From cc2fd46219f3fa530daf9a5a993165cd98977e5f Mon Sep 17 00:00:00 2001 From: Robin Date: Sat, 26 Jun 2010 12:59:11 +0100 Subject: [PATCH] edits in the morning --- fmmdset/fmmdset.tex | 43 +++++++++++++++++++++++++++------ logic_diagram/logic_diagram.tex | 9 +++---- 2 files changed, 40 insertions(+), 12 deletions(-) diff --git a/fmmdset/fmmdset.tex b/fmmdset/fmmdset.tex index b17ca4d..0eb31fc 100644 --- a/fmmdset/fmmdset.tex +++ b/fmmdset/fmmdset.tex @@ -129,10 +129,11 @@ at a higher abstraction level. \subsubsection{An algebraic notation for identifying FMMD enitities} Each component $C$ is a set of failure modes for the component. -We can define a function $\mathcal FM$ that returns the +We can define a function $FM$ that returns the set of failure modes $S$ for the component. -$$ \mathcal{FM}(C) \rightarrow S $$ +%$$ \mathcal{FM}(C) \rightarrow S $$ +$$ {FM}(C) \rightarrow S $$ We can indicate the abstraction level of a component by using a superscript. Thus for the component $C$, where it is a `base component' we can asign it @@ -182,11 +183,11 @@ $$ \bowtie( FG^0_1 ) = C^1_1 $$ to look at this analysis process in more detail. -By way of exqample applying $\mathcal{FM}$ to obtain the failure modes $f_N$ +By way of exqample applying ${FM}$ to obtain the failure modes $f_N$ - $$ \mathcal{FM}(C^0_1) = \{ f_1, f_2 \} $$ - $$ \mathcal{FM}(C^0_2) = \{ f_3, f_4, f_5 \} $$ + $$ {FM}(C^0_1) = \{ f_1, f_2 \} $$ + $$ {FM}(C^0_2) = \{ f_3, f_4, f_5 \} $$ The analyst now considers failure modes $f_{1..5}$ in the context of the functional group. @@ -196,7 +197,7 @@ We can now create a derived component $C^1_1$ with this set of failure modes. Thus: -$$ \mathcal{FM}(C^1_1) = \{ f_6, f_7, f_8 \} $$ +$$ {FM}(C^1_1) = \{ f_6, f_7, f_8 \} $$ We can represent this analysis process in a diagram see figure \ref{fig:onestage} 
@@ -452,8 +453,36 @@ simply be given a different index number and re-used. \subsection{ Multi Channel Safety Critical Systems } -Where a system has several independent parallel tasks, each one can be a separate hierarchy. +It is common in safety critical systems to use redundancy. +Two or sometimes three control systems will be assigned to the same process. +An arbittraion system, the arbiter, will decide which channel may control +the equipment. +Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy. +The FMMD trees for the channels can converge +up to a top hierarchy representing the arbiter (which is the sub-system that decides which control channels are valid). +This is commponly referred to as a multi-channel safety critical system. +Where there are 2 channels and one arbiter, the term 1oo2 is used (one out of two). +The Ericsson AXE telephone exchange hardware is a 1oo2 system, and the arbiter (the AMD) +can detect and switch control within on processor instruction. Should a hardware error +be detected,\footnote{or in a test plant environment more likely someone coming along and `borrowing' a cpu board from +your working exchange} the processor will side to the redundant side without breaking any telephone calls +or any being set up. An alarm will be raised to inform that this has happened, but the impact to +the 1oo2 system, is a one micro-processor instruction delay to the entire process. + +The premise here is that the arbiter should be able to determine which +of the two control channels is faulty and use the data/allow control from the non-faulty one. +1oo3 systems are common in highly critical systems. + +\paragraph{Fault mode mode of interfaces} +An advantage with FMMD in this case is that the interface between the channels and the +safety arbiter is not only defined functionally but as a failure model as well. 
+Thus failures in the interfacing between the safety arbiter and the +each channel is modelled. + +\paragraph{re-use of FMMD analysis} +Note that we can reuse the results from analysing one channel to model them all. +Identical channels will have the same high level failure modes. % \small % \bibliography{vmgbibliography,mybib} % \normalsize diff --git a/logic_diagram/logic_diagram.tex b/logic_diagram/logic_diagram.tex index 4b36bed..9adf610 100644 --- a/logic_diagram/logic_diagram.tex +++ b/logic_diagram/logic_diagram.tex @@ -501,9 +501,9 @@ It has three SMG's Q,R and P. Thus there are three ways in which this functional \vspace{0.3cm} \begin{tabular}{||c|c|l||} \hline \hline {\em $SMG$ } & {\em Failure Mode equation } & {\em comments } \\ \hline - Q & $(a)$ & T \\ \hline - P & $(b \oplus c)$ & T \\ \hline - R & $(b \wedge c)$ & F \\ \hline + Q & $(a)$ & Symptom Q is active when fault mode `a` is \\ \hline + P & $(b \wedge c)$ & Symptom P is active when `$b \wedge a$' is \\ \hline + R & $(b \oplus c)$ & Symptom R is active when either `b' or `c' is \\ \hline % T & T & T \\ \hline \hline \end{tabular} \vspace{0.3cm} @@ -831,8 +831,7 @@ volcanic ash intake, affecting all engines. Obviously the symptom of this multiple failure would be loss of propulsion and more importantly the loss of ability to maintain altitude. % and maybe even the APU ! -The test case AFE provides the system modeller to introduce this -possibility into the design. +The test case AFE represents the condition where all four engines have failed. \begin{figure}[h] \centering \includegraphics[width=400pt,bb=0 0 349 236,keepaspectratio=true]{logic_diagram/allfourengines.jpg}
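Review bot: In the fmmdset.tex hunk at line 129, `+$$ {FM}(C) \rightarrow S $$` wraps FM in redundant braces and leaves it in math italics, so it typesets as the product of the variables F and M rather than as a named function; use `$\mathrm{FM}(C) \rightarrow S$`, or define `\newcommand{\FM}{\operatorname{FM}}` once so the later hunks stay consistent. The retained `%$$ \mathcal{FM}(C) \rightarrow S $$` should be deleted rather than kept as commented-out markup, and the context lines carry the typos "enitities" and "asign" that are worth fixing while this section is being edited.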
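Review bot: The rewritten line `+By way of exqample applying ${FM}$ to obtain the failure modes $f_N$` in the hunk at line 182 keeps the typo "exqample" and is missing the comma after it; since the line is already being modified, correct it to "By way of example, applying $\mathrm{FM}$ to obtain the failure modes $f_N$". The two display equations in the same hunk have the same redundant `{FM}` braces as the earlier hunk.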
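Review bot: The added multi-channel text in the hunk at line 452 has several spelling and grammar slips that should be fixed before merge: "arbittraion" (arbitration), "commponly" (commonly), "within on processor instruction" (one), "the processor will side to the redundant side" (switch to), the stray comma in "the 1oo2 system, is a one micro-processor instruction delay", "the each channel is modelled" (each channel are modelled), and the paragraph title "Fault mode mode of interfaces" doubles "mode". "AMD" is introduced as the name of the arbiter without expansion; spell out the acronym on first use. The `\footnote{...}` is also placed before the comma in "be detected,\footnote{...}"; LaTeX convention puts the footnote after the punctuation.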
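Review bot: In the SMG table of logic_diagram.tex at line 501, the comment column for P contradicts its equation: the equation is `$(b \wedge c)$` but the comment reads "Symptom P is active when `$b \wedge a$' is", so the comment should say `$b \wedge c$`. Quoting is inconsistent across the three rows (`a`, `$b \wedge a$', `b' or `c'); use LaTeX `...' quotes throughout, and the Q and P comments end in a dangling "is" that reads better as "is present".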