robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OK went through my own proff reading process

Browse Source 
and its now 20:05 and I am getting a bit tired.
Better put it in git or perhaps loose
it due to a typo in a Makefile....
This commit is contained in:
Your Name 2012-04-12 20:05:07 +01:00
parent 72f166e76b
commit c050936f28
6 changed files with 287 additions and 204 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
papers/software_fmea/Makefile
View File

@ -6,6 +6,7 @@ PNG = fmmdh.png ct1.png hd.png ftcontext.png
all: ${PNG} all: ${PNG}
pdflatex software_fmea
pdflatex software_fmea pdflatex software_fmea
acroread software_fmea.pdf acroread software_fmea.pdf

311
submission_thesis/CH4_FMMD/copy.tex
View File

@ -1,7 +1,6 @@
\section{Copy dot tex} %%
%% CHAPTER 4 : Failure Mode Modular Discrimination
%%
\ifthenelse {\boolean{paper}} \ifthenelse {\boolean{paper}}
{ {
@ -24,9 +23,11 @@ This chapter defines the FMMD process and related concepts and calculations.
Firstly, %what is meant by Firstly, %what is meant by
the terms the terms
components, failure~modes, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes are defined. components, failure~modes, derived~components, functional~groups, component fault modes and `unitary~state' component fault modes are defined.
%
The general concept of the cardinality constrained powerset is introduced The general concept of the cardinality constrained powerset is introduced
and calculations for it described, and then performance and calculations for it described, and then performance
calculations under `unitary state' fault mode conditions. calculations (comparing traditional FMEA and FMMD). % under `unitary state' fault mode conditions.
%
Data types and their relationships are described using UML. Data types and their relationships are described using UML.
Mathematical constraints and definitions are made using set theory. Mathematical constraints and definitions are made using set theory.
} }
@ -45,8 +46,10 @@ describes the data types and concepts for the Failure Mode Modular De-compositio
When analysing a safety critical system using When analysing a safety critical system using
this methodology, we need clearly defined failure modes for this methodology, we need clearly defined failure modes for
all the components that are used to model the system. all the components that are used to model the system.
%
In our model, we have a constraint that In our model, we have a constraint that
the component failure modes must be mutually exclusive. the component failure modes must be mutually exclusive within individual components.
This concept is later developed as the condition of `unitary state' fault modes.
When this constraint is complied with, we can use the FMMD method to When this constraint is complied with, we can use the FMMD method to
build hierarchical bottom-up models of failure mode behaviour. build hierarchical bottom-up models of failure mode behaviour.
%This and the definition of a component are %This and the definition of a component are
@ -94,7 +97,7 @@ to mean a part or a sub-assembly.
What components all have in common is that they can fail, and fail in What components all have in common is that they can fail, and fail in
a number of well defined ways. For common base-components a number of well defined ways. For common base-components
there is established literature for the failure modes for the system designer to consider (often with accompanying statistical there is established literature for the failure modes for the system designer to consider (often with accompanying statistical
failure rates)~\cite{mil1991}. For instance, a simple resistor is generally considered failure rates)~\cite{mil1991}~\cite{en298}~\cite{fmd91}. For instance, a simple resistor is generally considered
to fail in two ways, it can go open circuit or it can short. to fail in two ways, it can go open circuit or it can short.
Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$. Thus we can associate a set of faults to this component $ResistorFaultModes=\{OPEN, SHORT\}$.
The UML diagram in figure The UML diagram in figure
@ -114,13 +117,11 @@ each failure mode is referenced back to only one component.
%%-%% The lower resistance part will draw more current and therefore have a statistically higher chance of failure.}. %%-%% The lower resistance part will draw more current and therefore have a statistically higher chance of failure.}.
A products are built using of many base-components and these are traditionally Controlled products are typically built using a large number of base-components and these are traditionally
kept in a `parts~list'. For a safety critical product this is usually a formal document kept in a `parts~list'.
and is used by quality inspectors to ensure the correct parts are being fitted. For a safety critical product this is usually a formal document and is used by quality inspectors to ensure the correct parts are being fitted.
The parts list is shown for %The parts list is shown for completeness here, as people involved with Printed Circuit Board (PCB) and electronics production, verification and testing would want to know where it lies in the model.
completeness here, as people involved with Printed Circuit Board (PCB) and electronics production, verification The parts list is not actively used in the FMMD method, but is shown in the UML model for completeness.
and testing would want to know where it lies in the model.
The parts list is not actively used in the FMMD method.
For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a collection of components. For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a collection of components.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
@ -132,10 +133,10 @@ For the UML diagram in figure \ref{fig:componentpl} the parts list is simply a c
Components in the parts list % (bought in parts) Components in the parts list % (bought in parts)
will be termed `base~components'. will be termed `base~components'.
Components derived from base~components will not always require Components derived from base~components (i.e. sub-assemblies) will not always require
parts~numbers\footnote{It is common practise for sub assemblies, PCB's, mechanical parts, parts~numbers\footnote{It is common practise for sub-assemblies, PCB's, mechanical parts,
software modules and some collections of components to have part numbers. software modules and some collections of components to have part numbers.
This is a production/configuration~control issue and linked to Bill of Material (BOM) This is a production/configuration~control issue and linked to Bill of Material (BOM)~\cite{opmanage}
database structures etc. Parts numbers for derived components are not directly related to the analysis process database structures etc. Parts numbers for derived components are not directly related to the analysis process
we are concerned with here.}, and will we are concerned with here.}, and will
not require a vendor reference, but must be named locally in the FMMD model. not require a vendor reference, but must be named locally in the FMMD model.
@ -158,7 +159,9 @@ internally. What we need to know are the symptoms of failure.
With these symptoms, we can trace their effects through the system under investigation With these symptoms, we can trace their effects through the system under investigation
and determine outcomes. and determine outcomes.
Different approval agenices may list different failure mode sets for the same generic components. Different approval agencies may list different failure mode sets for the same generic components.
This apparent anomaly is discussed in section~\ref{sec:determine_fms} using two common electronic components
as examples.
@ -177,8 +180,9 @@ Traditional static fault analysis methods work from the top down.
They identify faults that can occur in a system, and then work down They identify faults that can occur in a system, and then work down
to see how they could be caused. Some apply statistical techniques to to see how they could be caused. Some apply statistical techniques to
determine the likelihood of component failures determine the likelihood of component failures
causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its reverse, causing specific system level errors. For example the FMEA variant FMECA, uses
can be applied to specific failure modes in components and the probability of them causing given system level errors. Bayes theorem~\ref{probstat}[p.170]~\cite{nucfta}[p.74] (the relation between a conditional probability and its reverse)
and is applied to specific failure modes in components and their probability of causing given system level errors.
Another top down methodology is to apply cost benefit analysis Another top down methodology is to apply cost benefit analysis
to determine which faults are the highest priority to fix~\cite{bfmea}. to determine which faults are the highest priority to fix~\cite{bfmea}.
The aim of FMMD analysis is to produce complete failure The aim of FMMD analysis is to produce complete failure
@ -188,7 +192,7 @@ starting, where possible with known base~component failure~modes.
An advantage of working from the bottom up is that we can ensure that An advantage of working from the bottom up is that we can ensure that
all component failure modes must be considered. A top down approach all component failure modes must be considered. A top down approach
can miss individual failure modes of components~\cite{faa}[Ch.~9], can miss individual failure modes of components~\cite{faa}[Ch.~9],
especially where they are non obvious top-level faults. especially where there are non obvious top-level faults.
In order to analyse from the bottom-up, we need to take In order to analyse from the bottom-up, we need to take
small groups of components from the parts~list that naturally small groups of components from the parts~list that naturally
@ -203,13 +207,15 @@ and from this determine the failure modes of all the components that belong to i
% %
% expand 21sep2010 % expand 21sep2010
%The `{\fg}' as used by the analyst is a collection of component failures modes. %The `{\fg}' as used by the analyst is a collection of component failures modes.
The analysts interest is the ways in which the components within the {\fg} The analysts interest is in the ways in which the components within the {\fg}
can fail. All the failure modes of all the components within an {\fg} are collected. can fail.
As each component mode holds a set of failure modes, these set of sets of failure modes %
is converted into All the failure modes of all the components within an {\fg} are collected.
As each component mode holds a set of failure modes, the {\fg} represents a set of sets of failure modes.
We convert this
into a flat set into a flat set
of failure modes of failure modes for use in analysis.
(i.e. a set containing just failure modes not sets of failure modes). A flat set is a set containing just failure modes and not sets of failure modes~\cite{joyofsets}.
% %
Each of these failure modes, and optionally combinations of them, are Each of these failure modes, and optionally combinations of them, are
formed into `test cases' which are formed into `test cases' which are
@ -225,24 +231,26 @@ with its own set of failure modes.
\subsection{From functional group to newly derived component} \subsection{From functional group to newly derived component}
\label{fg} \label{fg}
The process for taking a {\fg}, considering The process for taking a {\fg}, analysing its failure mode behaviour considering
all the failure modes of all the components in the group, all the failure modes of all the components in the group,
and analysing it is called `symptom abstraction'. and collecting symptoms of failure, is termed `symptom abstraction'.
\ifthenelse {\boolean{paper}} \ifthenelse {\boolean{paper}}
{ {
} }
{ {
This This
is dealt with in detail in chapter \ref{symptom_abstraction}. is dealt with in detail using an algorithmic description, in section \ref{sec:symptom_abstraction}.
} }
% define difference between a \fg and a \dc % define difference between a \fg and a \dc
A {\fg} is a collection of components, a {\dc} is a new `theorectical' A {\fg} is a collection of components, a {\dc} is a new `theorectical'
component which has a set of failure modes, which component which has a set of failure modes, which
correspond to the failure modes of the {\fg} it was derived from. corresponds to the failure symptoms from the {\fg} from which it was derived.
We could consider a {\fg} as a black box, or component %
to use, and in this case it would have a set of failure modes. We consider a {\dc} as a black box, or component
Looking at the {\fg} in this way is seeing it as a {\dc}. for use.
%, and in this case it would have a set of failure modes.
%Looking at the {\fg} in this way is seeing it as a {\dc}.
In terms of our UML model, the symptom abstraction process takes a {\fg} In terms of our UML model, the symptom abstraction process takes a {\fg}
and creates a new {\dc} from it. and creates a new {\dc} from it.
@ -264,10 +272,10 @@ The UML representation (in figure \ref{fig:cfg}) shows a `functional group' hav
The symbol $\bowtie$ is used to indicate the analysis process that takes a The symbol $\bowtie$ is used to indicate the analysis process that takes a
functional group and converts it into a new component. functional group and converts it into a new component.
\begin{definition}
with $\mathcal{FG}$ represeting the set of all functional groups, and $\mathcal{DC}$ the set of all derived components, With $\mathcal{FG}$ represeting the set of all functional groups, and $\mathcal{DC}$ the set of all derived components,
this can be expresed as $ \bowtie : \mathcal{FG} \rightarrow \mathcal{DC} $ . this can be expressed as $$ \bowtie : \mathcal{FG} \rightarrow \mathcal{DC} $$ .
\end{definition}
\begin{figure}[h] \begin{figure}[h]
\centering \centering
@ -279,29 +287,30 @@ this can be expresed as $ \bowtie : \mathcal{FG} \rightarrow \mathcal{DC} $ .
\subsection{Keeping track of the derived components position in the hierarchy} \subsection{Keeping track of the derived components position in the hierarchy}
\label{alpha} \label{sec:alpha}
The UML meta model in figure \ref{fig:cfg}, shows the relationships The UML meta model in figure \ref{fig:cfg}, shows the relationships
between the classes and sub-classes. between the entities used in FMMD.
Note that because we can use derived components to build functional groups, Note that because we can use derived components to build functional groups,
this model intrinsically supports building a hierarchy. this model intrinsically supports % building a
hierarchy.
% %
In use we will build a hierarchy of In use we will build a hierarchy of
objects, with derived~components forming functional~groups, and creating objects, functional~groups formed with derived~components, and after symptom~abstraction creating
derived components higher up in the structure. derived components yet higher up in the structure.
% %
To keep track of the level in the hierarchy (i.e. how many stages of component To keep track of the level in the hierarchy (i.e. how many stages of component
derivation `$\bowtie$' have lead to the current derived component) derivation `$\bowtie$' have lead to the current derived component)
we can add an attribute to the component data type. we can add an attribute to the component data type.
This can be a natural number called the level variable $\alpha \in \mathbb{N}$. This can be a natural number called the level variable $\abslev \in \mathbb{N}$.
% J. Howse says zero is a given in comp sci. This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$. % J. Howse says zero is a given in comp sci. This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$.
The $\alpha$ level variable in each component, The $\abslev$ level variable in each component,
indicates the position in the hierarchy. Base or parts~list components indicates the position in the hierarchy. Base or parts~list components
have a `level' of $\alpha=0$. have a `level' of $\abslev=0$.
% I do not know how to make this simpler % I do not know how to make this simpler
Derived~components take a level based on the highest level Derived~components take a level based on the highest level
component used to build the functional group it was derived from plus 1. component used to build the functional group it was derived from plus 1.
So a derived component built from base level or parts list components So a derived component built from base level or parts list components
would have an $\alpha$ value of 1. would have an $\abslev$ value of 1.
%\clearpage %\clearpage
@ -346,14 +355,15 @@ fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}
% \label{eqn:fminstance} % \label{eqn:fminstance}
%\end{equation} %\end{equation}
\paragraph{Finding all failure modes within the functional group} \paragraph{Finding all failure modes within the functional group.}
For FMMD failure mode analysis we need to consider the failure modes For FMMD failure % mode analysis %we need to consider the failure modes
from all the components in a functional~group. %from all the components in a functional~group.
In a functional group we have a collection of Components %In a functional group we have a collection of Components
that hold failure mode sets. %that hold failure mode sets.
We need to collect these failure mode sets and place all the failure we need to collect failure mode sets from the components and place them all
modes into a single set; this can be termed flattening the set of sets. %modes
into a single set; this can be termed flattening the set of sets.
%%Consider the components in a functional group to be $C_1...C_N$. %%Consider the components in a functional group to be $C_1...C_N$.
The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components The flat set of failure modes $FSF$ we are after can be found by applying function $fm$ to all the components
in the functional~group and taking the union of them thus: in the functional~group and taking the union of them thus:
@ -423,13 +433,14 @@ Electrical resistors can fail by going OPEN or SHORTED.
For a given resistor R we can apply the For a given resistor R we can apply the
function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $. function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $.
A resistor cannot fail with the conditions open and short active at the same time! The conditions A resistor cannot fail with the conditions open and short active at the same time,
that would be physically impossible! The conditions
OPEN and SHORT are thus mutually exclusive. OPEN and SHORT are thus mutually exclusive.
Because of this, the failure mode set $F=fm(R)$ is `unitary~state'. Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
%
%
Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist. %Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.
%
The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $, The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $,
therefore therefore
$ fm(R) \in \mathcal{U} $. $ fm(R) \in \mathcal{U} $.
@ -467,33 +478,35 @@ we have banned larger combinations as well.
All components must have unitary state failure modes to be used with the FMMD methodology, All components must have unitary state failure modes to be used with the FMMD methodology and
for base~components, this is usually the case. Most simple components fail in one for base~components this is usually the case. Most simple components fail in one
clearly defined way and generally stay in that state. clearly defined way and generally stay in that state.
However, where a complex component is used, for instance a microcontroller However, where a complex component is used, for instance a microcontroller
with several modules that could all fail simultaneously, a process with several modules that could all fail simultaneously, a process
of reduction into smaller theoretical components will have to be made. of reduction into smaller theoretical components will have to be made.
This is sometimes termed `heuristic~de-composition'. This is termed `heuristic~de-composition'.
A modern microcontroller will typically have several modules, which are configured to operate on A modern micro-controller will typically have several modules, which are configured to operate on
pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}. PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers~\cite{pic18f2523}.
For instance the voltage reading functions which consist For instance the voltage reading functions which consist
of an ADC multiplexer and ADC can be considered to be components of an ADC multiplexer and ADC can be considered to be components
inside the microcontroller package. inside the micro-controller package.
The microcontroller thus becomes a collection of smaller components The micro-controller thus becomes a collection of smaller components
that can be analysed separately~\footnote{It is common for the signal paths that can be analysed separately~\footnote{It is common for the signal paths
in a safety critical product to be traced, and when entering a complex in a safety critical product to be traced, and when entering a complex
component like a microcontroller, the process of heuristic de-compostion component like a micro-controller, the process of heuristic de-compostion
applied to it}. applied to it.}.
\paragraph{Reason for Constraint} Were this constraint to not be applied \paragraph{Reason for Constraint.} Were this constraint to not be applied
each component could not have $N$ failure modes to consider but potentially each component would not contribute $N$ failure modes to consider but potentially
$2^N$. This would make the job of analysing the failure modes $2^N$.
%
This would make the job of analysing the failure modes
in a {\fg} impractical due to the sheer size of the task. in a {\fg} impractical due to the sheer size of the task.
%Note that the `unitary state' conditions apply to failure modes within a component.
%%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos %%- Need some refs here because that is the way gastec treat the ADC on microcontroller on the servos
\section{Handling Simultaneous Component Faults} \section{Handling Simultaneous Component Faults}
@ -501,34 +514,47 @@ in a {\fg} impractical due to the sheer size of the task.
For some integrity levels of static analysis, there is a need to consider not only single For some integrity levels of static analysis, there is a need to consider not only single
failure modes in isolation, but cases where more then one failure mode may occur failure modes in isolation, but cases where more then one failure mode may occur
simultaneously. simultaneously.
%
Note that the `unitary state' conditions apply to failure modes within a component. Note that the `unitary state' conditions apply to failure modes within a component.
The scenarios presented here are where two or more components fail simultaneously. This does not preclude the possibility of two or more components failing simultaneously.
%
The scenarios presented deal with possibility of two or more components failing simultaneously.
%
It is an implied requirement of EN298~\cite{en298} for instance to It is an implied requirement of EN298~\cite{en298} for instance to
consider double simultaneous faults\footnote{This is under the conditions consider double simultaneous faults\footnote{Under the conditions
of LOCKOUT in an industrial burner controller that has detected one fault already. of LOCKOUT~\cite{en298} in an industrial burner controller that has detected one fault already.
However, from the perspective of static failure mode analysis, this amounts However, from the perspective of static failure mode analysis, this amounts
to dealing with double simultaneous failure modes.}. to dealing with double simultaneous failure modes.}.
%
To generalise, we may need to consider $N$ simultaneous To generalise, we may need to consider $N$ simultaneous
failure modes when analysing a functional group. This involves finding failure modes when analysing a functional group.
%
This involves finding
all combinations of failures modes of size $N$ and less. all combinations of failures modes of size $N$ and less.
%The Powerset concept from Set theory is useful to model this. %The Powerset concept from Set theory is useful to model this.
The powerset, when applied to a set S is the set of all subsets of S, including the empty set %
The power-set, when applied to a set S is the set of all subsets of S, including the empty set
\footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there \footnote{The empty set ( $\emptyset$ ) is a special case for FMMD analysis, it simply means there
is no fault active in the functional~group under analysis.} is no fault active in the functional~group under analysis.}
and S itself. and S itself.
In order to consider combinations for the set S where the number of elements in each subset of S is $N$ or less, a concept of the `cardinality constrained powerset' %
We augment the concept the power-set concept here to deal with counting the number of
combinations of failures to consider, under the conditions of simultaneous failures.
%
In order to consider combinations for the set S where the number of elements in
each subset of S is $N$ or less, a concept of the `cardinality constrained power-set'
is proposed and described in the next section. is proposed and described in the next section.
%\pagebreak[1] %\pagebreak[1]
\subsection{Cardinality Constrained Powerset } \subsection{Cardinality Constrained Powerset }
\label{ccp} \label{ccp}
A Cardinality Constrained powerset is one where subsets of a cardinality greater than a threshold A Cardinality Constrained power-set is one where subsets of a cardinality greater than a threshold
are not included. This threshold is called the cardinality constraint. are not included. This threshold is called the cardinality constraint.
To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$. To indicate this, the cardinality constraint $cc$ is subscripted to the powerset symbol thus $\mathcal{P}_{cc}$.
Consider the set $S = \{a,b,c\}$. Consider the set $S = \{a,b,c\}$.
The powerset of S: The power-set of S:
$$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$ $$ \mathcal{P} S = \{ \emptyset, \{a,b,c\}, \{a,b\},\{b,c\},\{c,a\},\{a\},\{b\},\{c\} \} .$$
@ -565,7 +591,7 @@ from $1$ to $cc$ thus
% %
\begin{equation} \begin{equation}
|{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ k! ( |{S}| - k)!} . |{\mathcal{P}_{cc}S}| = \sum^{cc}_{k=1} \frac{|{S}|!}{ cc! ( |{S}| - cc)!} . % was k in the frac part now cc
\label{eqn:ccps} \label{eqn:ccps}
\end{equation} \end{equation}
@ -733,17 +759,19 @@ associated with the test cases, complete coverage would be verified.
\section{Component Failure Modes and Statistical Sample Space} \section{Component Failure Modes and Statistical Sample Space}
%\paragraph{NOT WRITTEN YET PLEASE IGNORE} %\paragraph{NOT WRITTEN YET PLEASE IGNORE}
A sample space is defined as the set of all possible outcomes. A sample space is defined as the set of all possible outcomes.
For a component in FMMD analysis, this set of all possible outcomes is its normal correct For a component in FMMD analysis, this set of all possible outcomes is its normal--or--correct
operating state and all its failure modes. operating state and all its failure modes.
We are thus considering the failure modes as events in the sample space. We can consider failure modes as events in the sample space.
% %
When dealing with failure modes, we are not interested in When dealing with failure modes, we are not interested in
the state where the component is working perfectly or `OK' (i.e. operating with no error). the state where the component is working correctly or `OK' (i.e. operating with no error).
% %
We are interested only in ways in which it can fail. We are interested only in ways in which it can fail.
By definition while all components in a system are `working perfectly' By definition while all components in a system are `working~correctly'
that system will not exhibit faulty behaviour. that system will not exhibit faulty behaviour.
%
We can say that the OK state corresponds to the empty set. We can say that the OK state corresponds to the empty set.
%
Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is
%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$ %$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$
$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$ $$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$
@ -753,10 +781,10 @@ $ fm(C) = \Omega(C) \backslash \{OK\} $
(or expressed as (or expressed as
$ \Omega(C) = fm(C) \cup \{OK\} $). $ \Omega(C) = fm(C) \cup \{OK\} $).
The $OK$ statistical case is the largest in probability, and is therefore The $OK$ statistical case is the (usually) the largest in probability, and is therefore
of interest when analysing systems from a statistical perspective. of interest when analysing systems from a statistical perspective.
This is of interest for the application of conditional probability calculations This is of interest for the application of conditional probability calculations
such as Bayes theorem~\cite{probstat}; such as Bayes theorem~\cite{probstat}.
The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian The current failure modelling methodologies (FMEA, FMECA, FTA, FMEDA) all use Bayesian
statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}. statistics to justify their methodologies~\cite{nucfta}\cite{nasafta}.
@ -769,7 +797,7 @@ all sets within $\Omega$ are partitioned.
Figure \ref{fig:partitioncfm} shows a partitioned set representing Figure \ref{fig:partitioncfm} shows a partitioned set representing
component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets component failure modes $\{ B_1 ... B_8, OK \}$ : partitioned sets
where the OK or empty set condition is included, obey unitary state conditions. where the OK or empty set condition is included, obey unitary state conditions.
Because the subsets of $\Omega$ are partitionned we can say these Because the subsets of $\Omega$ are partitioned we can say these
failure modes are unitary state. failure modes are unitary state.
\begin{figure}[h] \begin{figure}[h]
@ -797,7 +825,7 @@ create a derived component.
This technique is outside the scope of this paper. This technique is outside the scope of this paper.
} }
{ {
This technique is dealt in chapter \ref{fmmd_complex_comp} which shows how derived components may be assembled. %This technique is dealt in section \ref{sec:symtomabstraction} which shows how derived components may be assembled.
} }
\begin{figure}[h] \begin{figure}[h]
@ -870,16 +898,25 @@ We can express their probabilities as $P(B_4) = P(B_1 \cap B_3)$ and $P(B_5) = P
%%- %%-
\section{Complete UML Diagram} \section{Complete UML Diagram}
For a complete UML data model we need to consider the System In this section we examine the entities used in FMMD and their relationships.
as an object. This holds a parts list, and is the We have been building parts of the data structure up until now,
key reference point in the data structure. and we can now complete the picture.
For the complete UML data model we need to consider the System
as a data structure.
The `parts~list' is the
key reference point and starting point. % in the data structure.
Our base components are kept here.
From these the initial {\fgs} are formed, and from the {\fgs}
{\dcs}. Two other data types/entities are required however: we need to model environmental and operational states and
where they fit into the data structure.
A real life system will be expected to perform in a given environment. A real life system will be expected to perform in a given environment.
Environment in the context of this study Environment in the context of this study
means external influences the System could be expected to work under. means external influences the System could be expected to work under.
A typical data sheet for an electrical component will give A typical data sheet for an electrical component will give
a working temperature range for instance. a working temperature range for instance.
Mechanical components will be specified for stress and loading limits. Mechanical components could be specified for stress and loading limits.
\paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges, \paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges,
levels of electrical interference, high voltage contamination on supply levels of electrical interference, high voltage contamination on supply
@ -891,19 +928,28 @@ can be eliminated by down-rating of components as discussed in section~\ref{down
With given environmental constraints, we can therefore eliminate some failure modes from the model. With given environmental constraints, we can therefore eliminate some failure modes from the model.
\paragraph{Operational states.} \paragraph{Operational states.}
Within the field of safety critical engineering we often encounter Within the field of safety critical engineering we often encounter
sub-system that include test facilities. We also encounter degraded performance sub-system that include test facilities.
%
We also encounter degraded performance
(such as only performing functions in an emergency) and lockout conditions. (such as only performing functions in an emergency) and lockout conditions.
These can be broadly termed operational states, and apply to the These can be broadly termed operational states. %, and apply to the
functional groups. %functional groups.
%
We need to determine which UML class is most appropriate to hold a relationship
to operational states.
%
Consider for instance an electrical circuit that has a TEST line. Consider for instance an electrical circuit that has a TEST line.
When the TEST line is activated, it supplies a test signal When the TEST line is activated, it supplies a test signal
which will validate the circuit. This circuit will have two operational states, which will validate the circuit. This circuit will have two operational states,
NORMAL and TEST mode. NORMAL and TEST mode.
It is natural to apply the operational states to functional groups. %
It seems better to apply the operational states to functional groups.
%
Functional groups by definition implement functionality, or purpose Functional groups by definition implement functionality, or purpose
of particular sub-systems, and therefore are the best objects to model of particular sub-systems, and therefore are the best objects to model
operational states. operational states.% with.
\paragraph{Inhibit Conditions}
\paragraph{Inhibit Conditions.}
Some failure modes may only be active given specific environmental conditions Some failure modes may only be active given specific environmental conditions
or when other failures are already active. or when other failures are already active.
To model this, an `inhibit' class has been added. To model this, an `inhibit' class has been added.
@ -928,6 +974,7 @@ are added to UML diagram in figure \ref{fig:cfg} and represented in figure \ref
%% XXX bit of a loose end here, maybe delete this
\subsection{Ontological work on FMEA} \subsection{Ontological work on FMEA}
@ -1015,11 +1062,11 @@ as an argument and returns a newly created {\dc}.
%The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}. %The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}.
The symptom abstraction process must always raise the abstraction level The symptom abstraction process must always raise the abstraction level
for the newly created {\dc}. for the newly created {\dc}.
Using $\abslevel$ to symbolise the fault abstraction level, we can now state: Using $\abslev$ (as described in~\ref{sec:alpha}) to symbolise the fault abstraction level, we can now state:
$$ \bowtie({\FG}^{\abslevel}) \rightarrow c^{{\abslevel}+N} | N \ge 1. $$ $$ \bowtie({\FG}^{\abslev}) \rightarrow c^{{\abslev}+N} | N \ge 1. $$
\paragraph{Functional Groups may be indexed} \paragraph{Functional Groups may be indexed.}
We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one) We will typically have more than one {\fg} on each level of FMMD hierarchy ( expect the top level where there will only be one)
we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index. we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index.
For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy. For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy.
@ -1050,13 +1097,16 @@ By applying stages of analysis to higher and higher abstraction
levels, we can converge to a complete failure mode model of the system under analysis. levels, we can converge to a complete failure mode model of the system under analysis.
Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms) Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms)
the number of symptoms is guaranteed to be less than or equal to the number of symptoms is guaranteed to be less than or equal to
the number of component failure modes. the number of component failure modes. This means the top level {\dc} in a hierarchy should have a number of {\fms} less than or equal
to the sum of {\fms} in its base components.
In practise however, the number of symptoms greatly reduces as we traverse In practise however, the number of symptoms greatly reduces as we traverse
up the hierarchy. up the hierarchy.
This is a natural process. When we have complicated systems The is echoed in real life systems, where the top level events/failures
they always have a small number of system failure modes in comparison to are always orders of magnitude smaller than sum of {\fms} in its base components.
the number of failure modes in its sub-systems/components.. %This is a natural process. When we have complicated systems
%they always have a small number of system failure modes in comparison to
%the number of failure modes in its sub-systems/components..
\section{Examples of Derived Component like concepts in safety literature} \section{Examples of Derived Component like concepts in safety literature}
@ -1064,27 +1114,30 @@ the number of failure modes in its sub-systems/components..
Idea stage on this section, integrated circuits and some compond parts (like digital resistors) Idea stage on this section, integrated circuits and some compond parts (like digital resistors)
are treated like base components. i.e. this sets a precedent for {\dcs}. are treated like base components. i.e. this sets a precedent for {\dcs}.
RE WRITE ---- concept is that some complicated components, like 741 are treated as simple components
in the literature.
\begin{itemize} \begin{itemize}
\item Look at OPAMP circuits, pick one (say $\mu$741) \item Look at OPAMP circuits, pick one (say $\mu$741)
\item Digital transistor perhaps, inside two resistors and a transistor. % \item Digital transistor perhaps, inside two resistors and a transistor.
\item outline a proposed FMMD analysis % \item outline a proposed FMMD analysis
\item Show FMD-91 OPAMP failure modes -- compare with FMMD % \item Show FMD-91 OPAMP failure modes -- compare with FMMD
\end{itemize} \end{itemize}
The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors % The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors
(and for some types of resistors OPEN only). % (and for some types of resistors OPEN only).
FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes. % FMD-91~\cite{fmd91}(the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes.
Now a resistor will generally only suffer parameter change when over stressed. % Now a resistor will generally only suffer parameter change when over stressed.
EN298 stipulates down rating by 60\% to maximum stress % EN298 stipulates down rating by 60\% to maximum stress
possible in a circuit. So even if you have a resistor that preliminary tells you would % possible in a circuit. So even if you have a resistor that preliminary tells you would
never be subjected to say more than 5V, but there is say, a 24V rail % never be subjected to say more than 5V, but there is say, a 24V rail
on the circuit, you have to choose resistors able to cope with the 24V % on the circuit, you have to choose resistors able to cope with the 24V
stress/load and then down rate by 60\%. That is to say the resitor should be rated for a maximum % stress/load and then down rate by 60\%. That is to say the resitor should be rated for a maximum
voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$. % voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$.
Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals. % Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals.
%
\clearpage % \clearpage
Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself. % Two areas that cannot be automated. Choosing {\fgs} and the analysis/symptom collection process itself.
\subsection{{\fgs} Sharing components and Hierarchy} \subsection{{\fgs} Sharing components and Hierarchy}
@ -1115,11 +1168,11 @@ in figure~\ref{fig:shared_component}.
\label{fig:shared_component} \label{fig:shared_component}
\end{figure} \end{figure}
\subsection{Hierarchy and structure} % \subsection{Hierarchy and structure}
By having this structure, the logic circuit element, can accept failure modes from the % By having this structure, the logic circuit element, can accept failure modes from the
power-supply (for instance these might, for the sake of example include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$. % power-supply (for instance these might, for the sake of example include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$.
Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say. % Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say.
But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy. % But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy.
\pagebreak[4] \pagebreak[4]
\section{Defining the concept of `comparison~complexity' in FMEA} \section{Defining the concept of `comparison~complexity' in FMEA}
@ -1132,7 +1185,7 @@ But in order to process these failure modes it must be at a higher stage in the
When performing FMEA we have a system under investigation, which will When performing FMEA we have a system under investigation, which will
comprise of a collection of components which have associated failure modes. comprise of a collection of components which have associated failure modes.
The object of FMEA is to determine cause and effect: The object of FMEA is to determine cause and effect:
from the failure modes (the causes) to the effects (or symptoms of failure). from the failure modes (the causes, {\fms} of {\bcs}) to the effects (or symptoms of failure) at the top level.
% %
To perform FMEA rigorously To perform FMEA rigorously
we could stipulate that every failure mode must be checked for effects we could stipulate that every failure mode must be checked for effects
@ -1518,6 +1571,8 @@ For Functional Group 2 (FG2), let us map:
FS5 & \mapsto & S6 \\ FS5 & \mapsto & S6 \\
FS6 & \mapsto & S5 FS6 & \mapsto & S5
\end{eqnarray*} \end{eqnarray*}
Thus a derived component, DC2, has the failure modes defined by $fm(DC2) = \{ S4, S5, S6 \}$.
An example using the $Pt100$ circuit for double simultaneous failure analysis is given in section~\ref{sec:pt100}.
%This AUTOMATIC check can reveal WHEN double checking no longer necessary %This AUTOMATIC check can reveal WHEN double checking no longer necessary
%in the hierarchy to cover dub sum !!!!! YESSSS %in the hierarchy to cover dub sum !!!!! YESSSS

146
submission_thesis/CH5_Examples/copy.tex
View File

@ -3,6 +3,7 @@
This chapter demonstrates FMMD applied to This chapter demonstrates FMMD applied to
a variety of common electronic circuits. a variety of common electronic circuits.
In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.
\section{Basic Concepts Of FMMD} \section{Basic Concepts Of FMMD}
@ -60,7 +61,7 @@ Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mi
\subsection{Determining the failure modes of components} \subsection{Determining the failure modes of components}
\label{sec:determine_fms}
In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail. In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail.
Typically when choosing components for a design, we look at manufacturers' data sheets, Typically when choosing components for a design, we look at manufacturers' data sheets,
which describe the environmental ranges and tolerances, and can indicate how a component may fail/behave which describe the environmental ranges and tolerances, and can indicate how a component may fail/behave
@ -195,7 +196,8 @@ and thus subject to drift/parameter change.
%In a system designed to typical safety critical constraints (as in EN298) %In a system designed to typical safety critical constraints (as in EN298)
%these environmentally induced failure modes need not be considered. %these environmentally induced failure modes need not be considered.
\subsubsection{Resistor Failure Modes}
\label{sec:res_fms}
For this study we will take the conservative view from EN298, and consider the failure For this study we will take the conservative view from EN298, and consider the failure
modes for a generic resistor to be both OPEN and SHORT. modes for a generic resistor to be both OPEN and SHORT.
i.e. i.e.
@ -244,10 +246,10 @@ a signal may be lost.
We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$. We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$.
\paragraph{No Operation - over stress} \paragraph{No Operation - over stress}
Here the OP\_AMP has been damaged, and the output may be held HIGH LOW, or may be effectively tri-stated Here the OP\_AMP has been damaged, and the output may be held HIGH or LOW, or may be effectively tri-stated
, i.e. not able to drive circuitry in along the next stages of the signal path: we can call this state NOOP (no Operation). , i.e. not able to drive circuitry in along the next stages of the signal path: we can call this state NOOP (no Operation).
% %
We can map this failure cause to three symptoms, $LOW$, $HIGH$, $NOOP$. We can map this failure cause to three {\fms}, $LOW$, $HIGH$, $NOOP$.
\paragraph{Shorted $V_+$ to $V_-$} \paragraph{Shorted $V_+$ to $V_-$}
Due to the high intrinsic gain of an op-amp, and the effect of offset currents, Due to the high intrinsic gain of an op-amp, and the effect of offset currents,
@ -339,10 +341,18 @@ and determine its {\fms}.
%\clearpage %\clearpage
\subsubsection{Failure modes of an OP-AMP}
\label{sec:opamp_fms}
For the purpose of the examples to follow, the op-amp will
have the following failure modes:-
$$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$
\subsection{Comparing the component failure mode sources} \subsection{Comparing the component failure mode sources}
The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures. The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures.
The FMD-91 entires for op-amps are not directly usable as The FMD-91 entires for op-amps are not directly usable as
component {\fms} in FMEA or FMMD and require interpretation. component {\fms} in FMEA or FMMD and require interpretation.
@ -350,10 +360,6 @@ component {\fms} in FMEA or FMMD and require interpretation.
%For our OP-AMP example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$) %For our OP-AMP example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$)
%is missing from the EN298 failure modes set. %is missing from the EN298 failure modes set.
For the purpose of the examples to follow, the op-amp will
have the following failure modes:-
$$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$
% FMD-91 % FMD-91
% %
@ -441,7 +447,7 @@ We can now treat $AMP1$ as a pre-analysed, higher level component.
The amplifier is an abstract concept, in terms of the components. The amplifier is an abstract concept, in terms of the components.
To a make an `amplifier' we have to connect a a group of components To a make an `amplifier' we have to connect a a group of components
in a specific configuration. This specific configuration corresponds to in a specific configuration. This specific configuration corresponds to
a {\fg}. Our use of it as a building block corresponds to a {\dc}. a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
%What this means is the `fault~symptoms' of the module have been derived. %What this means is the `fault~symptoms' of the module have been derived.
@ -540,13 +546,14 @@ We can now create a {\dc} for the potential divider, $PD$.
$$ fm(PD) = \{ PDLow, PDHigh \}$$ $$ fm(PD) = \{ PDLow, PDHigh \}$$
Let us now consider the op-amp. According to %Let us now consider the op-amp. According to
FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes: %FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%). %latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
\subsection{Analysing the non-inverting amplifier in terms of failure modes} \subsection{Analysing the non-inverting amplifier in terms of failure modes}
From section~\ref{sec:opamp_fms}
$$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
@ -1256,7 +1263,7 @@ could be easily detected; the failure symptom $FilterIncorrect$ may be less obs
%\section{Standard Non-inverting OP AMP} %\section{Standard Non-inverting OP AMP}
This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37]. This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37].
The circuit uses four 45 degree phase shifts, and an inverting amplifier to provide The circuit implements an oscillator using four 45 degree phase shifts, and an inverting amplifier to provide
gain and the final 180 degrees of phase shift (making a total of 360 degrees of phase shift). gain and the final 180 degrees of phase shift (making a total of 360 degrees of phase shift).
From a fault finding perspective this circuit is less than ideal. From a fault finding perspective this circuit is less than ideal.
@ -1751,6 +1758,7 @@ T%he block diagram in figure~\ref{fig
\clearpage \clearpage
\section{Pt100 Analysis: Double failures and MTTF statistics} \section{Pt100 Analysis: Double failures and MTTF statistics}
\label{sec:Pt100}
{ {
This section This section
% shows a practical example of % shows a practical example of
@ -1794,16 +1802,16 @@ diagrams to assist the reasoning process.
This chapter describes taking This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole. and producing a failure mode model for the circuit as a whole.
Thus after the analysis the Pt100 temperature sensing circuit, may be viewed Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed
from an FMEA perspective as a component itself, with a set of known failure modes. from an FMEA perspective as a component itself, with a set of known failure modes.
} }
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png} \includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 four wire circuit} \caption{Pt100 four wire circuit}
\label{fig:pt100} \label{fig:Pt100}
\end{figure} \end{figure}
@ -1821,16 +1829,16 @@ look-up tables or a suitable polynomial expression.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png} \includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
% pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180 % Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{PT100 expected voltage ranges} \caption{Pt100 expected voltage ranges}
\label{fig:pt100vrange} \label{fig:Pt100vrange}
\end{figure} \end{figure}
The voltage ranges we expect from this three stage potential divider\footnote{ The voltage ranges we expect from this three stage potential divider\footnote{
two stages are required for validation, a third stage is used to measure the current flowing two stages are required for validation, a third stage is used to measure the current flowing
through the circuit to obtain accurate temperature readings} through the circuit to obtain accurate temperature readings}
are shown in figure \ref{fig:pt100vrange}. Note that there is are shown in figure \ref{fig:Pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span. an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up. Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be referred to as {\em sense-} For this reason the low reading will be referred to as {\em sense-}
@ -1841,7 +1849,7 @@ and the higher as {\em sense+}.
For electronic and accuracy reasons, a four wire circuit is preferred For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables. Resistance from the supply because of resistance in the cables. Resistance from the supply
causes a slight voltage causes a slight voltage
drop in the supply to the Pt100. As no significant current drop in the supply to the $Pt100$. As no significant current
is carried by the two `sense' lines, the resistance back to the ADC is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire causes only a negligible voltage drop, and thus the four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
@ -1853,12 +1861,12 @@ The current flowing though the
whole circuit can be measured on the PCB by reading a third whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing sense voltage from one of the load resistors. Knowing the current flowing
through the circuit through the circuit
and knowing the voltage drop over the PT100, we can calculate its and knowing the voltage drop over the $Pt100$, we can calculate its
resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$. resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$.
Thus a little loss of supply current due to resistance in the cables Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy. does not impinge on accuracy.
The resistance to temperature conversion is achieved The resistance to temperature conversion is achieved
through the published Pt100 tables\cite{eurothermtables}. through the published $Pt100$ tables\cite{eurothermtables}.
The standard voltage divider equations (see figure \ref{fig:vd} and The standard voltage divider equations (see figure \ref{fig:vd} and
equation \ref{eqn:vd}) can be used to calculate equation \ref{eqn:vd}) can be used to calculate
expected voltages for failure mode and temperature reading purposes. expected voltages for failure mode and temperature reading purposes.
@ -1879,7 +1887,7 @@ expected voltages for failure mode and temperature reading purposes.
\subsection{Safety case for 4 wire circuit} \subsection{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the PT100 four wire circuit This sub-section looks at the behaviour of the $Pt100$ four wire circuit
for the effects of component failures. for the effects of component failures.
All components have a set of known `failure modes'. All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distinct ways. In other words we know that a given component can fail in several distinct ways.
@ -1895,22 +1903,22 @@ Where this occurs a circuit re-design is probably the only sensible course of ac
\fmodegloss \fmodegloss
\paragraph{Single Fault FMEA Analysis of Pt100 Four wire circuit} \paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\label{fmea} \label{fmea}
The PTt00 circuit consists of three resistors, two `current~supply' The PTt00 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires. wires and two `sensor' wires.
Resistors according to the European Standard EN298:2003~\cite{en298}[App.A] Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A]
, are considered to fail by either going OPEN or SHORT circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, , are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. %and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as %Should wires become disconnected these will have the same effect as
%given resistors going open. %given resistors going open.
For the purpose of this analyis; For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor, $R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the PT100 thermistor and $R_{2}$ connects the thermistor to ground. $R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:pt100vrange}. Should we get a reading outside the safe green zone \ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault. in the diagram we can consider this a fault.
Should the reading be above its expected range this is a `High Fault' Should the reading be above its expected range this is a `High Fault'
and if below a `Low Fault'. and if below a `Low Fault'.
@ -1946,14 +1954,14 @@ $R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
From table \ref{ptfmea} it can be seen that any component failure in the circuit From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'. should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{pt100range} on the effects of each test case are found in section \ref{Pt100range}
and \ref{pt100temp}. and \ref{Pt100temp}.
%\paragraph{Consideration of Resistor Tolerance} %\paragraph{Consideration of Resistor Tolerance}
% %
%The separate sense lines ensure the voltage read over the PT100 thermistor are not %The separate sense lines ensure the voltage read over the Pt100 thermistor are not
%altered due to having to pass any significant current. %altered due to having to pass any significant current.
%The PT100 element is a precision part and will be chosen for a specified accuracy/tolerance range. %The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
%One or other of the load resistors (the one we measure current over) should also %One or other of the load resistors (the one we measure current over) should also
%be of this accuracy. %be of this accuracy.
% %
@ -1961,21 +1969,21 @@ and \ref{pt100temp}.
%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to %(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to
%a narrow temperature range anyway, being mounted on a PCB. %a narrow temperature range anyway, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}} %\glossary{{PCB}{Printed Circuit Board}}
%To calculate the resistance of the PT100 element % (and thus derive its temperature), %To calculate the resistance of the Pt100 element % (and thus derive its temperature),
%having the voltage over it, we now need the current. %having the voltage over it, we now need the current.
%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop. %Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop.
%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables). %As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables).
%We can calculate the current by reading %We can calculate the current by reading
%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the PT100 we need the current flowing though it. %the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$, %We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.} %and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.}
%As these calculations are performed by ohms law, which is linear, the accuracy of the reading %As these calculations are performed by ohms law, which is linear, the accuracy of the reading
%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to %will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
%take the mean square error of these accuracy figures. %take the mean square error of these accuracy figures.
\paragraph{Range and PT100 Calculations} \paragraph{Range and $Pt100$ Calculations}
\label{pt100temp} \label{Pt100temp}
Pt100 resistors are designed to $Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc} A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application. for a given application.
@ -1990,8 +1998,8 @@ As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus: the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+pt100}{2k2+2k2+pt100} $$ $$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+pt100} $$ $$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$
So by defining an acceptable measurement/temperature range, So by defining an acceptable measurement/temperature range,
and ensuring the and ensuring the
values are always within these bounds, we can be confident that none of the values are always within these bounds, we can be confident that none of the
@ -1999,8 +2007,8 @@ resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts: To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+pt100}{2k2+2k2+pt100} $$ $$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+pt100} $$ $$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$
\begin{table}[ht] \begin{table}[ht]
@ -2030,7 +2038,7 @@ will detect it.
\paragraph{Consideration of Resistor Tolerance.} \paragraph{Consideration of Resistor Tolerance.}
% %
The separate sense lines ensure the voltage read over the Pt100 thermistor is not The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by to having to pass any significant current. The current is supplied altered by to having to pass any significant current. The current is supplied
by separate wires and the resistance in those are effectively cancelled by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative. out by considering the voltage reading over $R_3$ to be relative.
@ -2058,7 +2066,7 @@ will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
take the mean square error of these accuracy figures~\cite{easp}. take the mean square error of these accuracy figures~\cite{easp}.
\paragraph{Single Fault FMEA Analysis of PT100 Four wire circuit} \paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\ifthenelse{\boolean{pld}} \ifthenelse{\boolean{pld}}
@ -2073,10 +2081,10 @@ and are thus enclosed by one contour each.
\fmodegloss \fmodegloss
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/pt100_tc.png} \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes} \caption{Pt100 Component Failure Modes}
\label{fig:pt100_tc} \label{fig:Pt100_tc}
\end{figure} \end{figure}
} % \ifthenelse {\boolean{pld}} } % \ifthenelse {\boolean{pld}}
@ -2173,38 +2181,40 @@ resistors in this circuit has failed.
{ {
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/pt100_tc_sp.png} \includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png}
% pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365 % Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{PT100 Component Failure Modes} \caption{Pt100 Component Failure Modes}
\label{fig:pt100_tc_sp} \label{fig:Pt100_tc_sp}
\end{figure} \end{figure}
} }
\subsection{Derived Component : The Pt100 Circuit} \subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. {\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a
fault condition is very good with this circuit.This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
% %
\ifthenelse{\boolean{pld}} \ifthenelse{\boolean{pld}}
{ {
It can now be represnted as a PLD see figure \ref{fig:pt100_singlef}. It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/pt100_singlef.png} \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png}
% pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{PT100 Circuit Failure Modes : From Single Faults Analysis} \caption{Pt100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:pt100_singlef} \label{fig:Pt100_singlef}
\end{figure} \end{figure}
} }
%From the single faults (cardinality constrained powerset of 1) analysis, we can now create %From the single faults (cardinality constrained powerset of 1) analysis, we can now create
%a new derived component, the {\empt100circuit}. This has only \{ OUT\_OF\_RANGE \} %a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \}
%as its single failure mode. %as its single failure mode.
%Interestingly we can calculate the failure statistics for this circuit now. %Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for pt100) ??? %Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ???
%\clearpage %\clearpage
\subsection{Mean Time to Failure} \subsection{Mean Time to Failure}
@ -2487,14 +2497,14 @@ $$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$
As the test case are all different and are of the correct cardinalities (6 single faults and (15-3) double) As the test case are all different and are of the correct cardinalities (6 single faults and (15-3) double)
we can be confident that we have looked at all `double combinations' of the possible faults we can be confident that we have looked at all `double combinations' of the possible faults
in the pt100 circuit. The next task is to investigate in the Pt100 circuit. The next task is to investigate
these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.
\paragraph{Proof of Double Faults Hypothesis } \paragraph{Proof of Double Faults Hypothesis }
\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN } \paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN }
\label{pt100:bothfloating} \label{Pt100:bothfloating}
This double fault mode produces an interesting symptom. This double fault mode produces an interesting symptom.
Both sense lines are floating. Both sense lines are floating.
We cannot know what the {\adctw} readings on them will be. We cannot know what the {\adctw} readings on them will be.
@ -2613,7 +2623,7 @@ As a symptom $TC\_7$ could be described as $FLOATING$.
{ {
We can thus draw a PLD diagram representing the We can thus draw a PLD diagram representing the
failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures, failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures,
in figure \ref{fig:pt100_doublef}. in figure \ref{fig:Pt100_doublef}.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
@ -2633,13 +2643,13 @@ The Pt100 circuit again, can now be treated as a component in its own right, and
\ifthenelse{\boolean{pld}} \ifthenelse{\boolean{pld}}
{ {
It can now be represented as a PLD see figure \ref{fig:pt100_doublef}. It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/pt100_doublef.png} \includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png}
% pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194 % Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Double Faults Analysis} \caption{Pt100 Circuit Failure Modes : From Double Faults Analysis}
\label{fig:pt100_doublef} \label{fig:Pt100_doublef}
\end{figure} \end{figure}
} % \ifthenelse {\boolean{pld}} } % \ifthenelse {\boolean{pld}}
{ {

11
submission_thesis/mybib.bib
View File

@ -137,9 +137,18 @@
YEAR = "1992" YEAR = "1992"
} }
@BOOK{opmanage,
AUTHOR = "Roger Schroeder",
TITLE = "Operations Management: Contemporary Concepts and Cases ISBN: 978-0073403380",
PUBLISHER = "McGraw-Hill",
YEAR = "2010"
}
% Safeware: System safety and Computers
@BOOK{safeware, @BOOK{safeware,
AUTHOR = "Nancy Leveson", AUTHOR = "Nancy Leveson",
TITLE = "Safeware: System safety and Computers ISBN: 0-201-11972-2", TITLE = " Safeware: System safety and Computers ISBN: 0-201-11972-2",
PUBLISHER = "Addison-Wesley", PUBLISHER = "Addison-Wesley",
YEAR = "2005" YEAR = "2005"
} }

5
submission_thesis/style.tex
View File

@ -15,13 +15,14 @@
\setlength{\textwidth}{160mm} \setlength{\textheight}{220mm} \setlength{\textwidth}{160mm} \setlength{\textheight}{220mm}
\setlength{\oddsidemargin}{0mm} \setlength{\evensidemargin}{0mm} \setlength{\oddsidemargin}{0mm} \setlength{\evensidemargin}{0mm}
% %
\newcommand{\abslev}{\ensuremath{\alpha}}
\newcommand{\oc}{\ensuremath{^{o}{C}}} \newcommand{\oc}{\ensuremath{^{o}{C}}}
\newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}} \newcommand{\adctw}{{${\mathcal{ADC}}_{12}$}}
\newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}} \newcommand{\adcten}{{${\mathcal{ADC}}_{10}$}}
\newcommand{\ohms}[1]{\ensuremath{#1\Omega}} \newcommand{\ohms}[1]{\ensuremath{#1\Omega}}
\newcommand{\fm}{\em failure~mode} \newcommand{\fm}{\em failure~mode}
\newcommand{\fms}{\em failure~modes} \newcommand{\fms}{\em failure~modes}
\newcommand{\FG}{\ensuremath{\mathbb{G}}} \newcommand{\FG}{\ensuremath{{G}}}
\newcommand{\fg}{\em functional~group} \newcommand{\fg}{\em functional~group}
\newcommand{\fgs}{\em functional~groups} \newcommand{\fgs}{\em functional~groups}
\newcommand{\dc}{\em derived~component} \newcommand{\dc}{\em derived~component}
@ -35,7 +36,7 @@
\newcommand{\pic}{\em pair-wise~intersection~chain} \newcommand{\pic}{\em pair-wise~intersection~chain}
\newcommand{\wrt}{\em with~respect~to} \newcommand{\wrt}{\em with~respect~to}
\newcommand{\swf}{software~function} \newcommand{\swf}{software~function}
\newcommand{\abslevel}{\ensuremath{\Psi}} % DO NOT USE THIS ONE USE \abslev \newcommand{\abslevel}{\ensuremath{\Psi}}
\newcommand{\fmmdgloss}{\glossary{name={FMMD},description={Failure Mode Modular De-Composition, a bottom-up methodolgy for incrementally building failure mode models, using a procedure taking functional groups of components and creating derived components representing them, and in turn using the derived components to create higher level functional groups, and so on, that are used to build a failure mode model of a SYSTEM}}} \newcommand{\fmmdgloss}{\glossary{name={FMMD},description={Failure Mode Modular De-Composition, a bottom-up methodolgy for incrementally building failure mode models, using a procedure taking functional groups of components and creating derived components representing them, and in turn using the derived components to create higher level functional groups, and so on, that are used to build a failure mode model of a SYSTEM}}}
\newcommand{\fmodegloss}{\glossary{name={failure mode},description={The way in which a failure occurs. A component or sub-system may fail in a number of ways, and each of these is a \newcommand{\fmodegloss}{\glossary{name={failure mode},description={The way in which a failure occurs. A component or sub-system may fail in a number of ways, and each of these is a
failure mode of the component or sub-system}}} failure mode of the component or sub-system}}}

17
submission_thesis/titlepage/titlepage.tex
View File

@ -10,8 +10,17 @@
\vspace{2.15in} \vspace{2.15in}
{ \bf A proposed modularisation of Failure Mode Effects Analysis.} { \bf A methodology for the modularisation of Failure Mode Effects Analysis.}
\vspace{1.15in}
{
Modularising FMEA has benefits of rigor, re-usability of analysis
and the integration of hardware and software in failure effects modelling.
}
\vspace{1.15in} \vspace{1.15in}
{\LARGE \bf Brighton University } {\LARGE \bf Brighton University }
@ -22,10 +31,8 @@
\vspace{1.0in} \vspace{1.0in}
{\large Version 1.0 \today }
\vspace{0.2in} {\large Author : R.P. Clark - \today }
{\large Author : R.P. Clark - 2010 }
\end{center} \end{center}