diff --git a/introduction/introduction.tex b/introduction/introduction.tex index 7d53017..9ad54f6 100644 --- a/introduction/introduction.tex +++ b/introduction/introduction.tex @@ -207,7 +207,7 @@ Unlike a top~down analysis, we cannot miss a top level fault condition. In all safety critical real time systems the author has worked with all have repeated sections of hardware. for instance self checking digital inputs, analog inputs, sections of circuitry to -generate {\ft} loops, micro-processors with watchdog secondary +generate {\ft} loops, micro-processors with watchdog~\cite{embupsys}[pp.81] secondary circuity. In other words spending time on analysing these lower level sub-systems seems worthwhile, since they will be used in many designs, and are often @@ -699,7 +699,7 @@ can also exist. These can be checked for periodically. Software bugs are unpredictable. However there are techniques to validate software. -These include monitoring the program timings (with watchdogs and internal checking) +These include monitoring the program timings (with watchdogs~\cite{embupsys}[pp.81] and internal checking) applying validation checks (such as independent functions to validate correct operation). diff --git a/logic_diagram/logic_diagram.tex b/logic_diagram/logic_diagram.tex index 7855c29..7718510 100644 --- a/logic_diagram/logic_diagram.tex +++ b/logic_diagram/logic_diagram.tex @@ -85,6 +85,7 @@ for the analysis of safety critical software and hardware systems. { } + Propositional Logic Diagrams (PLDs) have been created to collect and simplfy fault~modes in safety critical systems undergoing static analysis.%\cite{sccs}\cite{en61508}. 
@@ -113,7 +114,7 @@ in a text editor or spreadsheet, a visual method is percieved as being more intu %in a PLD it means that the logical conditions represent disjuction; a boolean OR condition. %these points may be joined. -PLDs use three visual features that +PLDs use three visual features that can be combined to represent logic equations. Closed contours, test cases, and lines that link test cases. All features may be labelled, and the labels must be unique within a diagram, however contours may be repeated. @@ -446,6 +447,15 @@ Note that $P$ is considered to be an $SMG$ with one element, $ (a \wedge b) $ In failure analysis, this could be considered to be a functional~group with two failure states $a$ and $b$. The proposition $P$ considers the scenario where both failure~modes are active. +For base component level analysis, this would be considering two base component failures +simultaneously. At higher levels of failure mode abstraction, this could represent +sub-system failures, for instance two fuel shutdown safety valves failing to close. +% if paper +% more detail +% if chapter +% reference gas shutoff valve closure example +% + \clearpage \subsection { Logical XOR example } \begin{figure}[h] 
@@ -844,9 +854,13 @@ Some deterministic based safety standards are specifying that not only single component failure modes must be considered in analysis, but that the possibility of two component failing simultaneously must be considered. -EN298 states that if a burner controller is in `lock out' (i.e. has detected a fault +European Norm EN298~\cite{en298}[Sn.9] states that if a burner controller is in `lock out' (i.e. has detected a fault and has ordered a shutdown) a secondary fault cannot be allowed to put the equipement under control (the burner) into a dangerous state. -To cover this rigorously, we are bound to consider more than one fault being active at a time. +To cover this rigorously, we must consider all faults that can lead to a LOCKOUT condition +and then look for others that could put the system into a dangerous state after the LOCKOUT. +In practise, this would be a gigantic (as probably impossible task). +iWhat we can consider though, are all faults being double simultaneous in the FMMD +methodology, because we need only look for the double faults within each functional group. \paragraph{Covering Double faults in a PLD Diagram} Because we are allowed to repeat contours in a PLD diagram, we can arrange them in a matrix like configuration as in figure \ref{fig:doublesim}. diff --git a/mybib.bib b/mybib.bib index f1b5a7e..ce5d325 100644 --- a/mybib.bib +++ b/mybib.bib @@ -95,6 +95,12 @@ YEAR = "2002" } +@BOOK{embupsys, + TITLE = "Embedded Microprocessor Systems 3rd Edition ISBN 0-7506-75434-9", + AUTHOR = "Stuart R Ball", + PUBLISHER = "Newnes", + YEAR = "2002" +} @BOOK{alggraph, AUTHOR = "Alan Gibbons", diff --git a/pt100/pt100.tex b/pt100/pt100.tex index fe1e76c..3ea51e3 100644 --- a/pt100/pt100.tex +++ b/pt100/pt100.tex 
@@ -173,7 +173,8 @@ Where this occurs a circuit re-design is probably the only sensible course of ac The PT100 circuit consists of three resistors, two `current~supply' wires and two `sensor' wires. Resistors according to the European Standard EN298:2003~\cite{en298}[App.A] -, are considered to fail by either going OPEN or SHORT circuit. +, are considered to fail by either going OPEN or SHORT circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated, +and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}. %Should wires become disconnected these will have the same effect as %given resistors going open. For the purpose of this analyis; diff --git a/sw_model/sw_model.tex b/sw_model/sw_model.tex index 7315210..72da36c 100644 --- a/sw_model/sw_model.tex +++ b/sw_model/sw_model.tex @@ -142,7 +142,7 @@ These inputs and outputs connect to a process `bubble' representing the computing, or data transformation. -Data flow diagrams (DFDs) are directed graphs. +Data flow diagrams (DFDs) are directed graphs~\cite{embupsys}[pp.120]. The arcs represent data flow, and the bubbles represent procedures that transform data. A `bubble' can be further
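Review bot: In the introduction.tex hunk at line 207, the new `~\cite{embupsys}[pp.81]` is dropped between `watchdog` and `secondary circuity`, splitting the noun phrase; place the citation after `circuity` instead (and `circuity` in that line is a typo for `circuitry`). Separately, `\cite{embupsys}[pp.81]` puts the page reference in square brackets after the command, where LaTeX prints it as literal text rather than as part of the citation; the page belongs in the optional argument, `\cite[p.~81]{embupsys}`, with `p.` rather than `pp.` for a single page. The same bracket form is used by the new citations in the introduction.tex hunk at line 699 and the sw_model.tex hunk at line 142, and it matches the pre-existing `\cite{en298}[App.A]` in pt100.tex, so whichever style is chosen should be applied consistently.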
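Review bot: In the logic_diagram.tex hunk at line 113, finishing the sentence with `can be combined to represent logic equations.` leaves the unchanged next line, `Closed contours, test cases, and lines that link test cases.`, as a fragment with no verb; either end the new line with a colon or begin the next line with `These are`.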
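Review bot: In the logic_diagram.tex hunk at line 446, `this would be considering two base component failures simultaneously` reads awkwardly; suggest `this would mean considering two base component failures occurring simultaneously`. The added `% if paper` / `% if chapter` comment lines are unresolved placeholders; mark them with a TODO or resolve them before merging so the gas shutoff valve example reference is not forgotten.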
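Review bot: In the logic_diagram.tex hunk at line 844, the new paragraph has several defects: `iWhat` carries a stray leading `i` (an editor artefact), `In practise` should be `In practice`, and `a gigantic (as probably impossible task)` should read `a gigantic (and probably impossible) task`. The phrase `all faults being double simultaneous` is also unclear; suggest `What we can consider, though, are all double simultaneous faults within the FMMD methodology, since we need only look for double faults within each functional group.` The unchanged `equipement` in the sentence that now opens with `European Norm EN298` is a typo for `equipment` and could be fixed in the same edit.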
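Review bot: In the mybib.bib hunk, the new `embupsys` entry embeds the edition and ISBN in the TITLE field, so they will be typeset as part of the book title; move them to `EDITION = "3"` and an `ISBN` field. The ISBN as written, `0-7506-75434-9`, has eleven digits, which is neither a valid ISBN-10 nor ISBN-13 length, so the value should be checked against the book before it is cited.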
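Review bot: In the pt100.tex hunk at line 173, `ommitted` in the new footnote is a typo for `omitted`. The footnote describes EN298:2003 as requiring that components are `downrated`; `derated` is the usual term for that requirement and would read better. The new line still begins with the leading comma carried over from the previous line (`, are considered`), which should be moved to the end of the line above.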