100_singlef.dia new file mode 100644 index 0000000..3aef3d5 Binary files /dev/null and b/submission_thesis/CH5_Examples/pt100_singlef.dia differ diff --git a/submission_thesis/CH5_Examples/pt100_tc.dia b/submission_thesis/CH5_Examples/pt100_tc.dia new file mode 100644 index 0000000..1598785 Binary files /dev/null and b/submission_thesis/CH5_Examples/pt100_tc.dia differ diff --git a/submission_thesis/CH5_Examples/pt100_tc_sp.dia b/submission_thesis/CH5_Examples/pt100_tc_sp.dia new file mode 100644 index 0000000..50e022f Binary files /dev/null and b/submission_thesis/CH5_Examples/pt100_tc_sp.dia differ diff --git a/submission_thesis/CH5_Examples/stat_single.dia b/submission_thesis/CH5_Examples/stat_single.dia new file mode 100644 index 0000000..99a2af3 Binary files /dev/null and b/submission_thesis/CH5_Examples/stat_single.dia differ diff --git a/submission_thesis/CH5_Examples/voltage_divider.png b/submission_thesis/CH5_Examples/voltage_divider.png new file mode 100644 index 0000000..a9d32a5 Binary files /dev/null and b/submission_thesis/CH5_Examples/voltage_divider.png differ 
diff --git a/submission_thesis/CH5_Examples/vrange.dia b/submission_thesis/CH5_Examples/vrange.dia new file mode 100644 index 0000000..e564196 Binary files /dev/null and b/submission_thesis/CH5_Examples/vrange.dia differ
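Review bot: the TC 9 analysis ($R_1$ OPEN $R_3$ OPEN) contradicts the circuit behaviour stated elsewhere in this hunk: TC 2 says $R_1$ OPEN disconnects the 5V rail, and TC 6 says that with $R_3$ OPEN sense- reads 0V through $R_2$, so with both open sense+ is floating (as in TC 7 and TC 15) and sense- reads 0V, not "Sense+ will be tied to Vcc" with sense- floating. The row `TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range` in the double-fault table should therefore read floating / low / sense- out of range, mirroring the TC 15 row, and the symptom extraction paragraph should note that TC 9, like TC 15, is collected into OUT\_OF\_RANGE only because one sense line is out of range. Smaller points in the same hunk: in TC 3 the second equation `lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V` computes the sense+ (highreading) value, and the sentence "both temperature readings will be 0V" conflicts with it (TC 1 has the same wording problem, where only sense+ sits at 5V); the single-fault subsections number $R_2$ SHORT/OPEN as TC 3/TC 4 and $R_3$ as TC 5/TC 6, while the single-fault statistics table swaps them (TC:3 and TC:4 are $R_3$, TC:5 and TC:6 are $R_2$), so one of the two should be renumbered; the populated coverage equation introduces an undefined index $p$ in the subtracted term where the expansion below correctly uses $2!$; `\begin{table}[h+]` (and the matching `\begin{figure}[h+]`) is not a valid float placement specifier and will not compile, so use `[h]` or `[ht]`; the thermistor equation still carries the `resistor{\lambda}_p` left-hand side copied from the resistor formula; the statistics table header and the sentence "the sum of MTTF values" describe FIT values, not MTTF, and 342.6 FIT corresponds to about 333 years rather than 360; and in the Statistics subsection squaring a per-hour rate ($12.42 \times 10^{-9}$) gives a quantity in failures per hour squared rather than a FIT, so the joint-failure figure for the FLOATING condition needs the exposure or detection interval that the commented-out note on EN61508 detection time already flags.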