Edits from notes in notebook
This commit is contained in:
parent
5f34b2c6e1
commit
c066ba127e
@ -207,7 +207,7 @@ Unlike a top~down analysis, we cannot miss a top level fault condition.
|
||||
In all safety critical real time systems the author has worked with
|
||||
all have repeated sections of hardware.
|
||||
for instance self checking digital inputs, analog inputs, sections of circuitry to
|
||||
generate {\ft} loops, micro-processors with watchdog secondary
|
||||
generate {\ft} loops, micro-processors with watchdog~\cite{embupsys}[pp.81] secondary
|
||||
circuity.
|
||||
In other words spending time on analysing these lower level sub-systems
|
||||
seems worthwhile, since they will be used in many designs, and are often
|
||||
@ -699,7 +699,7 @@ can also exist.
|
||||
These can be checked for periodically.
|
||||
Software bugs are unpredictable.
|
||||
However there are techniques to validate software.
|
||||
These include monitoring the program timings (with watchdogs and internal checking)
|
||||
These include monitoring the program timings (with watchdogs~\cite{embupsys}[pp.81] and internal checking)
|
||||
applying validation checks (such as independent functions to validate correct operation).
|
||||
|
||||
|
||||
|
||||
@ -85,6 +85,7 @@ for the analysis of safety critical software and hardware systems.
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
Propositional Logic Diagrams (PLDs) have been created
|
||||
to collect and simplfy fault~modes in safety critical systems undergoing
|
||||
static analysis.%\cite{sccs}\cite{en61508}.
|
||||
@ -113,7 +114,7 @@ in a text editor or spreadsheet, a visual method is percieved as being more intu
|
||||
%in a PLD it means that the logical conditions represent disjuction; a boolean OR condition.
|
||||
%these points may be joined.
|
||||
|
||||
PLDs use three visual features that
|
||||
PLDs use three visual features that
|
||||
can be combined to represent logic equations. Closed contours, test cases, and lines that
|
||||
link test cases.
|
||||
All features may be labelled, and the labels must be unique within a diagram, however contours may be repeated.
|
||||
@ -446,6 +447,15 @@ Note that $P$ is considered to be an $SMG$ with one element, $ (a \wedge b) $
|
||||
In failure analysis, this could be considered to be a functional~group with two failure states $a$ and $b$.
|
||||
The proposition $P$ considers the scenario where both failure~modes are active.
|
||||
|
||||
For base component level analysis, this would be considering two base component failures
|
||||
simultaneously. At higher levels of failure mode abstraction, this could represent
|
||||
sub-system failures, for instance two fuel shutdown safety valves failing to close.
|
||||
% if paper
|
||||
% more detail
|
||||
% if chapter
|
||||
% reference gas shutoff valve closure example
|
||||
%
|
||||
|
||||
\clearpage
|
||||
\subsection { Logical XOR example }
|
||||
\begin{figure}[h]
|
||||
@ -844,9 +854,13 @@ Some deterministic based safety standards are specifying
|
||||
that not only single component failure modes must be considered in
|
||||
analysis, but that the possibility of two component failing
|
||||
simultaneously must be considered.
|
||||
EN298 states that if a burner controller is in `lock out' (i.e. has detected a fault
|
||||
European Norm EN298~\cite{en298}[Sn.9] states that if a burner controller is in `lock out' (i.e. has detected a fault
|
||||
and has ordered a shutdown) a secondary fault cannot be allowed to put the equipement under control (the burner) into a dangerous state.
|
||||
To cover this rigorously, we are bound to consider more than one fault being active at a time.
|
||||
To cover this rigorously, we must consider all faults that can lead to a LOCKOUT condition
|
||||
and then look for others that could put the system into a dangerous state after the LOCKOUT.
|
||||
In practise, this would be a gigantic (as probably impossible task).
|
||||
iWhat we can consider though, are all faults being double simultaneous in the FMMD
|
||||
methodology, because we need only look for the double faults within each functional group.
|
||||
\paragraph{Covering Double faults in a PLD Diagram}
|
||||
Because we are allowed to repeat contours in a PLD diagram,
|
||||
we can arrange them in a matrix like configuration as in figure \ref{fig:doublesim}.
|
||||
|
||||
@ -95,6 +95,12 @@
|
||||
YEAR = "2002"
|
||||
}
|
||||
|
||||
@BOOK{embupsys,
|
||||
TITLE = "Embedded Microprocessor Systems 3rd Edition ISBN 0-7506-75434-9",
|
||||
AUTHOR = "Stuart R Ball",
|
||||
PUBLISHER = "Newnes",
|
||||
YEAR = "2002"
|
||||
}
|
||||
|
||||
@BOOK{alggraph,
|
||||
AUTHOR = "Alan Gibbons",
|
||||
|
||||
@ -173,7 +173,8 @@ Where this occurs a circuit re-design is probably the only sensible course of ac
|
||||
The PT100 circuit consists of three resistors, two `current~supply'
|
||||
wires and two `sensor' wires.
|
||||
Resistors according to the European Standard EN298:2003~\cite{en298}[App.A]
|
||||
, are considered to fail by either going OPEN or SHORT circuit.
|
||||
, are considered to fail by either going OPEN or SHORT circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
|
||||
and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
|
||||
%Should wires become disconnected these will have the same effect as
|
||||
%given resistors going open.
|
||||
For the purpose of this analyis;
|
||||
|
||||
@ -142,7 +142,7 @@ These inputs and outputs connect to a process `bubble'
|
||||
representing the computing, or data transformation.
|
||||
|
||||
|
||||
Data flow diagrams (DFDs) are directed graphs.
|
||||
Data flow diagrams (DFDs) are directed graphs~\cite{embupsys}[pp.120].
|
||||
The arcs represent data flow, and the bubbles
|
||||
represent procedures that transform data.
|
||||
A `bubble' can be further
|
||||
|
||||
Loading…
Reference in New Issue
Block a user