From 8faade65ce4cbc2c75eb6a9c50b85711d4024557 Mon Sep 17 00:00:00 2001 From: robin Date: Mon, 26 Mar 2012 20:01:01 +0100 Subject: [PATCH] Put PT100 into the submission thesis --- submission_thesis/CH4_FMMD/copy.tex | 581 +++++++ submission_thesis/CH5_Examples/Makefile | 10 +- submission_thesis/CH5_Examples/copy.tex | 1489 ++++++++++------- submission_thesis/CH5_Examples/plddouble.dia | Bin 0 -> 2347 bytes .../CH5_Examples/plddoublesymptom.dia | Bin 0 -> 3437 bytes submission_thesis/CH5_Examples/pt100.dia | Bin 0 -> 3099 bytes .../CH5_Examples/pt100_doublef.dia | Bin 0 -> 861 bytes .../CH5_Examples/pt100_singlef.dia | Bin 0 -> 766 bytes submission_thesis/CH5_Examples/pt100_tc.dia | Bin 0 -> 1488 bytes .../CH5_Examples/pt100_tc_sp.dia | Bin 0 -> 2002 bytes .../CH5_Examples/stat_single.dia | Bin 0 -> 2322 bytes .../CH5_Examples/voltage_divider.png | Bin 0 -> 2540 bytes submission_thesis/CH5_Examples/vrange.dia | Bin 0 -> 1871 bytes 13 files changed, 1500 insertions(+), 580 deletions(-) create mode 100644 submission_thesis/CH5_Examples/plddouble.dia create mode 100644 submission_thesis/CH5_Examples/plddoublesymptom.dia create mode 100644 submission_thesis/CH5_Examples/pt100.dia create mode 100644 submission_thesis/CH5_Examples/pt100_doublef.dia create mode 100644 submission_thesis/CH5_Examples/pt100_singlef.dia create mode 100644 submission_thesis/CH5_Examples/pt100_tc.dia create mode 100644 submission_thesis/CH5_Examples/pt100_tc_sp.dia create mode 100644 submission_thesis/CH5_Examples/stat_single.dia create mode 100644 submission_thesis/CH5_Examples/voltage_divider.png create mode 100644 submission_thesis/CH5_Examples/vrange.dia diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index 19c375f..e2aaa78 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex @@ -1,5 +1,586 @@ \section{Copy dot tex} + + +\subsection{An algebraic notation for identifying FMMD enitities} +Consider all `components' to exist as +members of a set $\mathcal{C}$. +% +Each component $c$ has an associated set of failure modes. +We can define a function $fm$ that returns a +set of failure modes $F$, for the component $c$. + +Let the set of all possible components be $\mathcal{C}$ +and let the set of all possible failure modes be $\mathcal{F}$. + +We now define the function $fm$ +as +\begin{equation} +\label{eqn:fm} +fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. +\end{equation} +This is defined by, where $c$ is a component and $F$ is a set of failure modes, +$ fm ( c ) = F. $ + +We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection +of components. +%We thus define $FG$ as a set of chosen components defining +%a {\fg}; all functional groups +We can state that +{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ + +We can overload the $fm$ function for a functional group {\FG} +where it will return all the failure modes of the components in {\FG} + + +given by + +$$ fm ({\FG}) = F. $$ + +Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, + +\begin{equation} +fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. +\end{equation} + + +%$$ \mathcal{fm}(C) \rightarrow S $$ +%$$ {fm}(C) \rightarrow S $$ +\paragraph{Abstraction Levels of {\fgs} and {\dcs}} + + +\label{sec:indexsub} +We can indicate the abstraction level of a component by using a superscript. +Thus for the component $c$, where it is a `base component' we can assign it +the abstraction level zero, $c^0$. Should we wish to index the components +(for example as in a product parts-list) we can use a sub-script. +Our base component (if first in the parts-list) could now be uniquely identified as +$c^0_1$. + +We can further define the abstraction level of a {\fg}. +We can say that it is the maximum abstraction level of any of its +components. Thus a functional group containing only base components +would have an abstraction level zero and could be represented with a superscript of zero thus +`${\FG}^0$'. % The functional group set may also be indexed. + +We can apply symptom abstraction to a {\fg} to find +its symptoms. +%We are interested in the failure modes +%of all the components in the {\fg}. An analysis process +We define the symptom abstraction process with the symbol `$\bowtie$'.% is applied to the {\fg}. +% +The $\bowtie$ function takes a {\fg} +as an argument and returns a newly created {\dc}. +% +%The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}. +The symptom abstraction process must always raise the abstraction level +for the newly created {\dc}. +Using $\abslevel$ to symbolise the fault abstraction level, we can now state: + +$$ \bowtie({\FG}^{\abslevel}) \rightarrow c^{{\abslevel}+N} | N \ge 1. $$ + +\paragraph{Functional Groups may be indexed} +We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one) +we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index. +For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy. + +\paragraph{The symptom abstraction process in outline.} +The $\bowtie$ function processes each component in the {\fg} and +extracts all the component failure modes. +With all the failure modes, an analyst can +determine how each failure mode will affect the {\fg}, and then collect common symptoms. +A new {\dc} is created +where its failure modes, are the symptoms from {\fg}. +Note that the component must have a higher abstraction level than the {\fg} +it was derived from. + + +\paragraph{Surjective constraint applied to symptom collection.} +We can stipulate that symptom collection process is surjective. +% i.e. $ \forall f in F $ +By stipulating surjection for symptom collection, we ensure +that each component failure mode maps to at least one symptom. +We also ensure that all symptoms have at least one component failure +mode (i.e. one or more failure modes that caused it). +% + +\subsection{FMMD Hierarchy} + +By applying stages of analysis to higher and higher abstraction +levels, we can converge to a complete failure mode model of the system under analysis. +Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms) +the number of symptoms is guaranteed to be less than or equal to +the number of component failure modes. + +In practise however, the number of symptoms greatly reduces as we traverse +up the hierarchy. +This is a natural process. When we have complicated systems +they always have a small number of system failure modes in comparison to +the number of failure modes in its sub-systems/components.. + + +\section{Examples of Derived Component like concepts in safety literature} + +Idea stage on this section, integrated circuits and some compond parts (like digital resistors) +are treated like base components. i.e. this sets a precedent for {\dcs}. + +\begin{itemize} + \item Look at OPAMP circuits, pick one (say $\mu$741) + \item Digital transistor perhaps, inside two resistors and a transistor. + \item outline a proposed FMMD analysis + \item Show FMD-91 OPAMP failure modes -- compare with FMMD +\end{itemize} + +The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors +(and for some types of resistors OPEN only). +FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes. +Now a resistor will generally only suffer parameter change when over stressed. +EN298 stipulates down rating by 60\% to maximum stress +possible in a circuit. So even if you have a resistor that preliminary tells you would +never be subjected to say more than 5V, but there is say, a 24V rail +on the circuit, you have to choose resistors able to cope with the 24V +stress/load and then down rate by 60\%. That is to say the resitor should be rated for a maximum +voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$. +Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals. + +\clearpage +Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself. + + +\subsection{{\fgs} Sharing components and Hierarchy} + +With electronics we need to follow the signal path to make sense of failure modes +effects on other parts of the circuit further down that path. +%{\fgs} will naturally have to be in the position of starter +A power-supply is naturally first in a signal path (or failure reasoning path). +That is to say, if the power-supply is faulty, its failure modes are likely to affect +the {\fgs} that have to use it. + +This means that most electronic components should be placed higher in an FMMD +hierarchy than the power-supply. +A shorted de-coupling capactitor caused a `symptom' of the power-supply, +and an open de-coupling capactitor should be considered a `failure~mode' relevant to the logic chip. +% to consider. + +If components can be shared between functional groups, this means that components +must be shareable between {\fgs} at different levels in the FMMD hierarchy. +This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown +in figure~\ref{fig:shared_component}. + +\begin{figure} + \centering + \includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png} + % shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670 + \caption{Optionally shared Component} + \label{fig:shared_component} +\end{figure} + +\subsection{Hierarchy and structure} +By having this structure, the logic circuit element, can accept failure modes from the +power-supply (for instance these might, for the sake of example include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$. +Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say. +But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy. + +\pagebreak[4] +\section{Defining the concept of `comparison~complexity' in FMEA} + +% +% DOMAIN == INPUTS +% RANGE == OUTPUTS +% + +When performing FMEA we have a system under investigation, which will +comprise of a collection of components which have associated failure modes. +The object of FMEA is to determine cause and effect: +from the failure modes (the causes) to the effects (or symptoms of failure). +% +To perform FMEA rigorously +we could stipulate that every failure mode must be checked for effects +against all the components in the system. +We could term this `rigorous~FMEA'~(RFMEA). +The number of checks we have to make to achieve this gives an indication of the complexity of the task. +% +We could term this `comparison~complexity', as it is the number of +paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group. + + +% (except its self of course, that component is already considered to be in a failed state!). +% +Obviously, for a small number of components and failure modes we have a smaller number +of checks to make than for a complicated larger system. +% +We can consider the system as a large {\fg} of components. +We represent the number of components in the {\fg} $G$, by +$ | G | $ +(an indexing and sub-scripting notation to identify particular {\fgs} +within an FMMD hierarchy is given in section~\ref{sec:indexsub}). + +The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}). +We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$ + +If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express +the number of checks required to rigorously examine every +failure mode against all the other components in the system. +We can define this as a function, Comparison Complexity, $CC$, with its domain as the system +or {\fg}, $\FG$, and +its range as the number of checks to perform to satisfy a rigorous FMEA inspection. + +Where $\mathcal{\FG}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by, +\begin{equation} +%$$ + CC:\mathcal{\FG} \rightarrow \mathbb{N}, +%$$ +\end{equation} + +and, where n is the number of components in the system/{\fg}, $|fm(c_i)|$ is the number of failure modes +in component ${c_i}$, is given by + +\begin{equation} +\label{eqn:CC} +%$$ + %%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1) + CC(\FG) = (n-1) \sum_{1 \le i \le n} fm(c_i). +%$$ +\end{equation} + +This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$); +equation~\ref{eqn:CC} becomes + +%$$ +\begin{equation} +\label{eqn:rd2} + CC(\FG) = K.(|\FG|-1). +\end{equation} +%$$ +%Equation~\ref{eqn:rd} can also be expressed as +% +% \begin{equation} +% \label{eqn:rd2} +% %$$ +% CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} . +% %$$ +% \end{equation} +\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy} + +An FMMD Hierarchy will have reducing numbers of functional groups as we progress up the hierarchy. +In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to +all {\fgs} on each level. + +We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), +defined by + +\begin{equation} +%$$ +g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) . +%$$ +\end{equation} + +Where $L$ represents the number of levels in the FMMD hierarchy, +$|g(\xi)|$ represents the number of functional groups on the level +and $H$ represents an FMMD hierarchy, +we overload the comparison complexity thus: +%$$ +\begin{equation} + \label{eqn:gf} + CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}). +%$$ +\end{equation} + + +\pagebreak[4] +\subsection{Complexity Comparison Examples} + +The potential divider discussed in section~\ref{potdivfmmd} has four failure modes and two components and therefore has $CC$ of 4. +$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$ + +Even considering a $fictitious$ system with just 81 components (with these components +having 3 failure modes each) we would have an $CC$ of + +$$CC(fictitious) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$ + +Ensuring all component failure modes are checked against all other components in a system +-- applying FMEA rigorously -- could be termed +Rigorous FMEA (RFMEA). +The computational order for RFMEA would be polynomial ($O(N^2.K)$) (where $K$ is the variable number of failure modes). + +This order may be acceptable in a computational environment: However, the choosing of {\fgs} and the analysis +process are by-hand/human activities. It can be seen that it is practically impossible to achieve +RFMEA for anything but trivial systems. +% +% Next statement needs alot of justification +% +It is the authors belief that FMMD reduces the comparison complexity enough to make +rigorous checking feasible. + + +\pagebreak[4] +%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD} + +\begin{figure} + \centering + \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png} + % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385 + \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$} + \label{fig:three_tree} +\end{figure} + + + +\subsection{Comparing FMMD and RFMEA comparison complexity} + +Because components have variable numbers of failure modes, +and {\fgs} have variable numbers of components it is difficult to +use the general formula for comparing the number of checks to make for +RFMEA and FMMD. +If we were to create an example by fixing the number of components in a {\fg} +and the number of failure modes per component, we can derive formulae +to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to +all components in a system. + +Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), +$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and +$L$ to be the number of levels in the hierarchy of an FMMD analysis. +We can represent the number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy +with equation~\ref{eqn:anscen}. + +\begin{equation} + \label{eqn:anscen} + \sum_{n=0}^{L} {k}^{n}.k.f.(k-1) +\end{equation} + +The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top -- +there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level. +The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$ +checked against the remaining components in the {\fg} $(k-1)$. + +If, for the sake of example we fix the number of components in a {\fg} to three and +the number of failure modes per component to three, an FMMD hierarchy +would look like figure~\ref{fig:three_tree}. + +\subsection{Worked Example} + +Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis. +Starting at the top, we have a {\fg} with three derived components, each of which has +three failure modes. +Thus the number of checks to make in the top level is $3^0.3.2.3=18$. +On the level below that, we have three {\fgs} each with a +an identical number of checks, $3^1.3.2.3=56$.%{\fg} +On the level below that we have nine {\fgs}, $3^2.3.2.3=168$. +Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}} +{\fgs}). + +If we were to take the system represented in figure~\ref{fig:three_tree}, and +apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC}, +$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $fm(c_n)$ is 3 +and $(|G|-1)$ is 26. +This gives: +$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$. + +In order to get general equations with which to compare RFMEA with FMMD +we can re-write equation~\ref{eqn:CC} in terms of the number of levels +in an FMMD hierarchy. +% +The number of components in the system, is number of components +in a {\fg} raised to the power of the level plus one. +Thus we re-write equation~\ref{eqn:CC} as: + + +\begin{equation} + \label{eqn:fmea_state_exp21} + \sum_{n=1}^{k^{L+1}}.(k^{L+1}-1).f \; , % \\ + %(N^2 - N).f +\end{equation} + +or + +\begin{equation} + \label{eqn:fmea_state_exp22} + k^{L+1}.(k^{L+1}-1).f \;. % \\ + %(N^2 - N).f +\end{equation} + +We can now use equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$) +the two approaches, for the work required to perform rigorous checking. + + +For instance, having four levels +of FMMD analysis, with these fixed numbers, +%(in addition to the top zeroth level) +will require 81 base level components. + +$$ +%\begin{equation} + \label{eqn:fmea_state_exp22} + 3^4.(3^4-1).3 = 81.(81-1).3 = 19440 % \\ + %(N^2 - N).f +%\end{equation} +$$ + +$$ +%\begin{equation} + % \label{eqn:anscen} + \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 +%\end{equation} +$$ + +% \subsection{Exponential squared to Exponential} +% +% can I say that ? + +\section{Problems in choosing membership of functional groups} + +\subsection{Side Effects: A Problem for FMMD analysis} +A problem with modularising according to functionality is that we can have component failures that would +intuitively be associated with one {\fg} that may cause unintended side effects in other +{\fgs}. +For instance were we to have a component that on failing $SHORT$ could bring down +a voltage supply rail, this could have drastic consequences for other +functional groups in the system we are examining. + +\pagebreak[3] +\subsubsection{Example de-coupling capacitors in logic circuits} + +A good example of this, are de-coupling capacitors, often used +over the power supply pins of all chips in a digital logic circuit. +Were any of these capacitors to fail $SHORT$ they could bring down +the supply voltage to the other logic chips. + + +To a power-supply, shorted capacitors on the supply rails +are a potential source of the symptom, $SUPPLY\_SHORT$. +In a logic chip/digital circuit {\fg} open capacitors are a potential +source of symptoms caused by the failure mode $INTERFERENCE$. +So we have a `symptom' of the power-supply, and a `failure~mode' of + the logic chip to consider. + +A possible solution to this is to include the de-coupling capacitors +in the power-supply {\fg}. +% decision, could they be included in both places ???? +% I think so + + +Because the capacitor has two potential failure modes (EN298) +this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to +a power-supply module (but there might be additional noise on its output rails). +But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$. + +Some logic chips are more susceptible to $INTERFERENCE$ than others. +A logic chip with de-coupling capacitor failing, may operate correctly +but interfere with other chips in the circuit. + +There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}. +This allows for the general principle of a component failure affecting more than one {\fg} in a circuit. +This allows functional groups to share components where necessary. +This does not break the modularity of the FMMD technique, because, as {\irl} +one component failure may affect more than one sub-system. +It does uncover a weakness in the FMMD methodology though. +It could be very easy to miss the side effect and include +the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. + + + +\section{Double Simultaneous Failures} + +The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low. +However, some critical systems have to consider these type of eventualities. +The burner control industry has to consider double failures, as specified in European Norm +EN298~\cite{en298}. EN298 does not specifically state that +double simultaneous failures must be considered. What it does say is that +in the event of a lockout---a condition where an error has been detected and +the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition. +% +This is slightly vague: there are so many possible component failures that could +cause a secondary failure, that it is very difficult not to interpret this +as meaning we have to cater for double simultaneous failures for the most critical sections +of a burner control system. +% +In practise---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel +is not allowed to flow under an error condition. This would of course leave the possibility of +other more complex double failures tricking the controller into thinking the +combustion was actually safe when it was not. +% +It would be impractical to +perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller. + +It has been shown that, for all but trivial small systems, double failure mode checking +is impossible from a practical perspective. +FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature +of choosing {\fgs} we will not (in the initial stages) be cross checking all possible +combinations of double failures in all the components. + +The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks +to model failure mode scenarios. The failure scenario is defined by the contours that enclose it. +Consider a system which has four components $c_1 \ldots c_4$. +Consider that each of these components may fail in two ways: $a$ and $b$, i.e $fm(c_1) = fm(c_2) = \{a,b\}$. +Now consider two {\fgs}, $fg1 = \{ c_1, c_2 \}$ and $fg2 = \{ c_3, c_4 \}$. + +We list all the possible failure scenarios as $FS1 \ldots FS6$ for each functional group. +For instance $FS5$ is the result of component $c_2$ failing with failure mode $a$ and component $c_1$ failing +with failure mode $b$. We can express this as $c_2 a \cup c_1 b$. + + +\begin{figure}[h] + \centering + \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/dubsim1.png} + % dubsim1.png: 612x330 pixel, 72dpi, 21.59x11.64 cm, bb=0 0 612 330 + \caption{Simultaneous Failure Mode Scenarios} + \label{fig:dubsim1} +\end{figure} + + + +From figure~\ref{fig:dubsim1} we can see that the double failure modes within the {\fgs} have been examined. +How do we model the double failures that occur across the {\fgs}, for instance +$c_4 a \cup c_1 a$. +It could be argued that because functional groups are chosen for their functionality, and re-usability +that component failures in one should not affect a different {\fg}, but this is a weak argument. +Merely double checking within {\fgs} would be marginally better than +only applying it to the most obvious critical elements of a system. + +What is really required is a way that all double simultaneous failures +are checked. + +One way of doing this is to apply double failure mode +checking to all {\fgs} higher up in the hierarchy. + +This guarantees to check the symptoms caused by the +failure modes in the other {\fgs} with the symptoms +derived from the other {\fgs} modelling for double failures. +% +By traversing down the tree we can automatically determine which +double simultaneous combinations have not been resolved. +% +By applying double simultaneous checking until no single failures +canlead to a top level event, we +double failure move coverage. + +To extend the example in figure~\ref{fig:dubsim1} we can map the failure +scenarios. +For Functional Group 1 (FG1), let us map: +\begin{eqnarray*} + FS1 & \mapsto & S1 \\ + FS2 & \mapsto & S3 \\ + FS3 & \mapsto & S1 \\ + FS4 & \mapsto & S2 \\ + FS5 & \mapsto & S2 \\ + FS6 & \mapsto & S3 +\end{eqnarray*} + +Thus a derived component, DC1, has the failure modes defined by $fm(DC1) = \{ S1, S2, S3 \}$. + + +For Functional Group 2 (FG2), let us map: +\begin{eqnarray*} + FS1 & \mapsto & S4 \\ + FS2 & \mapsto & S5 \\ + FS3 & \mapsto & S5 \\ + FS4 & \mapsto & S4 \\ + FS5 & \mapsto & S6 \\ + FS6 & \mapsto & S5 +\end{eqnarray*} + +%This AUTOMATIC check can reveal WHEN double checking no longer necessary +%in the hierarchy to cover dub sum !!!!! YESSSS sample text sample text sample text diff --git a/submission_thesis/CH5_Examples/Makefile b/submission_thesis/CH5_Examples/Makefile index cd64751..9c17cc5 100644 --- a/submission_thesis/CH5_Examples/Makefile +++ b/submission_thesis/CH5_Examples/Makefile @@ -1,6 +1,14 @@ -PNG_DIA = circuit1_dag.png mvampcircuit.png pd.png invamp.png shared_component.png tree_abstraction_levels.png three_tree.png blockdiagramcircuit2.png circuit2h.png bubba_oscillator_block_diagram.png dubsim1.png poss1finalbubba.png poss2finalbubba.png +PNG_DIA = blockdiagramcircuit2.png bubba_oscillator_block_diagram.png circuit1_dag.png circuit2h.png \ + dubsim1.png invamp.png mvampcircuit.png pd.png plddouble.png plddoublesymptom.png \ + poss1finalbubba.png poss2finalbubba.png pt100.png pt100_doublef.png pt100_singlef.png \ + pt100_tc.png pt100_tc_sp.png shared_component.png stat_single.png three_tree.png \ + tree_abstraction_levels.png vrange.png + + + +%= circuit1_dag.png mvampcircuit.png pd.png invamp.png shared_component.png tree_abstraction_levels.png three_tree.png blockdiagramcircuit2.png circuit2h.png bubba_oscillator_block_diagram.png dubsim1.png poss1finalbubba.png poss2finalbubba.png diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index f1d1580..16721ea 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex @@ -448,585 +448,6 @@ Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creati is shown as a `$\bowtie$' symbol. -\subsection{An algebraic notation for identifying FMMD enitities} -Consider all `components' to exist as -members of a set $\mathcal{C}$. -% -Each component $c$ has an associated set of failure modes. -We can define a function $fm$ that returns a -set of failure modes $F$, for the component $c$. - -Let the set of all possible components be $\mathcal{C}$ -and let the set of all possible failure modes be $\mathcal{F}$. - -We now define the function $fm$ -as -\begin{equation} -\label{eqn:fm} -fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}. -\end{equation} -This is defined by, where $c$ is a component and $F$ is a set of failure modes, -$ fm ( c ) = F. $ - -We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection -of components. -%We thus define $FG$ as a set of chosen components defining -%a {\fg}; all functional groups -We can state that -{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $ - -We can overload the $fm$ function for a functional group {\FG} -where it will return all the failure modes of the components in {\FG} - - -given by - -$$ fm ({\FG}) = F. $$ - -Generally, where $\mathcal{{\FG}}$ is the set of all functional groups, - -\begin{equation} -fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}. -\end{equation} - - -%$$ \mathcal{fm}(C) \rightarrow S $$ -%$$ {fm}(C) \rightarrow S $$ -\paragraph{Abstraction Levels of {\fgs} and {\dcs}} - - -\label{sec:indexsub} -We can indicate the abstraction level of a component by using a superscript. -Thus for the component $c$, where it is a `base component' we can assign it -the abstraction level zero, $c^0$. Should we wish to index the components -(for example as in a product parts-list) we can use a sub-script. -Our base component (if first in the parts-list) could now be uniquely identified as -$c^0_1$. - -We can further define the abstraction level of a {\fg}. -We can say that it is the maximum abstraction level of any of its -components. Thus a functional group containing only base components -would have an abstraction level zero and could be represented with a superscript of zero thus -`${\FG}^0$'. % The functional group set may also be indexed. - -We can apply symptom abstraction to a {\fg} to find -its symptoms. -%We are interested in the failure modes -%of all the components in the {\fg}. An analysis process -We define the symptom abstraction process with the symbol `$\bowtie$'.% is applied to the {\fg}. -% -The $\bowtie$ function takes a {\fg} -as an argument and returns a newly created {\dc}. -% -%The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}. -The symptom abstraction process must always raise the abstraction level -for the newly created {\dc}. -Using $\abslevel$ to symbolise the fault abstraction level, we can now state: - -$$ \bowtie({\FG}^{\abslevel}) \rightarrow c^{{\abslevel}+N} | N \ge 1. $$ - -\paragraph{Functional Groups may be indexed} -We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one) -we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index. -For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy. - -\paragraph{The symptom abstraction process in outline.} -The $\bowtie$ function processes each component in the {\fg} and -extracts all the component failure modes. -With all the failure modes, an analyst can -determine how each failure mode will affect the {\fg}, and then collect common symptoms. -A new {\dc} is created -where its failure modes, are the symptoms from {\fg}. -Note that the component must have a higher abstraction level than the {\fg} -it was derived from. - - -\paragraph{Surjective constraint applied to symptom collection.} -We can stipulate that symptom collection process is surjective. -% i.e. $ \forall f in F $ -By stipulating surjection for symptom collection, we ensure -that each component failure mode maps to at least one symptom. -We also ensure that all symptoms have at least one component failure -mode (i.e. one or more failure modes that caused it). -% - -\subsection{FMMD Hierarchy} - -By applying stages of analysis to higher and higher abstraction -levels, we can converge to a complete failure mode model of the system under analysis. -Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms) -the number of symptoms is guaranteed to be less than or equal to -the number of component failure modes. - -In practise however, the number of symptoms greatly reduces as we traverse -up the hierarchy. -This is a natural process. When we have complicated systems -they always have a small number of system failure modes in comparison to -the number of failure modes in its sub-systems/components.. - - -\section{Examples of Derived Component like concepts in safety literature} - -Idea stage on this section, integrated circuits and some compond parts (like digital resistors) -are treated like base components. i.e. this sets a precedent for {\dcs}. - -\begin{itemize} - \item Look at OPAMP circuits, pick one (say $\mu$741) - \item Digital transistor perhaps, inside two resistors and a transistor. - \item outline a proposed FMMD analysis - \item Show FMD-91 OPAMP failure modes -- compare with FMMD -\end{itemize} - -The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors -(and for some types of resistors OPEN only). -FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes. -Now a resistor will generally only suffer parameter change when over stressed. -EN298 stipulates down rating by 60\% to maximum stress -possible in a circuit. So even if you have a resistor that preliminary tells you would -never be subjected to say more than 5V, but there is say, a 24V rail -on the circuit, you have to choose resistors able to cope with the 24V -stress/load and then down rate by 60\%. That is to say the resitor should be rated for a maximum -voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$. -Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals. - -\clearpage -Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself. - - -\subsection{{\fgs} Sharing components and Hierarchy} - -With electronics we need to follow the signal path to make sense of failure modes -effects on other parts of the circuit further down that path. -%{\fgs} will naturally have to be in the position of starter -A power-supply is naturally first in a signal path (or failure reasoning path). -That is to say, if the power-supply is faulty, its failure modes are likely to affect -the {\fgs} that have to use it. - -This means that most electronic components should be placed higher in an FMMD -hierarchy than the power-supply. -A shorted de-coupling capactitor caused a `symptom' of the power-supply, -and an open de-coupling capactitor should be considered a `failure~mode' relevant to the logic chip. -% to consider. - -If components can be shared between functional groups, this means that components -must be shareable between {\fgs} at different levels in the FMMD hierarchy. -This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown -in figure~\ref{fig:shared_component}. - -\begin{figure} - \centering - \includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png} - % shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670 - \caption{Optionally shared Component} - \label{fig:shared_component} -\end{figure} - -\subsection{Hierarchy and structure} -By having this structure, the logic circuit element, can accept failure modes from the -power-supply (for instance these might, for the sake of example include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$. -Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say. -But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy. - -\pagebreak[4] -\section{Defining the concept of `comparison~complexity' in FMEA} - -% -% DOMAIN == INPUTS -% RANGE == OUTPUTS -% - -When performing FMEA we have a system under investigation, which will -comprise of a collection of components which have associated failure modes. -The object of FMEA is to determine cause and effect: -from the failure modes (the causes) to the effects (or symptoms of failure). -% -To perform FMEA rigorously -we could stipulate that every failure mode must be checked for effects -against all the components in the system. -We could term this `rigorous~FMEA'~(RFMEA). -The number of checks we have to make to achieve this gives an indication of the complexity of the task. -% -We could term this `comparison~complexity', as it is the number of -paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group. - - -% (except its self of course, that component is already considered to be in a failed state!). -% -Obviously, for a small number of components and failure modes we have a smaller number -of checks to make than for a complicated larger system. -% -We can consider the system as a large {\fg} of components. -We represent the number of components in the {\fg} $G$, by -$ | G | $ -(an indexing and sub-scripting notation to identify particular {\fgs} -within an FMMD hierarchy is given in section~\ref{sec:indexsub}). - -The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}). -We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$ - -If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express -the number of checks required to rigorously examine every -failure mode against all the other components in the system. -We can define this as a function, Comparison Complexity, $CC$, with its domain as the system -or {\fg}, $\FG$, and -its range as the number of checks to perform to satisfy a rigorous FMEA inspection. - -Where $\mathcal{\FG}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by, -\begin{equation} -%$$ - CC:\mathcal{\FG} \rightarrow \mathbb{N}, -%$$ -\end{equation} - -and, where n is the number of components in the system/{\fg}, $|fm(c_i)|$ is the number of failure modes -in component ${c_i}$, is given by - -\begin{equation} -\label{eqn:CC} -%$$ - %%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1) - CC(\FG) = (n-1) \sum_{1 \le i \le n} fm(c_i). -%$$ -\end{equation} - -This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$); -equation~\ref{eqn:CC} becomes - -%$$ -\begin{equation} -\label{eqn:rd2} - CC(\FG) = K.(|\FG|-1). -\end{equation} -%$$ -%Equation~\ref{eqn:rd} can also be expressed as -% -% \begin{equation} -% \label{eqn:rd2} -% %$$ -% CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} . -% %$$ -% \end{equation} -\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy} - -An FMMD Hierarchy will have reducing numbers of functional groups as we progress up the hierarchy. -In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to -all {\fgs} on each level. - -We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level), -defined by - -\begin{equation} -%$$ -g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) . -%$$ -\end{equation} - -Where $L$ represents the number of levels in the FMMD hierarchy, -$|g(\xi)|$ represents the number of functional groups on the level -and $H$ represents an FMMD hierarchy, -we overload the comparison complexity thus: -%$$ -\begin{equation} - \label{eqn:gf} - CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}). -%$$ -\end{equation} - - -\pagebreak[4] -\subsection{Complexity Comparison Examples} - -The potential divider discussed in section~\ref{potdivfmmd} has four failure modes and two components and therefore has $CC$ of 4. -$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$ - -Even considering a $fictitious$ system with just 81 components (with these components -having 3 failure modes each) we would have an $CC$ of - -$$CC(fictitious) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$ - -Ensuring all component failure modes are checked against all other components in a system --- applying FMEA rigorously -- could be termed -Rigorous FMEA (RFMEA). -The computational order for RFMEA would be polynomial ($O(N^2.K)$) (where $K$ is the variable number of failure modes). - -This order may be acceptable in a computational environment: However, the choosing of {\fgs} and the analysis -process are by-hand/human activities. It can be seen that it is practically impossible to achieve -RFMEA for anything but trivial systems. -% -% Next statement needs alot of justification -% -It is the authors belief that FMMD reduces the comparison complexity enough to make -rigorous checking feasible. - - -\pagebreak[4] -%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD} - -\begin{figure} - \centering - \includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png} - % three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385 - \caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$} - \label{fig:three_tree} -\end{figure} - - - -\subsection{Comparing FMMD and RFMEA comparison complexity} - -Because components have variable numbers of failure modes, -and {\fgs} have variable numbers of components it is difficult to -use the general formula for comparing the number of checks to make for -RFMEA and FMMD. -If we were to create an example by fixing the number of components in a {\fg} -and the number of failure modes per component, we can derive formulae -to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to -all components in a system. - -Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), -$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and -$L$ to be the number of levels in the hierarchy of an FMMD analysis. -We can represent the number of failure scenarios to check in a (fixed parameter for $|{\FG}|$ and $|fm(c_i)|$) FMMD hierarchy -with equation~\ref{eqn:anscen}. - -\begin{equation} - \label{eqn:anscen} - \sum_{n=0}^{L} {k}^{n}.k.f.(k-1) -\end{equation} - -The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top -- -there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level. -The number of checks to make for RFMEA is number of components $k$ multiplied by the number of failure modes $f$ -checked against the remaining components in the {\fg} $(k-1)$. - -If, for the sake of example we fix the number of components in a {\fg} to three and -the number of failure modes per component to three, an FMMD hierarchy -would look like figure~\ref{fig:three_tree}. - -\subsection{Worked Example} - -Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis. -Starting at the top, we have a {\fg} with three derived components, each of which has -three failure modes. -Thus the number of checks to make in the top level is $3^0.3.2.3=18$. -On the level below that, we have three {\fgs} each with a -an identical number of checks, $3^1.3.2.3=56$.%{\fg} -On the level below that we have nine {\fgs}, $3^2.3.2.3=168$. -Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}} -{\fgs}). - -If we were to take the system represented in figure~\ref{fig:three_tree}, and -apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC}, -$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $fm(c_n)$ is 3 -and $(|G|-1)$ is 26. -This gives: -$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$. - -In order to get general equations with which to compare RFMEA with FMMD -we can re-write equation~\ref{eqn:CC} in terms of the number of levels -in an FMMD hierarchy. -% -The number of components in the system, is number of components -in a {\fg} raised to the power of the level plus one. -Thus we re-write equation~\ref{eqn:CC} as: - - -\begin{equation} - \label{eqn:fmea_state_exp21} - \sum_{n=1}^{k^{L+1}}.(k^{L+1}-1).f \; , % \\ - %(N^2 - N).f -\end{equation} - -or - -\begin{equation} - \label{eqn:fmea_state_exp22} - k^{L+1}.(k^{L+1}-1).f \;. % \\ - %(N^2 - N).f -\end{equation} - -We can now use equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$) -the two approaches, for the work required to perform rigorous checking. - - -For instance, having four levels -of FMMD analysis, with these fixed numbers, -%(in addition to the top zeroth level) -will require 81 base level components. - -$$ -%\begin{equation} - \label{eqn:fmea_state_exp22} - 3^4.(3^4-1).3 = 81.(81-1).3 = 19440 % \\ - %(N^2 - N).f -%\end{equation} -$$ - -$$ -%\begin{equation} - % \label{eqn:anscen} - \sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720 -%\end{equation} -$$ - -% \subsection{Exponential squared to Exponential} -% -% can I say that ? - -\section{Problems in choosing membership of functional groups} - -\subsection{Side Effects: A Problem for FMMD analysis} -A problem with modularising according to functionality is that we can have component failures that would -intuitively be associated with one {\fg} that may cause unintended side effects in other -{\fgs}. -For instance were we to have a component that on failing $SHORT$ could bring down -a voltage supply rail, this could have drastic consequences for other -functional groups in the system we are examining. - -\pagebreak[3] -\subsubsection{Example de-coupling capacitors in logic circuits} - -A good example of this, are de-coupling capacitors, often used -over the power supply pins of all chips in a digital logic circuit. -Were any of these capacitors to fail $SHORT$ they could bring down -the supply voltage to the other logic chips. - - -To a power-supply, shorted capacitors on the supply rails -are a potential source of the symptom, $SUPPLY\_SHORT$. -In a logic chip/digital circuit {\fg} open capacitors are a potential -source of symptoms caused by the failure mode $INTERFERENCE$. -So we have a `symptom' of the power-supply, and a `failure~mode' of - the logic chip to consider. - -A possible solution to this is to include the de-coupling capacitors -in the power-supply {\fg}. -% decision, could they be included in both places ???? -% I think so - - -Because the capacitor has two potential failure modes (EN298) -this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to -a power-supply module (but there might be additional noise on its output rails). -But in {\fg} terms the power supply, now has a new symptom that of $INTERFERENCE$. - -Some logic chips are more susceptible to $INTERFERENCE$ than others. -A logic chip with de-coupling capacitor failing, may operate correctly -but interfere with other chips in the circuit. - -There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}. -This allows for the general principle of a component failure affecting more than one {\fg} in a circuit. -This allows functional groups to share components where necessary. -This does not break the modularity of the FMMD technique, because, as {\irl} -one component failure may affect more than one sub-system. -It does uncover a weakness in the FMMD methodology though. -It could be very easy to miss the side effect and include -the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. - - - -\section{Double Simultaneous Failures} - -The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low. -However, some critical systems have to consider these type of eventualities. -The burner control industry has to consider double failures, as specified in European Norm -EN298~\cite{en298}. EN298 does not specifically state that -double simultaneous failures must be considered. What it does say is that -in the event of a lockout---a condition where an error has been detected and -the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition. -% -This is slightly vague: there are so many possible component failures that could -cause a secondary failure, that it is very difficult not to interpret this -as meaning we have to cater for double simultaneous failures for the most critical sections -of a burner control system. -% -In practise---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel -is not allowed to flow under an error condition. This would of course leave the possibility of -other more complex double failures tricking the controller into thinking the -combustion was actually safe when it was not. -% -It would be impractical to -perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller. - -It has been shown that, for all but trivial small systems, double failure mode checking -is impossible from a practical perspective. -FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature -of choosing {\fgs} we will not (in the initial stages) be cross checking all possible -combinations of double failures in all the components. - -The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks -to model failure mode scenarios. The failure scenario is defined by the contours that enclose it. -Consider a system which has four components $c_1 \ldots c_4$. -Consider that each of these components may fail in two ways: $a$ and $b$, i.e $fm(c_1) = fm(c_2) = \{a,b\}$. -Now consider two {\fgs}, $fg1 = \{ c_1, c_2 \}$ and $fg2 = \{ c_3, c_4 \}$. - -We list all the possible failure scenarios as $FS1 \ldots FS6$ for each functional group. -For instance $FS5$ is the result of component $c_2$ failing with failure mode $a$ and component $c_1$ failing -with failure mode $b$. We can express this as $c_2 a \cup c_1 b$. - - -\begin{figure}[h] - \centering - \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/dubsim1.png} - % dubsim1.png: 612x330 pixel, 72dpi, 21.59x11.64 cm, bb=0 0 612 330 - \caption{Simultaneous Failure Mode Scenarios} - \label{fig:dubsim1} -\end{figure} - - - -From figure~\ref{fig:dubsim1} we can see that the double failure modes within the {\fgs} have been examined. -How do we model the double failures that occur across the {\fgs}, for instance -$c_4 a \cup c_1 a$. -It could be argued that because functional groups are chosen for their functionality, and re-usability -that component failures in one should not affect a different {\fg}, but this is a weak argument. -Merely double checking within {\fgs} would be marginally better than -only applying it to the most obvious critical elements of a system. - -What is really required is a way that all double simultaneous failures -are checked. - -One way of doing this is to apply double failure mode -checking to all {\fgs} higher up in the hierarchy. - -This guarantees to check the symptoms caused by the -failure modes in the other {\fgs} with the symptoms -derived from the other {\fgs} modelling for double failures. -% -By traversing down the tree we can automatically determine which -double simultaneous combinations have not been resolved. -% -By applying double simultaneous checking until no single failures -canlead to a top level event, we -double failure move coverage. - -To extend the example in figure~\ref{fig:dubsim1} we can map the failure -scenarios. -For Functional Group 1 (FG1), let us map: -\begin{eqnarray*} - FS1 & \mapsto & S1 \\ - FS2 & \mapsto & S3 \\ - FS3 & \mapsto & S1 \\ - FS4 & \mapsto & S2 \\ - FS5 & \mapsto & S2 \\ - FS6 & \mapsto & S3 -\end{eqnarray*} - -Thus a derived component, DC1, has the failure modes defined by $fm(DC1) = \{ S1, S2, S3 \}$. - - -For Functional Group 2 (FG2), let us map: -\begin{eqnarray*} - FS1 & \mapsto & S4 \\ - FS2 & \mapsto & S5 \\ - FS3 & \mapsto & S5 \\ - FS4 & \mapsto & S4 \\ - FS5 & \mapsto & S6 \\ - FS6 & \mapsto & S5 -\end{eqnarray*} - -%This AUTOMATIC check can reveal WHEN double checking no longer necessary -%in the hierarchy to cover dub sum !!!!! YESSSS \section{Example Analysis: Non-Inverting OPAMP} Consider a non inverting op-amp designed to amplify @@ -2198,3 +1619,913 @@ there are more {\dcs} and this increases the possibility of re-use. The more we can modularise, the more we decimate the $O(N^2)$ effect of complexity comparison. + + +\section{PT100 Analysis: Double failures and MTTF statistics} +{ +This section shows a practical example of +one `symptom~abstraction' stage in the FMMD process. +We take a functional group of base components, +and using their failure modes, analyse the circuit +to find failure symptoms. +These failure symptoms are used to define +a derived component. +% +An industry standard temperature measurement circuit, +the PT100 is described and then analysed using the FMMD methodology. +A derived component, representing this circuit is then presented. + + +The PT100, or platinum wire \ohms{100} sensor is +a widely used industrial temperature sensor that is +slowly replacing the use of thermocouples in many +industrial applications below 600\oc, due to high accuracy\cite{aoe}. + +This section looks at the most common configuration, the +four wire circuit, and analyses it from an FMEA perspective twice. +Once considering single faults (cardinality constrained powerset of 1) and then again, considering the +possibility of double faults (cardinality constrained powerset of 2). + +The section is performed using Propositional Logic +diagrams to assist the reasoning process. +This chapter describes taking +the failure modes of the components, analysing the circuit using FMEA +and producing a failure mode model for the circuit as a whole. +Thus after the analysis the PT100 temperature sensing circuit, may be viewed +from an FMEA perspective as a component itself, with a set of known failure modes. +} + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png} + % pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{PT100 four wire circuit} + \label{fig:pt100} +\end{figure} + + +\section{General Description of PT100 four wire circuit} + +The PT100 four wire circuit uses two wires to supply small electrical current, +and returns two sense voltages by the other two. +By measuring voltages +from sections of this circuit forming potential dividers, we can determine the +resistance of the platinum wire sensor. The resistance +of this is directly related to temperature, and may be determined by +look-up tables or a suitable polynomial expression. + + +\begin{figure}[h] + \centering + \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} + % pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 + \caption{PT100 expected voltage ranges} + \label{fig:pt100vrange} +\end{figure} + + +The voltage ranges we expect from this three stage potential divider\footnote{ +two stages are required for validation, a third stage is used to measure the current flowing +through the circuit to obtain accurate temperature readings} +are shown in figure \ref{fig:pt100vrange}. Note that there is +an expected range for each reading, for a given temperature span. +Note that the low reading goes down as temperature increases, and the higher reading goes up. +For this reason the low reading will be referred to as {\em sense-} +and the higher as {\em sense+}. + +\subsection{Accuracy despite variable \\ resistance in cables} + +For electronic and accuracy reasons a four wire circuit is preferred +because of resistance in the cables. Resistance from the supply + causes a slight voltage +drop in the supply to the PT100. As no significant current +is carried by the two `sense' lines, the resistance back to the ADC +causes only a negligible voltage drop, and thus the four wire +configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across +the thermistor and not the voltage across the thermistor and current supply wire resistance.}. + +\subsection{Calculating Temperature from \\ the sense line voltages} + +The current flowing though the +whole circuit can be measured on the PCB by reading a third +sense voltage from one of the load resistors. Knowing the current flowing +through the circuit +and knowing the voltage drop over the PT100, we can calculate its +resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$. +Thus a little loss of supply current due to resistance in the cables +does not impinge on accuracy. +The resistance to temperature conversion is achieved +through the published PT100 tables\cite{eurothermtables}. +The standard voltage divider equations (see figure \ref{fig:vd} and +equation \ref{eqn:vd}) can be used to calculate +expected voltages for failure mode and temperature reading purposes. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png} + % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 + \caption{Voltage Divider} + \label{fig:vd} +\end{figure} +%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. + +\begin{equation} +\label{eqn:vd} + V_{out} = V_{in}.\frac{Z2}{Z2+Z1} +\end{equation} + +\section{Safety case for 4 wire circuit} + +This sub-section looks at the behaviour of the PT100 four wire circuit +for the effects of component failures. +All components have a set of known `failure modes'. +In other words we know that a given component can fail in several distinct ways. +Studies have been published which list common component types +and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}. +Thus for each component, an analysis is made for each of its failure modes, +with respect to its effect on the +circuit. Each one of these scenarios is termed a `test case'. +The resultant circuit behaviour for each of these test cases is noted. +The worst case for this type of +analysis would be a fault that we cannot detect. +Where this occurs a circuit re-design is probably the only sensible course of action. + +\fmodegloss + +\subsection{Single Fault FMEA Analysis \\ of PT100 Four wire circuit} + +\label{fmea} +The PT100 circuit consists of three resistors, two `current~supply' +wires and two `sensor' wires. +Resistors according to the European Standard EN298:2003~\cite{en298}[App.A] +, are considered to fail by either going OPEN or SHORT circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, +and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. +%Should wires become disconnected these will have the same effect as +%given resistors going open. +For the purpose of this analyis; +$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, +$R_3$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground. + +We can define the terms `High Fault' and `Low Fault' here, with reference to figure +\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone +in the diagram we can consider this a fault. +Should the reading be above its expected range this is a `High Fault' +and if below a `Low Fault'. + +Table \ref{ptfmea} plays through the scenarios of each of the resistors failing +in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. +The range {0\oc} to {300\oc} will be analysed using potential divider equations to +determine out of range voltage limits in section \ref{ptbounds}. + +\begin{table}[ht] +\caption{PT100 FMEA Single Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + $R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline +$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline + \hline +$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline + $R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline +\hline +$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\ + $R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline +\hline +\end{tabular} +\label{ptfmea} +\end{table} + +From table \ref{ptfmea} it can be seen that any component failure in the circuit +should cause a common symptom, that of one or more of the values being `out of range'. +Temperature range calculations and detailed calculations +on the effects of each test case are found in section \ref{pt100range} +and \ref{pt100temp}. + +%\paragraph{Consideration of Resistor Tolerance} +% +%The separate sense lines ensure the voltage read over the PT100 thermistor are not +%altered due to having to pass any significant current. +%The PT100 element is a precision part and will be chosen for a specified accuracy/tolerance range. +%One or other of the load resistors (the one we measure current over) should also +%be of this accuracy. +% +%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient +%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to +%a narrow temperature range anyway, being mounted on a PCB. +%\glossary{{PCB}{Printed Circuit Board}} +%To calculate the resistance of the PT100 element % (and thus derive its temperature), +%having the voltage over it, we now need the current. +%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop. +%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables). +%We can calculate the current by reading +%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the PT100 we need the current flowing though it. +%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} +%As these calculations are performed by ohms law, which is linear, the accuracy of the reading +%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +%take the mean square error of these accuracy figures. + +\subsection{Range and PT100 Calculations} +\label{pt100temp} +PT100 resistors are designed to +have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. +A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} +for a given application. +According to the Eurotherm PT100 +tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100} +and \ohms{212.02} respectively. From this the potential divider circuit can be +analysed and the maximum and minimum acceptable voltages determined. +These can be used as bounds results to apply the findings from the +PT100 FMEA analysis in section \ref{fmea}. + +As the PT100 forms a potential divider with the \ohms{2k2} load resistors, +the upper and lower readings can be calculated thus: + + +$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$ +So by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds we can be confident that none of the +resistors in this circuit has failed. + +To convert these to twelve bit ADC (\adctw) counts: + +$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$ +$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$ + + +\begin{table}[ht] +\caption{PT100 Maximum and Minimum Values} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|c|l|l||} +\hline \hline + \textbf{Temperature} & \textbf{PT100 resistance} & +\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\ +\hline +% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\ +% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline + {0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\ + & & 2002\adctw & 2094\adctw & out of range LOW \\ \hline + {+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\ + & & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline +\hline +\end{tabular} +\label{ptbounds} +\end{table} + +Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that +for any single error (short or opening of any resistor) this bounds check +will detect it. + + + +\paragraph{Consideration of Resistor Tolerance.} +% +The separate sense lines ensure the voltage read over the PT100 thermistor is not +altered by to having to pass any significant current. The current is supplied +by separate wires and the resistance in those are effectively cancelled +out by considering the voltage reading over $R_3$ to be relative. +% +The PT100 element is a precision part and will be chosen for a specified accuracy/tolerance range. +One or other of the load resistors (the one we measure current over) should +be of a specified accuracy. +% +The \ohms{2k2} loading resistors should have a good temperature co-effecient +(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). +% +To calculate the resistance of the PT100 element % (and thus derive its temperature), +knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop. +% +Lets use, for the sake of example $R_2$ to measure the current. +% +We can calculate the current $I$, by reading +the voltage over the known resistor $R_2$ and using ohms law\footnote{To calculate the resistance of the PT100 we need the current flowing though it. +We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, +and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use ohms law again to calculate +the resistance of $R_3$. +% +As ohms law is linear, the accuracy of the reading +will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to +take the mean square error of these accuracy figures. + + +\section{Single Fault FMEA Analysis \\ of PT100 Four wire circuit} + +\subsection{Single Fault Modes as PLD} + +The component~failure~modes in table \ref{ptfmea} can be represented as contours +on a PLD diagram. +Each test case, is defined by the contours that enclose +it. The test cases here deal with single faults only +and are thus enclosed by one contour each. + + +\fmodegloss + + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/pt100_tc.png} + % pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{PT100 Component Failure Modes} + \label{fig:pt100_tc} +\end{figure} + +%ating input Fault +This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings. +To establish the valid voltage ranges for these, and knowing our +valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate +valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd} +for the circuit shown in figure \ref{fig:vd}. + +% +%\begin{figure}[h] +% \centering +% \includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./pt100/voltage_divider.png} +% % voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170 +% \caption{Voltage Divider} +% \label{fig:vd} +%\end{figure} +%%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used. +% +%\begin{equation} +%\label{eqn:vd} +% V_{out} = V_{in}.\frac{Z2}{Z2+Z1} +%\end{equation} +% + + +\subsection{Proof of Out of Range \\ Values for Failures} +\label{pt110range} +Using the temperature ranges defined above we can compare the voltages +we would get from the resistor failures to prove that they are +`out of range'. There are six test cases and each will be examined in turn. + +\subsubsection{ TC 1 : Voltages $R_1$ SHORT } +With pt100 at 0\oc +$$ highreading = 5V $$ +Since the highreading or sense+ is directly connected to the 5V rail, +both temperature readings will be 5V.. +$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$ +With pt100 at the high end of the temperature range 300\oc. +$$ highreading = 5V $$ +$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$ + +Thus with $R_1$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\subsubsection{ TC 2 : Voltages $R_1$ OPEN } + +In this case the 5V rail is disconnected. All voltages read are 0V, and +therefore both readings are outside the +proscribed range in table \ref{ptbounds}. + + +\subsubsection{ TC 3 : Voltages $R_2$ SHORT } + +With pt100 at 0\oc +$$ lowreading = 0V $$ +Since the lowreading or sense- is directly connected to the 0V rail, +both temperature readings will be 0V. +$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$ +With pt100 at the high end of the temperature range 300\oc. +$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$ + +Thus with $R_2$ shorted both readings are outside the +proscribed range in table \ref{ptbounds}. + +\subsubsection{ TC 4 : Voltages $R_2$ OPEN } +Here there is no potential divider operating and both sense lines +will read 5V, outside of the proscribed range. + + +\subsubsection{ TC 5 : Voltages $R_3$ SHORT } + +Here the potential divider is simply between +the two 2k2 load resistors. Thus it will read a nominal; +2.5V. + +Assuming the load resistors are +precision components, and then taking an absolute worst case of 1\% either way. + +$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ + +$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$ + +These readings both lie outside the proscribed range. +Also the sense+ and sense- readings would have the same value. + +\subsubsection{ TC 6 : Voltages $R_3$ OPEN } + +Here the potential divider is broken. The sense- will read 0V and the sense+ will +read 5V. Both readings are outside the proscribed range. + +\subsection{Summary of Analysis} + +All six test cases have been analysed and the results agree with the hypothesis +put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the +symptoms. In this case there is a common and easily detected symptom for all these single +resistor faults : Voltage out of range. + +A spider can be drawn on the PLD diagram to this effect. + +In practical use, by defining an acceptable measurement/temperature range, +and ensuring the +values are always within these bounds we can be confident that none of the +resistors in this circuit has failed. + + +\begin{figure}[h] + \centering + \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/pt100_tc_sp.png} + % pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 + \caption{PT100 Component Failure Modes} + \label{fig:pt100_tc_sp} +\end{figure} + + +\subsection{Derived Component : The PT100 Circuit} +The PT100 circuit can now be treated as a component in its own right, and has one failure mode, +{\textbf OUT\_OF\_RANGE}. It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/pt100_singlef.png} + % pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{PT100 Circuit Failure Modes : From Single Faults Analysis} + \label{fig:pt100_singlef} +\end{figure} + + +%From the single faults (cardinality constrained powerset of 1) analysis, we can now create +%a new derived component, the {\empt100circuit}. This has only \{ OUT\_OF\_RANGE \} +%as its single failure mode. + + +%Interestingly we can calculate the failure statistics for this circuit now. +%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ??? +\clearpage +\subsection{Mean Time to Failure} + +Now that we have a model for the failure mode behaviour of the pt100 circuit +we can look at the statistics associated with each of the failure modes. + +The DOD electronic reliability of components +document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating +the +%$\frac{failures}{{10}^6}$ +${failures}/{{10}^6}$ % looks better +in hours for a wide range of generic components +\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F +can give conservative reliability figures when applied to +modern components}. + +Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor +failure statistics we calculate the reliability of this circuit. + + +\subsubsection{Resistor FIT Calculations} + +The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor +is reproduced in equation \ref{resistorfit}. The meanings +and values assigned to its co-efficients are described in table \ref{tab:resistor}. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + +\fmodegloss + +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E + \label{resistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Fixed film resistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + ${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:resistor} +\end{table} + +Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor} +give the following failures in ${10}^6$ hours: + +\begin{equation} + 0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours} + \label{eqn:resistor} +\end{equation} + +While MIL-HDBK-217F gives MTTF for a wide range of common components, +it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}. +%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses. +% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011 +This example +compromises and uses a 90:10 ratio, for resistor failure. +Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED +in the other 10\%. +A standard fixed film resistor, for use in a benign environment, non military spec at +temperatures up to 60\oc is given a probability of 13.8 failures per billion ($10^9$) +hours of operation (see equation \ref{eqn:resistor}). +This figure is referred to as a FIT\footnote{FIT values are measured as the number of +failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the +FIT number the more reliable the fault~mode} Failure in time. + +The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in +equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}. + +\begin{equation} +% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E +resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E + \label{thermistorfit} +\end{equation} + +\begin{table}[ht] +\caption{Bead type Thermistor Failure in time assessment} % title of Table +\centering % used for centering table +\begin{tabular}{||c|c|l||} +\hline \hline + \em{Parameter} & \em{Value} & \em{Comments} \\ + & & \\ \hline \hline + ${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline + %${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline + %${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline + ${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline + ${\pi}_E$ & 1.0 & benign ground environment\\ \hline + +\hline \hline +\end{tabular} +\label{tab:thermistor} +\end{table} + + +\begin{equation} + 0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours} + \label{eqn:thermistor} +\end{equation} + + +Thus thermistor, bead type, non military spec is given a FIT of 315.0 + +Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}), +showing the FIT values for all faults considered. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + + + +\begin{table}[h+] +\caption{PT100 FMEA Single // Fault Statistics} % title of Table +\centering % used for centering table +\begin{tabular}{||l|c|c|l|l||} +\hline \hline + \textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\ + \textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\ +% R & wire & res + & res - & description +\hline +\hline +TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline +TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline + \hline +TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline +TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline +\hline +TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\ +TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline +\hline +\end{tabular} +\label{tab:stat_single} +\end{table} + +The FIT for the circuit as a whole is the sum of MTTF values for all the +test cases. The PT100 circuit here has a FIT of 342.6. This is a MTTF of +about 360 years per circuit. + +A Probablistic tree can now be drawn, with a FIT value for the PT100 +circuit and FIT values for all the component fault modes that it was calculated from. +We can see from this that that the most likely fault is the thermistor going OPEN. +This circuit is around 10 times more likely to fail in this way than in any other. +Were we to need a more reliable temperature sensor this would probably +be the fault~mode we would scrutinise first. + + +\begin{figure}[h+] + \centering + \includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png} + % stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327 + \caption{Probablistic Fault Tree : PT100 Single Faults} + \label{fig:stat_single} +\end{figure} + + +The PT100 analysis presents a simple result for single faults. +The next analysis phase looks at how the circuit will behave under double simultaneous failure +conditions. + +\clearpage +\section{ PT100 Double Simultaneous \\ Fault Analysis} + +In this section we examine the failure mode behaviour for all single +faults and double simultaneous faults. +This corresponds to the cardinality constrained powerset of +the failure modes in the functional group. +All the single faults have already been proved in the last section. +For the next set of test cases, let us again hypothesise +the failure modes, and then examine each one in detail with +potential divider equation proofs. + +Table \ref{tab:ptfmea2} lists all the combinations of double +faults and then hypothesises how the functional~group will react +under those conditions. + +\begin{table}[ht] +\caption{PT100 FMEA Double Faults} % title of Table +\centering % used for centering table +\begin{tabular}{||l|l|c|c|l|l||} +\hline \hline + \textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\ + \textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\ +% R & wire & res + & res - & description +\hline +\hline + TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline + TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline +\hline + TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline + TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline +\hline + + TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline +TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline +\hline + TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline + +\hline + TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline +TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline +TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline +TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline +\hline +\end{tabular} +\label{tab:ptfmea2} +\end{table} + +\subsection{Verifying complete coverage for a \\ cardinality constrained powerset of 2} + +\fmodegloss + + +It is important to check that we have covered all possible double fault combinations. +We can use the equation \ref{eqn:correctedccps2} +\ifthenelse {\boolean{paper}} +{ +from the definitions paper +\ref{pap:compdef} +, +reproduced below to verify this. + +\indent{ + where: + \begin{itemize} + \item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes. + \item The indexed set $C_j$ represents all components in set $SU$. + \item The function $FM$ takes a component as an argument and returns its set of failure modes. + \item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults. + \end{itemize} +} +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + \label{eqn:correctedccps2} +\end{equation} + +} +{ +\begin{equation} + |{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}} +- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} } + %\label{eqn:correctedccps2} +\end{equation} +} + + +$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes. + +% +% Factorial of zero is one ! You can only arrange an empty set one way ! + +Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2. +%is always 2 for this circuit, as all the components are resistors and have two failure modes. + +\begin{equation} + |{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}} +- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} } + %\label{eqn:correctedccps2} +\end{equation} + +$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check +under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time). + +Expanding the sumations + + +$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$ + +$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$ + +As the test case are all different and are of the correct cardinalities (6 single faults and (15-3) double) +we can be confident that we have looked at all `double combinations', of the possible faults +in the pt100 circuit. The next task is to investigate +these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. + + +\subsection{Proof of Double Faults Hypothesis } + +\subsubsection{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } +\label{pt100:bothfloating} +This double fault mode produces an interesting symptom. +Both sense lines are floating. +We cannot know what the {\adctw} readings on them will be. +In practise these would probably float to low values +but for the purpose of a safety critical analysis +all we can say is the values are `floating' and `unknown'. +This is an interesting case, because it is, at this stage an undetectable +fault that must be handled. + + +\subsubsection{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT } + +This cuts the supply from Vcc. Both sense lines will be at zero. +Thus both values will be out of range. + + +\subsubsection{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN } + +Sense- will be floating. +Sense+ will be tied to Vcc and will thus be out of range. + +\subsubsection{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT } + +This shorts ground to the +both of the sense lines. +Both values thuis out of range. + +\subsubsection{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN } + +This shorts both sense lines to Vcc. +Both values will be out of range. + + +\subsubsection{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + + + + + + + + + +\subsubsection{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN } + +This shorts the sense+ to Vcc and the sense- to ground. +Both values will be out of range. + +\subsubsection{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +\subsubsection{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN } + +This shorts the sense+ to Vcc and causes sense- to float. +The sense+ value will be out of range. + + +\subsubsection{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + + + + + +\subsubsection{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN } + +This shorts the sense- to Ground. +The sense- value will be out of range. + + +\subsubsection{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT } + +This shorts the sense+ and sense- to Vcc. +Both values will be out of range. + +\clearpage +\subsection{Double Faults Represented on a PLD Diagram} + +We can show the test cases on a diagram with the double faults residing on regions +corresponding to overlapping contours see figure \ref{fig:plddouble}. +Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour. + + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{PT100 Double Simultaneous Faults} + \label{fig:plddouble} +\end{figure} + +We use equation \ref{eqn:correctedccps2} to verify complete coverage for +a given cardinality constraint is not visually obvious. +% +From the diagram it is easy to verify +the number of failure modes considered for each test case, but +not that all for a given cardinality constraint have been included. + +\subsubsection{Symptom Extraction} + +We can now examine the results of the test case analysis and apply symptom abstraction. +In all the test case results we have at least one out of range value, except for +$TC\_7$ +which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$, +into the symptom $OUT\_OF\_RANGE$. +As a symptom $TC\_7$ could be described as $FLOATING$. We can thus draw a PLD diagram representing the +failure modes of this functional~group, the pt100 circuit from the perspective of double simultaneous failures, +in figure \ref{fig:pt100_doublef}. + + +\begin{figure}[h] + \centering + \includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png} + % plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641 + \caption{PT100 Double Simultaneous Faults} + \label{fig:plddoublesymptom} +\end{figure} + + +\clearpage +\subsection{Derived Component : The PT100 Circuit} +The PT100 circuit again, can now be treated as a component in its own right, and has two failure modes, +{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. +It can now be represented as a PLD see figure \ref{fig:pt100_doublef}. + +\begin{figure}[h] + \centering + \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/pt100_doublef.png} + % pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 + \caption{PT100 Circuit Failure Modes : From Double Faults Analysis} + \label{fig:pt100_doublef} +\end{figure} + +\subsection{Statistics} + +%% +%% Need to talk abou the `detection time' +%% or `Safety Relevant Validation Time' ref can book +%% EN61508 gives detection calculations to reduce +%% statistical impacts of failures. +%% + +If we consider the failure modes to be statistically independent we can calculate +the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition +requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF +together and find an MTTF for both failing. The FIT value of 12.42 corresponds to +$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $. +This is an astronomically small MTTF, and so small that it would +probably fall below a threshold to sensibly consider. +However, it is very interesting from a failure analysis perspective, +because here we have found a fault that we cannot detect at this +level. This means that should we wish to cope with +this fault, we need to devise a way of detecting this +condition in higher levels of the system. +\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}} + + + + +\vspace{20pt} + +%typeset in {\Huge \LaTeX} \today diff --git a/submission_thesis/CH5_Examples/plddouble.dia b/submission_thesis/CH5_Examples/plddouble.dia new file mode 100644 index 0000000000000000000000000000000000000000..5b11cc53c2a10a112dc934596ecc5c9b4d79ebf0 GIT binary patch literal 2347 zcmV+`3DouF8Z{yXlI`TIo3F8 zWjT3n?Mwl_bWp5EWzqv~Omx61}q z-Dad)v_7g<<Q+cuj5T;=B4#}n!YKTZnKM<<*GER zv=29Xs~l;^{@z+=z1GUCRL?Iy{f&L{o3wu8sjWjBdQ_xcv!d< zoL0r5tuO1gx8@)EX})`O9KD}D9_R+&+R@X)OclJ~Z$CZEZ_8P+dckJ9>l|t6dcE4| zOMAV$-fMS^f2(t{b`n+oP&Di2|NeBE9<2}XnmD8Usx9vxm$vrFa{6a+)vi1HN1NBP zyqS%D9Q|5V<&BB-r#!@DA?56R{5jj*Vcjm81`P}M_SnsGV=Ia%pKv63cQ@=qX?7i`zXj*INVr7@QFrJM|Bp#PJ~%=aq~Z>C}VLg7S=ED*v4a| z2Y4xa#FdImFX}|71DN?=B1|JwET~&xv5m!OxWyDRR8c4+Q9UL#x5m=uEU8gu76?W} z#&ua>&%kCIo3S2jCMJZK(^*uPDQrcsuqMOie~y@l?6IJ3fyFi! z-#*+#MYNWQMzXDj--+hwvY8dlOI^zle$-*wXbJqzuvuL%?=KHr`FO>&XxxC2p#g(4 za}u_GW-(*Ns$i#bW=0m;2vTAOHZcPyxMLqNb`;&RGhq-rA+e)^V~5!RdF;?(h$|mC z%8dMN;7A-bZ~}Yv;o^p7W(2TpWesr?5;rF7Gh&Xvh<(nnBG{dC%&=CA38j%|14DcD5d%lc?Z8nGI6;9E zd_|Bblu0*mj~O_2KHCpE&L~FQ2-?_*8ajdf`iP+;_;%<(#mcYOKBZ=Zkv za-{6@nOdo1g?G!kJtSz~AAQXiW%XdTE3a4M(W-s0MLhdxUoD$DS!N&ayC}yejAQqBwjsi~4r4-jlCXIanR`wz#-+ zo79brr%j>5Ac^*XBwGZ7&9I*GxLESVHo{#@BA7T)s$?2q`uy)-{{>tcfJ=wm2y9A` zP2rUk5@i+{Dk_+a2*uRM5Gp7>^PPqPb+R`=%5~}_;SwFd>3Kf_oKl1n>*40o zAyOwRvzVbU|0*+F|k>~?Q_S}RKSFw@g@66ODTe4VE7!#{2CDTc8i2#>|;L-s%0-I7~ zlk9;_%#5!%5-Kj4yh^5Ax}@!cg3O|#iR4QZxHJHl_MHe+N|8#c2P)a;S7L24m$+D3 z%V24^B+MV;7BxwPOANR)0GAGU5x|rpm~;64S=P6Cjylcq!P_~ppva>v)4d$Tr4>miG+4sBAPf=#uDL@04@!{r2}3BFr^5l z@bYhL*kDsvb?I^`?3B9L zsKmCv zJF?`WXgj{lZ{G$e+peH;M%HsI4%186;Jbynv&QAV3Ef<&b z>9{^?b>7KhwkSte+3fxJ?RWngAFeKQ_~1H^T>BzB&5z4G`*ZuHDZZ@T<vSb#wlB_7Vjt-sRhgZpc>ebKE(s`IQoE#^%-SU0n} zA{a4@F{}(}jip*>xUG|yn>!xX+-z8L<*??8<t{YpYdxneT3A zd6LagVviN8Ln*!&Rke8H`+v`7%jXoJ{`k(@Uh280Wifr+aUYzqw=d>ZZ4L}^StL)O#RVDW9?1MvYWhIUH+f<&Gcw>gIB~^tA)k!fAf=SRlMJ; zY(CA(>FC|)(`;5;pl{zt9vF8N)A!>q^kEfk778zj^lQ}7#o|s#oN##{iI$rMZ(?Jc zf#c)N>z7!HY<@b+?`${|6K;q)u)7(`XZiWj$)cP$LxTQF!_2kpu4b`k_VP(8&p{gyb~d>sGF$ zu{({i9^hr%9XBQ{y|_2RJ;3m1O@IfcSf^qoiQP$zcbAwENEJgU3#u_~r4yFLR?-rR z2Mh?)VO7?#WJzXsG7~+>OdT+W%~?>D8E{5GIgtVWEQwHoHP)$ENn&>rlU*ey@Qx!^ z6cHgKGC`=Stq3PF?hagh7E)!MOO|AICo|PmW|G(gMr6qTq$EZ<8xu>!0S7z^sjhAX zdX}_^kn6XbnSjzlZ)EG%U`I3`FUo0NK2zVOeEjw;yb3Z?+Di+5A8aF zNK<=`!JfZ!91TGor(>!1&Tlxy9>BVkZStEgeq%fP4R-&8M{`KOSq)?mE+^OrRKmA8 zHfUF%Yr*!>bx_2q$?0ugqw|az!~3s7w>i!T_%;W-wN@Q)9(XjcYpM3pakO4{9FrWU zljC%r5oCr??K|!v9mkDl*PV_D2O`m+^PQls)3IFp=sHTSyH4_)r#r zU%zch^n4^cYFnz^VqUcwbf1sDXXnN22ESJ}Uyeu1>c*w|5f-fNa8&p$tA%6cI&wei={f*M)}Dk2Fx4fM#llBFaP=UIdN$KF14vK zu_;D2bGggRuHpkP8H95|X`TydDxMp1#3Tf6^gN=ypQq!tw>AjJqI*+;N+0D=UM zlw8WFmURbCN@r5iD0*-#_27n!ls2W9s1zfWR6kTQLr_WIQVE3i3CGc3DfQomqmoHf zik?ck2P$!wFRsEu$=jgyShvDZ36FFfgWWuZN`paZQ;CU5F*3>Yz$D=o7ns12k~hNY zNQt{hiD_h1BveX~(m+sZNHI|kYB+HZC%-|9 z51jz-OmvEoPP~VOj|#$vPH0Bjwb02efYhtdNvA2g1gFRKnBWv6oJ0?c zONR)ZoSF5|i9>9mQ<|$Ah)yPjPOpVd-E+VNVFxMAN z{RPh1*+OHCyvD#b`8(*u><{*_=catVv2 zl^M{;C53OyA6ga(mqg;y09L0#b}X5Y&)*S*y=LWA)vdrNuTgV1P0gb7D6;>dKzksr(n3M1nO2854| zbUk(i(Zoh6dwT#HZD=sDC`K099`<^(GI(&bvQmdf%x{$wSA3Kbw};r|t*OLBr3k4c zXiroU>koMk1tm@-y@!$@ESfMWWo-`yr3XSxOp1|7-E+3(0C`AqEe}Z(!Q)Cpf|Rfw zo=7s~A-xJ9u^xaVeD;S7OC)cEOHU-u>((%uj+;qD8h}U*9VR6Gtw^emXW30&`op`U zmA%jT^{75Z99e)c5ZXUFt=J zy)3WtqiM0kYCXxD)qRVlcZdh0nWD;q5>(nl}8^HU3q6c9CCd?%lbL&Nq?}0_%R>aml)xGQ?$$tN3-$U}M z^81?weS#<$C73fKEN2siU2LU|%T;7@*Dd~DAo|S$ww=T4?Aq8-53Z`UP^dx;z_l>1 zPx779Bi$q2J>Y^qC4dphxJEOsYFu=~w0md(5Q^`CHQ!dk*7yeMoq3~=aKI&4D9{{* zs3>*p<#cn>lNopgqQth0ozqCz;EgaYS-2$DSt@i zo9>UTavTnfdn1i@x~E1v-AgYrOQeP1xZf;Z`$o3z+lc5f z!-LxB0IauwRy^yak8!k>#?R_AYJ!WtQNs3pQYD66ZV=t<>W4}DLuy~rzT%wVzz1%f z_<N&OM1zjLaDCRSiz>yQV`gdEq=1S^JNSiw>9 zRJk-R0PCltSny$;t;K9{7VO~~_brWyet3sTYk)~(nP6JWy>fuNN}115C@AY?qq=T? zGde>*aMNBe9#sps3-)+)|6BL*hN;Fy`|-BUc>tZY^}NQ0y5wy)ZD8@9*V6{fZ5=2G zr6PE@x~+^`dLgk-8c>4aBBe?iP)1qJSoAJN|6Uj4-5WF^g4Xm6ptTpXd8Q%0Lj$QX+xuuv^w7T4o0|vD#pm^!MT74?j-yI=-NUYv zBrj=QHcQxg5|v%@?e?gF(V#dJlnJX82)^rx+&;@*_Aq?KT>q8_UKnQ#bI(KdH8XL! zl?v>Ef2h13VEn34#5Upk;k4Mh?u>xY>OL=$y*|yWUM49*r`$;iZrBLigX^6Fjr7lJ zVO$O|NAdW4w95!IR{O0Mt>UjC{YYSaOU*ziDb(xB#gMvta8EUG<`*P$2%33^&8<-N zGe9IvP;7<@>yE8rGI(&`Ud;ByRKM;h`ZxzWQ`nQ%hGUR#wWO~w&M`gYS)1TXZ4s-| zs5*K!Y623wv*5#fYe9rhv^I@3oGq&uRJ}t%QvLp`-uAJYQx39vN@(ruXndczZZ6i6 z6C>vqLhHV*jIC>&{e*c^{$446%eq0;eRBmt^zKVao~L_fLJH8+V%+BXo`l-5WhA-##>G~#{uXlTW zGh0lsNpXL((WIgu`u(KMveg0`<(Kc@{Vd;=x3qlYv9HjLRthPu)A{8j-;{%6Gc5-K z5(@x07|L14j5PdVOkOVTyj^kAcE!!x6*pO&-OT32Je?GqBF|^DX_n@t)M9>{?Js9B zN~Z|1ZEDrf;$l)1vuE!ABAqUFQJ{SL>(lnqC--tb8E=1ZS6Wo`@_8~YuFk$h8m_YU z`$)atO%{{$X%@QsNnSM8{e3gtug{KW@5eu{iH5SbO7k$bnab45&BNvGWSlLYf!S)C zik_~P%}$;h_4RhU4ovyhnz8mGrs;h)Uv~fD(M-)vMY zmHl^-=Hqle?j83&W?zc_6DOqKn~YEU|6r@5wXPrbhD5kATsO0?m|}@l1A)KR$6%8| zssx;$ulGMk71I22nyttHrG_ez(x`z>B!fLg7Bmviz>-*S-!|tE{@BK;|hmk%TroK`LnzT-4MOsyGXAm(|f${G+*?4i{hT(gwAOBr+>|+ zcUdtRrB6}+@;kW7CYM*idw8T#oKUv+hS)QL|`PggoLLEa-grYY4-3re7=w|&6LXJig zP^hq7P!|d~88wDrCnR_gIMPfFMdBpQzd8iN_1kFF`-A%JkDXzPZJ0Je*x986v`eA^ zyCf)SF|g>{?rkD=HBS;jhXT-oiQ&9ZH19Tl8)ij05Gz_4`SP@YF&ekE#21v7^wZw+f}hgO1kgI5A&IHqUV!anctXrupHM-W9@x z>>9c*#mu|4y~j^i81sP?*E)S67(dLu1h8moV^LC6r4ys#!cdS5f}d812DhiQY?@u4 zjb`(FvvS>_PF{+yac%1L=vpZ0p1v&95VqmWtXI=KkB9x3mk3*2%|4$6mNYzHuWf=) z!w|MjK-gynTx1M`@lw2X9f(B4#&9jAb_20AE4Wf3Du~6ZGj0wM#1&3~YXHTJNQ*@V zF&bi}1}Z_ylB!I%E2&X1GK^BO{eggz;e5M(9S^Z;4G&KG*?LeG2*@rj7;C4v!Ebrw_^`v~tDTET~$E=1syyl;AwWNTpi{zQdYUv{kkwO34ofj%*1>y9!6!G#o4H6})~iOQBU9KoS*) zOBukB1ThrXbm0!7x(=V9t69XZSp+cH6)oO!(V~itWCLvE^K&vT8|l&q^K2x&K-IBP z$3~SH?AYiK*Pp5e*a)K|qzDz4jx5O-GJ>54`D z-+`Cnb5ry`86N_hid7_}YN+2T3c|G=ZW>tZN3|9icafi=z*nF@f|Kua&vEOMwRGC0 zup?;k{L@#=;v^)d5n-=e*QxTU>z5}@!ja447T8M}TzLo^svOG19mJ}{pMUvt=Tk@b zsW&m$`P8lY)OC`Z+(gc9e#m~GWb-OVu6AkLB)$SCqb|!f2@^)i0VL8|rH4Qp$b4a2 z8N>F>wV!9dpFQi&h1A<@1$bivwi?y0w^39b=YFTb)~;9?LU7nSSRoJPjBv21hBVu_ zhu~*1>gZHSuOZ>tWiNWUX3H|;nBmVZr)nl7g4#uUkvM{yiTWgo#5(CK^nl|8LxcXE zVwU8h;flTSC8T2LnbY27hptS&4RE!~^eW+&=3XWs6pLA;LP_93CO9($I;ACe!On@; zrP4|@L&)>MGlvH}p1J2~wISd^ec&-k^G_yGikQ16B(1@q8ogv%c(&tKlVA>lsp!C~ zP_vTqq&Y;&OI2HxC+Z_lxDo&gER#_wPk`l;CRItP33_O0B}sNR`VP}dJwwo=e3d#t zW831AOpx`xJHI%MnYi8^w@w&Jb8BRrAx=L>;-jReP+COy?lx5nK~pM^%MNhWxpk;r zUjtD_t}bdgK~m^EA)|&M6G8i>0ix#DYwNY!-U++1b%M*7Id-}Cp7uAHRfpQeL4=Z{ z97x*6}-#aZGoR{z_qic z72i&95PpM$b9M-{!9mfrb4tWsM-x^u*iMuf6~Oj=7T-GZ>J%7p_+Di<57aI#0!M!g zImIMGavPOqc_N&1C0;3sc&AwZicZYhFo?)5=M(1cat}S#C^p>OOSOfS2 zEvRsyKt?^<+1In3U#e=DwN&3$nrm7+&usK_QY-ZgHdV~fjmiBzpYH^Jya6}U3ZS*Z zBEFkxv{k+!$AI7`w4_Bv$~q45z09zhLHG#|(=K%2IX)? zPNuTLXCSpPCO*rC^$a?h3VbXt-M$;yzmKI5LN>s(f*437%0y>cu$JJbm~*BK=cV-F zyc8-v(}wkok=}Ug;A@g;+Y0A}YQmkR*nti|bJ5*d>D^gw9^6^{lCXz|k+ds5zI&Lg4!Glj~Ee)a17zvc!;Q*qATvABQU`wA$G6^W# zfo~i5OatIEW!ePxJ{o9O@M&S_40{Yyg!A);e0bfwf>T;1y)FHZ z#+dze0yr**H(dJ)MrOlaGZgSoEdHx|k7guH`{e$ofb60ciGnTFL2BUSj)JceQ4YH7Y9`0)nVPnHQ589R}Lk{I`SOpI{7otJ*2 zgVxMIeD({gxh>_S*&(uDi+M~5P1MR&ne}k7BOGqE^XV1oxG$AEzq?O!-AbuEq-MBM zPT@5M;`WzW>h*x7H zm}rC4T{jp(5X)aq`qtCqhJ5y8in5s*!mN1>+jQQ!PgNZ%7E#Wst7+TZ*y@ z;6nkExqKE1!Ld6PNTD!9J=KNYOTgKb`f3)H$9aq}uFN3msb}MKsCo{g7jQOUM=(Gx zNART{+K{8$Jp?*JybK#gEXFcK%%e(34NmgE5|c;8GKdEKv%B_LwxoPwiM4K_wIm{h zJixTdBWpvlLYSIknx-s<-F3P~r`-XIn(R;Kek>jNSUUc(bT}SGj0+C2s8YI&5d>+* zD)=rs8Pu^W(smcPH)M%hwyKAw#RR2j4+9viG-#V2XVdZ;@FsrUq$} zhw0m@UXI(fFxgbetWydC=ZNRJn74Oh`fbhzo!n2V!_HONy~31Fi|e!9;8# z+g7Y>GLy~@S{kA^u_7dp3kft85-_xmtoxyRyOWes4ogZ&YRT3dU?#${4D&!vk(6Rf z?<~dCT?Nw1W+AS0FC9D&M}vpakGrSG`4rexQOtOWhj$oa#GdWuOGI2TQ+Pu^{ zAhkK?ls4Bit^d~Ptfqo8WkXB$8knc_x{O7d9RL=%Hrtv3oTR5&pzU=2eZPD7KDZlx ndwTrzx>I}IS~-5Y-CuRP>^c1!?6(S^i~ZIgUDxDmQWgLJhW(tU literal 0 HcmV?d00001 diff --git a/submission_thesis/CH5_Examples/pt100_singlef.dia b/submission_thesis/CH5_Examples/pt100_singlef.dia new file mode 100644 index 0000000000000000000000000000000000000000..3aef3d54824d203544891887aba4c4206019572f GIT binary patch literal 766 zcmV)dY&yfL#cx!BA zJ4w0hZ(j#U!$-(>YblYihWBQk$1}tI!$(YwITn&|HZUQuO#`!lhlE7~^KJBe?U@h5 zi~EqETm6d!iVgh+lgp=pIaMmTwXDTr0ca|b;sQ`I0}@;R5T(e{MwU6eFpM%lh!k4x z6}w0&LHwD*2179(m_7>LBf)1ZG;^!MF5r|4V~*&+yqsjqv^}iHebk2y60a zZD=k;2Y8)MM~mV1y}sS+_TWmB!|D9*rK8_VC%%`C$Z^7j5{RfKrO!FVh~=zG%<%C% zGC)+P*tW1vh+;yN;ye7GAS(9>Am9GHZHM06NRV**#jRMhpe#tJrsIzp4VEAtW4_FLqV1dWafO*TRNk3I9y1K7dzUa8nndSwh<2eZP(_bPR|^6t5U;S5vs| z9qa+;3OWF~$I)Sm<8i)bf-4!Xc|U`KO0PT%v6qg6{ac9hSW zP1`h(&6^dw+GzUnHX6S?k6#~u|9om0Qnyt0wlRS-wTX1OZ%j~3XsUffOqzyN>9Pdr z(viRV3)4APBtYd#dAJ9S4Bn8%Ht_7~>Yheg&BZ1uyy^iwFP!000021MQq!Z`(E)hVSz$1m$jUX&yu!>N>?Xbm-MGwApn)+l;MM zmJEqb>YM%ck(3-CB`;$y%6@bCbVRl!7-gCt&pg7^Pr zNy7TFQQy6~aGdP`6DF8CRvl$Ri?}aRjWca zN~c$szj~MDDOCqHv6@cwpoo~Wd>W^99XU2hIS?3x7-KmYGzudacmZ0E$?N4tr>EE-r2tSuS!Gi@M|}%M#AgQdQ(j{&t;W%o1s_r@Cd(i@R8e?3wewV@dIn4wQ!< z@3z<8xzjwJJbmNtv^WsuA)biY?N3X?RYqS~ihds#@hIUmLu(Wjx`l)c4!HbYRLudkV z9@9>Bfh*!TY%JpY^}DSx$wvS1v8X!xU9fb*@`>}o`I02@Lf+|{JVa(8@nq;;!`%Vf z@1hJSSy&sfMfPYb0!YsTXnzpu2sspfG}@1z%RaDln((y(rcwgZK?qO}L4e;T#uGlj z9cOu3PZ5sQA1$FtQt#86A|42+LG&4qr!#Rlye|g|ZoQEIj97WFbdHggkg1g-;6>^} z`_!VFq==_P5FH>7;7Az?`P8PRO#Ah&U4>0ug#r+%;U~zZt(1!L753=>V-RRxdC01- zjC=O3jYUk2h2_=O&kADES5gFp3LfDAM*tH2{3AA9W!kNGZ7R<^ox(v+KA0kp+D)mj zQVAoKRKcK!5r7`Gn^zfj>|Ohcn&(yl(!-Ce=2pJ1ZRM-niXv?*WH+@k>()Ck)eZkC zwj6~jNBO3X@_^SPz-q2uNn$CIi#pLO7UJc|6RT}F}ue&Yo z^(pP&7@JceCxKC5JjsJV^TFyAPitThK{`N0&glcHz1I>VUH|pv&kjhofz)8cjz}#e zQfN%12oQw_n?NchAk-x%U;8d-2aa%;Af1RuH5+y~Y9Wpy<6%Ln2TMl6DY@bUD&#kknwr4oPi9 z5;{T|Ni9;@Eg}U9NF?-$sv`NmuUFzwxY-i@zh+XGC7q~@v}?o;NNog?@#ZB8d^w2< z0Kzsa+og&RD3M7LhFB@$AZS67^vlifsH2f>8a2AGBhpEU^f*vyDsNtinWA=!t$*Xp zB$z6DicD|vb~e8qx?z3C`d-i@;m>%B9YP@VmGfX^GbbxmeBecTWsgK90X^If0^*K< z*7LC@BX$IA4FS=a2xz6tJX9$`I%=>2S#mqSVsqW;jSe51a8 qrwwUfN52!Sgw!n9q3^7lQ_A=HtHZ7?cD`He>f%2bKLK!mQ~&_v6VA2( literal 0 HcmV?d00001 diff --git a/submission_thesis/CH5_Examples/pt100_tc_sp.dia b/submission_thesis/CH5_Examples/pt100_tc_sp.dia new file mode 100644 index 0000000000000000000000000000000000000000..50e022fa7d843ee000687a9af225ce54df6862e5 GIT binary patch literal 2002 zcmV;@2QBy?iwFP!000021MOW~Z`(E$e($dk+_%A{c@b}QlVTe>^kHa*HhT_aTXD3? zk|8Te{j%Ral2R^~WamQDsTLYY6D#!jc&JYw4-Ze+4pCR!N>64G@5XAkL=w zEXn3agTGJzcqaxQkKcTlCDD8JH7}w?pgxhU^t+?MMOiN2k4D$m*C1W5qB1W)np}ca zJo-0E(`cj`jRwbWg5bV^SyV>)T75Mt%OaUvmT{0pi}+|TiKgG@MShvh234!N-84`0 zBDjjuqruyA^BRn5GouYVJ8Unbc|0lN==*llP`#vlj_GAwG|euS`6^LO%Js62Q<7!lj3WD-H{ntj?BsQ5I2Bwjn2Zp2ksDp_avE{Cu3%G)fi4cDZHY#d%Ve`2+nw zkJ8m+9H=heK5b8Za_2=d+x_5fwAfLhXFnVbS7m+e$of^XN+xOC)%zqX_hx>* zAM?$-W7PZZH(TNXw;kS9y>7ArN(4! zAkt_Z7q$7{?xyLWzQMKP1ktoiu5RAl834C6 zib9gv(clDb4p`GgWl(8hYs8lMEv*P3bQm_rpsgU=tWPFQ)hX zib%+oND_o{7y`(sLoz9lP=g>kMj^n`@QG2EjI#CXRkI4)vI=n^_3#tql2#f;^9nOM z#u#wJs}MQmm9=NDnpnh^SXkX{qJ|$4hrCiCNNDj8V=MtAnpT*&WR88qR7w+xecxC z+`dL8yOu$kP!vk54Mw@L(JChdP zXxGRfe?@2CKA(I&-I7P%k$l;f$;-2{3s7GV&Z9+=u2sLHY&8g0vWX`C#02g&ahTxb-3r0;3O3mv{yP0}1IE5w)i0)NrpSigfbVr!QWR zTnkbM5xpYyP?3bSB1x0AW-bM(f`HJZoS5Mq?}r>=A0Qn_k6JYJa@0dPlGe#eTFpx? z_2>q}2$Hx7kb0v?K0rEzAaxMYD^d>?3GJb7KvJE%!%h?38bh%S>Kqb*29Weak%*6x z4kJk&MD&u>M@d3^NF(V@Dz`}_t_6t*Msya5F=lq+khm*|{;4&|M@a`tBW)7V3sN5i z$+~!n0*>jBgJ*AhJxY`+6b3?~f+S20BI3LULDDa$zay_kuGOfMgksz|p3m1XMT zRWh?`Jz_V%2`-c{)$}ZLQ{o-m{q|@e+V$!UqkED+>k>PJfMAAs(q&9mp(y>6W@nE` z!*(3vekdUJ3g|o@>ms68z}_ezdLae0t_Q^s5JNoTa#dQRFu+4P#)|8e0*10D3P`*H zI?vm85z#APZxj%}kOEp)E@P&%_j*N2U9N#^7zQZQo0o_f1thR1tKiTppmPQ6B%+tV z-bf&MAqiymSwI%jq5g9}?lcQnqY$n)OOej`Af<%3CqW?f66ih=*g-_EfW1+`@P!o6 zzP=v=C@SU=r#1e!I3zUNv#1h5D0&hHGB1M8bAjDl^fK5R8KjP7@XsXcJRn8%X*<}U zjI9y%Sf0h%%y{u+-y95qV%T)q>_^ubSx+&Vsylwxe40CsRNQ=$54h2{{j=zWHwon) zHVKg_@)XqVCLtn-XdFy*?N)^v0!aE$x#h!x18fntY3PH37cJYW-kT%!IuF?U5?=?^ zd(=E(@A=a_wyuoVM?&a4qtiKF3KR-GkrMTNEPz0Q;-O+ON5b`7-*&LwMgUHAci8`Q zp5ISQiIIIwDa~RAx(z9Xz{K27PH<@G#+kuI>IdhcW!uH=gcF``JNRZ@(t110F8L+^ zlafipw@~siVhT^6o`!&gkT~XBmx~<%gX)v#+e3WYM-8FWJGqV*2Z9i!iv|Tj*qkhi zH2pAu>bqmQb$Hm(C^X@zYU=0HU3{~y*g~OY;PUuHbv2<<^<6VgplU+JjJb~AI(_WS zl%lFjo^m@VXI&zrW)iE=<#CK-fN{xnSs<1ijWGn6S5vCs&ZpEa7dwm8u!xLtH( zd!QS09>FOPTHWw5CLlC3mwS$}hr>2(4v4pK|CP{;@1gLIo4>DDc#~X? z6{x_l%7bu-9W$=W#ZJcIYU%6=w|yf4i~Z;tc6(-5jbYBn(MPxIJBxdANY1zQVp-;k z_rb|!8RX}|SLImjcNU!QEVOy)Y+s@I!1{fKJt~ykLm8A_zGMJJI z3M$ZgPTmeT9TqMh7Ool=E?ZsQlvQ0NS-lH6Ez3MjiUzf=ZqvhYRE?Z^OJng#s ztf-IH{ljs(-~M*2dOv>Lkqu36z01Q~rYvP|Umg~>**smnLbK;>dV0EUo1MKj>)Y-2 zotWmWt;O0xnxJ*aw7u+gNl+5bvZhiG+PRi+j(^=gP_Rl&g=1Db=PNQGS z?~_L#M0+6F{Cx5iKA)`Z;pxt_4(`m>O}U|z1eBd<$)F|0HL0} z+=4p!)ttfN$fV?vq!G(LEg*sd;NsHsAVs5Wv|j-HS$Sab%FpBF(LpOT45;; zM61mVyrR)tZTh}R>(oALx8?u-eyIr>{XMH@w^<$a_`)wNAbs9QS=3#y=Kbhfvdr=a zeRoN*nnbJm!6=#WL;wD%0Y2*-qo0D4px&+f3um-qN;lJl+Z!M2oPi79ny%f$%9t76CB~ zd5oA|;)K%I3KJqfz9#+p&&w|np&0O>N51uFhlxRu1{I{uL=}ZLV68H%9V1)+Pjszy zsikIJT8BP*{9o19S9T4V&#*?&I1cP9+1b( zna2W1%P>xT@>rv^q>3>GP#PXf>XpZ?0}DJJkjLDW$C_2jzaDE8xz=NX02)A#od*_p zJRpySE00epz}UMU8x+y%F#>7;Id&dbpz(k-md@cF2AD!*DJFe}co-nn;*gj~KrN~k zW$884b01#d^NeakXPlXq$ArehGN z(HtlV&j(60Dxp9&e_-B|MBl2fW8H=gM~r-#^{+j z=l3w6uw4l$_UV|lFbqh_VhIGdn2e9dF~fR>f-w0Orfxb0Z5pFCIj7$s1ekYcX#=9Y zCG9AYF}X`5xJ$#N9(E8hXwn!p$vvft01oX6g}C3W=mv*rCrKcaSA`{OcC*N#hoD0{ zO;{4Zf;#z6jP9gl5UA1YX3=-r&2mo6!w@Joz`p((hXIbX8e#&dc}~Qrp&W}EMg#>l z^sk0JlniP(8Z~6^q=wGvok-cFVdD3>^9>3XF~)#EY|}5497)I;(l3Vb3cJV{RB((z zt8>0CmH-YBw61Y<&?;F>AfSzp21EWu(5Bb<7}RMrJ{o@~AI&}In*o9tvfT6gT<;o4 zi=kj9>s#YlT&%*WXVAlaNErliG=eDKNf4c%8NixzHcp^kJ;MeC1F3`7H6j~D$QtC& zyF1uL!JvI(EH?#@AV=6dN$gjP41}f|j4-M2IPuYA@o zfIvtkq^WYvu|h0H5O9gOt(2i};xK3v5nrXn+>Yt6k#-jbQ&gBcRqD|FJu5Q1WDJxmf)Tgw#cKuuZLgO8^6HuK(bb~Z&&D}q_f879HZ ze=IYnBQ$e%gd9PM1sT9=*9cfP)&qrz4X|p80dVai`?m7FVRkg7ra((@*?&+gXCt(7 z_d>5s$ER!~*wv&Swyq$%|^i zMv@d2gvhrL?T{~s&j`}DV1EnVfU%laABh=NM8^Cg6fUY7jw_2#lSv7$Ngr~S`3Ke^{*o6P|%@n`UN2x zqYxdVMl!J#Iz1OiHXs-%9B%-5(4wG4Jq!$DG)6JvM>xMzClq)-yps~669N>(kjE_~ s7lg>5MnR2sDHycqUA3sW&Xb3ABQM=38tu`fh$6*k2<2@>A-VH1ZHSHCMJm0>Ff8wEC{12s z>M?hAyS2pRWy@xk#A=v3uX$PBf89OLInQ&RbDr}**Z(@#b^WjF{D0^7{eFJeEq7N( zup(3u1OkDPP7WSG-vqRW3Y&oUw9zmh=;W{-j`kpWxArGsu<5*uqXX#M+Ed(8kqOLf z#yI(6K_DfywI&Cm67N>TOz9%~etTFKG4CTT%AhNFHzZEom`1&J&J@| z+=@VT)ri-Z4-Fy0+ye5M)6L?-peu#q%@^&ym2E!4kZS`&B7eoKw@`{hK(j^DIp?;` ztjH+&`Cin;?WraA?%hk9mXowsBGfMm8qe3}lGx=JLPPf?{npcS|6Y1}7!u*;YrcQK z5z^|=q3SOWMn5x7dwYi+LwGZaY!gk8R#sLfc-x##<06ixNFD*LmmvH4*=*z>wkDvJ z%jZK)Z;nqi8&*AfKaQ9QyDibMg` zHAKBbe@`eu3=7~)bwCsetuSnZ(7GF6bkjQDxgu{_}DZVEXk6Pz3IA# zUllgNT$Tt-AG!~j>Q-d?X=QPmR1SoEH$8n%hEor=EIJ_)skkYbNVwhN{>a5c58`fH zQ~?~KnMKM~zs{X%zDk~IeiW_kNS~0buA=Xas_(Up(gEbd7SFPywNWV4oA(#5WN8rh^^`FBR8M3}nbR$XPCZQFWAJJMZrG*qtJBRmS=O&^%xD;?-9 z|kdN-DRyEJ9Ze{ z!5q$~QVo{~w#{_>r7FeFx)0CjTpn+FN4Pur5JM;w*1d2w*y3!I>4!#th(6FJ%wJwv z=`=HIc=Dv!2S&Sc$koKp!T&B+Q^$`vxUZrw%m%-3Vg%!(rKLq2{`C%4O?o`5a|~f_ zUK$Ah!keg9R#yHfXo^aCP*+}?!a9fS9UmVLARc#fQ#CFXN5V?no#f@^`NP9Z-m9ls zhI2#U_Bz|{`yot^D3ju4nh<-GR1 zHm#~@WXK9T$JB2*^z(S$u`oenL|0draVEQe4xi_5&-m7iIZ!=2i`|&~g0w5BySqD! z9gIs%eEi~t-FPNMI?h_Re1{B5dA{RqqiJW|+RD;WypflMz7B*LwH}&kW@a`gB7Qq{ z$W2X6N&{OqiHu!9e;YL!Q${n}yEkk@n~?HCIyqUcFL_zMS-K0N@DhIKq4=ck9W3ve z-F6-gCig=OKMcN>Y(OFZ(#Tz!=H26Ciz^}9Qdg5&jdtzY!{oq~V*rm3+)UwPPq|?J zxaZjj!D*O=r+HrggxKc5HDMP%H?ty#o>P>tc=%8J^WA8t1gK3hAdQK zsiU#I0>L8y1O7FD=ufr0G#ElbCSz5v5Q)TErrFKoWqy8s32$d^UgYlj(j|#YJ*cD= z3Z(thn=;4C+Ky^!YN||AC7Z?dDJ9uSNgW?QRvK(w{1bilEPd&{j2!ZlG-2VwRKmUr zI9E2-sp(6mHbsfJbF*b{cH6|+tRL=tKV8rbysuK;i9z znZ}6D=|xSv#9?QNOqSS8-vjvIfa?HJy&r;F&g6(^3AO=)SZizRv+!-O_y`Q<3BwZ$ z)0o|v;l%Flwv0>sI?tGjgZ#k)Ah0#6wiUlf_sP+mo1YI$N-9)xMleT5g8-AuW~ZxS zOPm>>-vO#`sIT{&;g5`zXlQ5{$o|QS@B8{Si5>0joinqvS|DO&@t{H3JW-IK5%8l0 zfa0>UpHU}HsN+Y_W)(Sm10?OYHD8Hm`9k5T{SO9isOlmtEU3T|pi@BJ-Zf`Wt?FLG zs7cAkeAoSN!F(?h$(T`2ioO2!RDBj40f!fNr0Z&?gIVso)k`xZDaJL65x-f}80H(v zg<6%(jsDRl1+JF}1avRwh7TT(->R@7O?-xz9Y%Q-Y_7_*-=eVC0y8yT!&;2ce zY{-jw%4D9+3=BY{?>|ZSrD+~fcqrZjtvgCa`eK}aw=#<9i?xU&62Cpx z5kza7!eF~KZVwPp)^NWWJw=x&A;Hh8z;$AOzrzyNH}nxNZ;p*ms`1bULRg2a%=*`jP=0W;s($BDaSMVrv~m zLg4^F^iFzse_!9xH0Y`4VAWGvGyZ7wT-{)GPS*t&@=FxeqcDu3ym7zaa_`h!&f2g% z?UFU;^=qK;#=I%4-MhfSS$1&mK2%@lh5D`dxq!HJ#bTN`GFQL#2WyrFLPJA=5S}ra z+_le7W&#@J6dj(J;MEXUTfDu!=L%zfCrC}g1>6UgQE4m2Em`BY-5Zk(~fpl8qLE@B{u{{wxx{wB#qERK2?%-DTP8{doNN_z1%1lxJ}Q!r&gH zV*DQuLq3*`#-p1H%X)3V=NVVW%A-8Xl3;e92`l1DaXp&x`S(Q<-$(waXjQhG$6=gU z4?MgcUEb!8(YQ1--m>$C?G;~$St9uNX4AHOFxJNON+eaY%T=5PvPt&5+G)~YNBw@) zrfikUM$zKt@>l1wIHmHy##Y^lHiBeJo-BfB7e|gwSPTRL9zsYC24NnvsYBscz|ZccPnw3Su>P#c`a_TgvryEXeGp~6nSbubeD&(& z>b?1RM{g*sHBJw{Cx{@&PY;Xxz!&KrH`{L0VCk-GHr_Yt)pmytOmV0(S?3TTe-=q; z{?lffw#o}!DvrhHS@5ua_i9Yy*}r0*m7V=F;rU| z4WSEBJGdZ{S7o{_3^mfgeJKuZJBaiyew@}szWb;3dI=hD_|}?$uonVCteJlh0k$R} zbOF*&z_wjFJN{vSwy+@lnfPeix3{+a^Y9V%!bc{jE6t2#Yc`@zGu2^aY~P>rqoZNp zIk4|*5Q!T4;jZ*^b53Br{Br?j3{k~Bmr^ugfVq$|g^Mw32Rx6XXeuH<@5`}0?0F82 z?w9jb^%Ux|$fMX9`BR=G@nhAnkZ}E2o`xb?yv4LBH@&q{yUwME+h}p~Z#Q>(bZNzc}PqsSOd&Fr7 za;B3P`Z1H2+e1j{sznc*X`Z|sIe!p9T}4Qw<}GiQ<0 zvR7n*C0S@!ve;^|kVpmB$dnQT(TNL)N^=Nc9&L%3se#yY^Q+RPDWT4*1-9B%3Jbo* zkJcZ8tGW*h+jjh0L!H4JH|Lt}^u|$EhpdiUw|p6d&+-I$l#Z-4dseC}<+1qa7ZE;) zESU4x>X;+{rbDj^V>P+)sVy=Hg_vh+oA*Mv-`Ri<5kG`ciEU4or!yD(5|f{xCBNkK?g zqmu%Q3?f!C5~N##c0JEX&=4gEcF)>aezVNgo3#}nwpvhv6y_o33ZQ;oGXL@)fyk=5D-aaLX;Bq#v4TD_K!$n>+d+sQlm-w!=2X-iy;y4?s6ZH?MHq;S+1?pM7%1Nx_0z6?HBM;6Z-}X>*L|HVp9PWL zDyyOrU6onoXxOaR8y%{5J|jazl%XDq(6RdBirymh90JLtuy{3$5_F?N`U}phzGp;e zfFguC7n~!RGifbdPyjZas3%jhV8o}+=Zy3WQF>taG>qmun?k*L7|nMpASw|n@Q{%q zBSQ`TXQXI|QiQsvVx({dt+^N}lt?9G1spQjm{Fp7_cKB?L?P;2O^#Gv?&{r2H^(5r zkx5yB22DU@WT@Wxj0~N#3^i=Oh&or2d%*UJEpxrr+HjB-Q9wQ7K=sXYh!LE4z;P(V z`DVS?!mq=xeP@87Xr?N{G+$NB@ddc?(@T;LfTFBK~{|LoK7vJYMs@ALoXc5|`y58rMs{s$jl J9^w>s0007jlDYr@ literal 0 HcmV?d00001