diff --git a/mybib.bib b/mybib.bib
index be0a707..ee0b4d1 100644
--- a/mybib.bib
+++ b/mybib.bib
@@ -1136,6 +1136,13 @@ ISSN={0098-5589},}
 year = "1994"
 }
 
+@MISC{tisallenkey,
+ author="Texas Instruments",
+ title = "Analysis of the Sallen Key architecture: Application report",
+ howpublished = "Available from http://www.ti.com/lit/an/sloa024b/sloa024b.pdf",
+ year="2002"
+}
+
 @MISC{challenger,
 author = "U.S. Presidential Commission",
 title = "Report of the SpaceShuttle Challanger Accident",
diff --git a/submission_thesis/CH2_FMEA/copy.tex b/submission_thesis/CH2_FMEA/copy.tex
index 9c2e7f8..7a627a3 100644
--- a/submission_thesis/CH2_FMEA/copy.tex
+++ b/submission_thesis/CH2_FMEA/copy.tex
@@ -72,7 +72,7 @@ and in a given environment.
 An `O' ring for instance can fail by leaking but if fitted to a water seal on a garden hose, the system level failure %is a
 would be a slight leak at the tap. % outside the house.
 %
-Applied to the rocket engine on a space shuttle that same 'O' ring failure mode
+Applied to the rocket engine on a space shuttle an 'O' ring failure
 could cause a catastrophic fire and destruction of the spacecraft and occupants~\cite{challenger}.
 %
 At a lower level, consider a resistor and capacitor forming a potential divider to ground.
@@ -113,7 +113,7 @@ is shown in figure~\ref{fig:component_fm_rel}.
 The next stage is analysis, that is reasoning applied to the system
 in the event of a given failure mode.
 %
-To perform how a failure
+To analyse how a failure
 mode, after considering its effect on other components in the system,
 will translate to a system level symptom/failure.
 %
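Review bot: The new `tisallenkey` entry embeds the PDF address as free text inside `howpublished`, so the bibliography style will print it unlinked and unable to break at the slashes. Wrap it in `\url{}` and keep the TI literature number, which is the stable identifier for the document: `howpublished = "Application report SLOA024B, \url{http://www.ti.com/lit/an/sloa024b/sloa024b.pdf}"`. Recording the access date in a `note` field is also usual for a bare web link.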
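Review bot: The rewritten sentence keeps straight quotes in `'O' ring`, which typeset as two closing quotes, while the sentence two lines above uses the LaTeX form `` `O' ring ``; the new line should read `Applied to the rocket engine on a space shuttle an `O' ring failure`. The rewrite also drops "that same ... failure mode", which was the link back to the garden-hose leak example, so the paragraph's point that one component failure mode has different system-level effects in different contexts is weakened; "the same `O' ring failure mode" would preserve it.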
@@ -251,7 +251,7 @@ their relationship to particular standards is presented below. Two common electrical components are used as examples, and examined against two sources of {\fm} information. % define their failure mode behaviour. % -These definitions for a given generic component may not always agree. +Failure mode definitions for a given generic component may not always agree. % The reasons why, some {\fms} can be found in one source, but not in the others and vice versa, are discussed. @@ -429,9 +429,9 @@ investigations. \fmmdglossOPAMP The symptom for this is given as a low slew rate. % -Slew rate for a circuit/component is the rate at which it changes an output voltage level (i.e. $\frac{\delta V}{\delta t} $). +Slew rate for a circuit/component is the maximum rate at which it can change an output voltage level (i.e. $\frac{\delta V}{\delta t} $). % -This means that the op-amp will not react quickly to changes on its input terminals. +A low slew rate will mean that the op-amp will not react quickly to changes on its input terminals. % % This is a failure symptom that may not be of concern in a slow responding system like an @@ -441,7 +441,7 @@ This failure cause can be mapped to a symptomatic {\fm} called $LOW\_SLEW$. \paragraph{No Operation - over stress.} Here the OP-Amp has been damaged, and the output may be held HIGH or LOW, or may be -effectively tri-stated, i.e. not able to drive circuitry in along the next stages of +effectively tri-stated, i.e. not able to drive circuitry along the next stages of the signal path: this {\fm} is termed NOOP (no Operation). % This failure cause thus maps to three {\fms}, $LOW$, $HIGH$, $NOOP$. 
@@ -494,7 +494,7 @@ $LOW\_SLEW$. \caption{LM358: EN298 Open and shorted pin failure symptom determination technique} \begin{tabular}{|| l | l | c | c | l ||} \hline %\textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\ - \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\ + \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{FMEA component} \\ \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\ \hline @@ -734,7 +734,8 @@ the circuit behaviour is measured in finer granularity, % With this style of fault finding, because it is based on experiment, hopping from module to module eliminating working ones, until -failure is found~\cite{maikowski}, is effective. +failure is found~\cite{maikowski}, it is efficient in terms of +concentrating effort. % The rationale and work-culture of those tasked to perform FMEA are generally personnel who have performed fault finding~\cite{cbds}[p.97]. @@ -812,7 +813,7 @@ From a large system perspective, it may be found that {\bc} {\fms} may have more than one possible system event associated with them. % Often there will be a clear one to one mapping, but -probabilities to failure (as used in FMECA) +probabilities to failure (as used in FMECA, see section~\ref{sec:FMECA}) could mean one ({\fm}) too many (system level symptoms). % mapping. % \paragraph{Use of Markov chains to model failure modes.} @@ -1094,7 +1095,7 @@ Where $RD_{double}$ is the reasoning~distance for double failure scenarios: \end{equation} % For a theoretical system with 100 components and a fixed 3 failure modes each, this gives reasoning distance of -$100*99*98*3=2,910,600$. % failure mode scenarios. +$100 \times 99 \times 98 \times 3 = 2,910,600$. % failure mode scenarios. % In practise there is an additional complication here, that of the circuit topology changes that {\fms} can cause. 
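Review bot: `$100 \times 99 \times 98 \times 3 = 2,910,600$` puts thousands separators inside math mode, where a comma is a punctuation symbol followed by a thin space, so the result prints as "2, 910, 600". Write `2{,}910{,}600` (or `\num{2910600}` if siunitx is loaded). Since this hunk switches `*` to `\times`, note that the Pt100 tolerance equations in CH5 still use `*` in display math; the same convention should be applied there.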
@@ -1177,7 +1178,8 @@ An example PFMEA report is presented in table~\ref{tbl:pfmeareport}. \section{FMECA - Failure Modes Effects and Criticality Analysis} - \fmmdglossFMECA +\fmmdglossFMECA +\label{sec:FMECA} \paragraph{ FMECA - Failure Modes Effects and Criticality Analysis.} % \begin{figure} % \centering diff --git a/submission_thesis/CH3_FMEA_criticism/copy.tex b/submission_thesis/CH3_FMEA_criticism/copy.tex index 86cbb1c..da672dd 100644 --- a/submission_thesis/CH3_FMEA_criticism/copy.tex +++ b/submission_thesis/CH3_FMEA_criticism/copy.tex @@ -91,7 +91,7 @@ This means that the reasoning involved in determining the system level failure/s Ideally supporting documentation would give the reasoning and calculations behind each analysis case, but the structure of current FMEA reports does not encourage this. % -\paragraph{Re-use of FMEA analysis} +\paragraph{Re-use of FMEA analysis.} % Given the {\bc} {\fm} to system level failure mode paradigm it is difficult to re-use FMEA analysis. @@ -207,8 +207,8 @@ A small group of components performing a well defined function is termed a `{\fg}'. % Potentially, using {\fgs}, is a way of de-composing -the problem and reducing the $O(N^2)$ state explosion effect -associated with XFMEA. +the problem and reducing the $O(N^2)$---see equation~\ref{eqn:fmea_single}---state explosion effect associated with XFMEA. +% \fmmdglossSTATEEX % That is if the analysis problem can be broken into smaller steps, involving 
@@ -234,11 +234,12 @@ It is therefore desirable to reduce this order further. \section{Software and FMEA} Traditional FMEA deals only with electrical and mechanical components, i.e. it does not have provision for software. +% Modern control systems nearly always have a significant software/firmware element, and not being able to model software with current FMEA methodologies is a cause for criticism~\cite{safeware}[Ch.12]. % -Some techniques apply blanket estimates for a given software implementation, based +Some techniques apply blanket estimates for a given software implementation~\cite{safeware}[pp.156-9], based on the verification techniques applied in its testing, to aid calculation of system level reliability statistics~\cite{5492693}. %Even the traditionally conservative nuclear industry is now 
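Review bot: The added locator `\cite{safeware}[pp.156-9]` uses a hyphen for a page range; ranges take an en dash and the abbreviation should not end a line, so `[pp.~156--9]`. The file's `\cite{key}[p.N]` convention places the locator after the citation as plain text, which prints as two adjacent bracketed items; if natbib or biblatex is in use, `\cite[pp.~156--9]{safeware}` puts the page range inside the citation bracket instead.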
@@ -339,24 +340,29 @@ a master controller. % Most modern cars follow this information technology pattern and use CANbus~\cite{canspec,can}. % -For instance, in a modern car there will be no mechanical linkage from the pedal to the engine, instead the throttle pedal -will be linked to a sensor to determine how -far the pedal is pressed. +For instance, in a modern car there will be no mechanical linkage from the throttle pedal to the engine, instead the pedal +will be linked to a sensor to determine how far down it is pressed. % -This sensor will be read by a micro-controller, and passed, via CANbus, to the Engine Control Unit (ECU) +This sensor will be read by a micro-controller, and values passed via CANbus, to the Engine Control Unit (ECU) which will use that information (along with information from other sensors) to adjust the power required from the engine. % This adjustment could be direct, or could be another CANbus message passed to a micro-controller regulating engine function. % In terms of FMEA, see figure~\ref{fig:distcon}, our reasoning path spans (at least) four interface layers of electronics to software. % -Traditional FMEA does not cater for the software hardware interface, and this leads to the additional complications -%with the additional complications -of the communications protocol used to transmit data and the failure mode characteristics -of the communications physical layer. +Traditional FMEA does not cater for the software hardware interface and using +a distributed system means the signal path will +cross several hardware/software interfaces\footnote{The complications of introducing a +communications protocol and the failure mode characteristics of the communications +physical~layer must also be considered in a distributed system.}. +%of the communications physical layer.. % -This means the signal path will -cross several hardware/software interfaces. 
+%, and this leads on to the additional complications +%with the additional complications +%of the communications protocol used to transmit data and the failure mode characteristics +%of the communications physical layer. +% + % \fmmdglossSIGPATH %(figure~\ref{fig:distcon} @@ -402,7 +408,7 @@ A summary of deficiencies in current FMEA methodologies is listed below: Traditional forms of FMEA are no longer % fit for purpose! of meaningful use for complex modern systems especially those incorporating programmatic elements. They were designed to analyse simple electro-mechanical systems -and even common place large analogue circuits (that are usually physically small), are +and even common place high component count analogue circuits (that are usually surface mount and therefore physically small), are getting too complicated for meaningful analysis using FMEA. % % diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex index c9b0db3..3688577 100644 --- a/submission_thesis/CH4_FMMD/copy.tex +++ b/submission_thesis/CH4_FMMD/copy.tex @@ -98,7 +98,7 @@ at the top of the hierarchy. The failure modes of the final or top {\dc} are the failure modes of the system under investigation. % -That is, the traditional FMEA process has be taken and modularised from the bottom-up. +That is, the traditional FMEA process has been taken and modularised from the bottom-up. %piss break down each stage of reasoning %into small manageable groups, and use the failure mode behaviour from them to create {\dcs} %to build higher level groups. 
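Review bot: In the rewritten paragraph the footnote mark is attached before the full stop (`interfaces\footnote{...}.`); the convention is `interfaces.\footnote{...}`. In the same sentence "software hardware interface" should be "software/hardware interface" to match the "hardware/software interfaces" used a few words later and the `\fmmdglossSIGPATH` text. The protocol and physical-layer failure characteristics were body text before this change and are now only in the footnote; since that is a substantive criticism of FMEA rather than an aside, consider keeping one sentence about it in the body. The enclosing section continues past this hunk.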
@@ -107,8 +107,8 @@ In this way FMEA is applied incrementally to an entire system. %, with document \fmmdgloss % This has advantages of concentrating -effort in where modules interact (interfaces), of -being able to re-use work and savings in the complexity of performing +effort where modules interact (interfaces), +of being able to re-use work and savings in the complexity of performing FMEA (because the analysis is typically performed in several small stages thus avoiding state explosion). %A notation is then described to index and classify objects created in FMMD hierarchical models. @@ -117,10 +117,8 @@ thus avoiding state explosion). \section{Worked Example: Non-Inverting Amplifier} \label{sec:noninvamp} -%% here bring in sys safety paper from 2011 -%% -%% GARK BEGIN - +% +% The principles of FMMD are demonstrated, by using it to analyse a common circuit, the non-inverting amplifier built from an op amp~\cite{aoe}[p.234] and two resistors; a circuit schematic for this is shown in figure \ref{fig:noninvamp}. @@ -960,11 +958,11 @@ starting where possible with known base~component failure~modes. % % An advantage of working from the bottom up is that it can be ensured that -all component failure modes must be considered. +all component failure modes have been considered. % A top down approach (such as FTA) can miss~\cite{faa}[Ch.~9] individual failure modes of components, -especially where there are non-obvious top-level faults. +especially where there are non-obvious or unexpected top-level failures. % \fmmdglossFTA % @@ -979,7 +977,7 @@ and collecting symptoms of failure, is termed `symptom abstraction'. % \fmmdglossSA % -This is dealt with in detail using an algorithmic description, in appendix \ref{sec:algorithmfmmd}. +This is examined using an algorithmic description, in appendix \ref{sec:algorithmfmmd}. \fmmdglossFG \fmmdglossDC % % define difference between a \fg and a \dc 
@@ -1025,7 +1023,7 @@ A {\fg} will only be associated with one {\dc} and is given a one to one relatio % Each {\fg} will have one analysis report associated with it. % -The UML representation (in figure \ref{fig:cfg}) shows a `{\fg}' having a one to one relationship with a derived~component. +The UML representation is shown in figure \ref{fig:cfg}. %) shows a `{\fg}' having a one to one relationship with a derived~component. % % %%% FORMAL DEF SLIGHTLY OUT OF PLACE HERE ---- J.HOWSE @@ -1128,7 +1126,7 @@ Also a detailed cause and effect model is useful for creating diagnostic schema -\paragraph{Keeping track of the derived components position in the hierarchy} +\paragraph{Keeping track of the derived components position in the hierarchy.} \label{sec:alpha} The UML meta model in figure \ref{fig:cfg}, shows the relationships between the entities used in FMMD. @@ -1146,7 +1144,7 @@ derivation %`$\derivec$' have led to the current derived component) we can add an attribute to the component data type. % -This can be a natural number called the level variable $\abslev \in \mathbb{N}$. +This can be a natural number called the level variable $\abslev \in \mathbb{N}_{0}$. % J. Howse says zero is a given in comp sci. This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$. The $\abslev$ level variable in each component, indicates the position in the hierarchy. Base components diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index 2d653dc..4b6d4f2 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex 
@@ -91,6 +91,7 @@ and then combining it with the OPAMP failure mode model. The second is to place all three components in one {\fg}. Both approaches are followed in the next two sub-sections. % +\clearpage \subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}} % Ideally the {\dcs} from the $PD$ from section~\ref{subsec:potdiv} would be re-used; on initial inspection it %at first glance, @@ -205,7 +206,7 @@ by forming a {\fg} with the OpAmp and the new {\dc} $IPD$. \end{table} % % -\clearpage +%\clearpage %%This gives the same results as the analysis from figure~\ref{fig:invampanalysis}. % % @@ -345,6 +346,7 @@ This concern is re-visited in the differencing amplifier example in the next sec % maybe do an ac amplifier later at some stage. % \begin{table}[h+] +\centering \caption{Inverting Amplifier: Single failure analysis: 3 components} \begin{tabular}{|| l | l | c | c | l ||} \hline %\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline @@ -635,7 +637,7 @@ for the second stage \end{figure} -\paragraph{First Order Low Pass Filter.} +\subsection{First Order Low Pass Filter} \label{sec:lp} % WEEEE ECUNT Starting with the first order low pass filter formed by $R10$ and $C10$. @@ -691,7 +693,7 @@ called $FirstOrderLP$. % Applying the $fm$ function yields: $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$ % -\paragraph{Addition of Buffer Amplifier: First stage.} +\subsection{Addition of Buffer Amplifier: First stage} % The op-amp IC1 is being used simply as a buffer. \fmmdglossOPAMP @@ -744,7 +746,7 @@ In terms of the circuit, the {\fgs} $FirstOrderLP$, and $LP1$ have been modelled. % These can be represented on the circuit diagram by drawing contours around the components -on the schematic as in figure~\ref{fig:circuit2002_LP1}. +on the schematic in figure~\ref{fig:circuit2002_LP1}. \begin{figure}[h] \centering 
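Review bot: The table that gains `\centering` in this hunk is declared `\begin{table}[h+]`; `+` is not a float placement character and the LaTeX kernel reports "Unknown float option `+'" for it, so the placement should be `[ht]` or `[htbp]`. The `\clearpage` that this change moves in front of `\subsection{First Approach ...}` (and the one added before the `FivePoleLP` paragraph) is a manual float flush; with `[htbp]` placement it is usually unnecessary and can leave half-empty pages if the surrounding text changes.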
@@ -756,8 +758,12 @@ on the schematic as in figure~\ref{fig:circuit2002_LP1}. \end{figure} -\paragraph{Second order Sallen Key Low Pass Filter.} -The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3. +\subsection{Second order Sallen Key Low Pass Filter} +% +The next two filters in the signal path are the component groups R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3. +% +These are Sallen Key low pass filters~\cite{tisallenkey}. +% From a failure mode perspective these are identical. % The first one can be analysed (see table~\ref{tbl:sallenkeylp}) and then these @@ -801,7 +807,7 @@ A derived component is created to represent the Sallen Key low pass filter, call $$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal . \} $$ % % -\paragraph{A failure mode model of Op-Amp Circuit 2.} +\subsection{A failure mode model of Op-Amp Circuit 2} % A {\dcs} representing the three stages of this filter is created following the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}). @@ -895,6 +901,7 @@ The FMMD hierarchy is shown in figure~\ref{fig:circuit2h}. \label{tbl:fivepole} \end{table} % +\clearpage % A {\dc} is created to represent the circuit in figure~\ref{fig:circuit2}, called $FivePoleLP$: applying the $fm$ function (see table~\ref{tbl:fivepole}) @@ -917,10 +924,14 @@ It is not surprising therefore that they have very similar failure modes. From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$ could be easily detected; the failure symptom $FilterIncorrect$ is not detectable. % +%\clearpage \subsection{Conclusion} This example shows the analysis of a linear signal path circuit with three easily identifiable {\fgs} and re-use of the Sallen-Key {\dc}. % +% +% +% \clearpage % \section{Quad Op-Amp Oscillator} 
@@ -1042,7 +1053,7 @@ the {\fg} for this analysis can be expressed thus: % %$$ G^1_0 = \{ PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} ,$$ $$ G = \{ PHS45_1, NIBUFF_1, PHS45_2, NIBUFF_2, PHS45_3, NIBUFF_3, PHS45_4, INVAMP \} ,$$ -or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}. +or in Euler diagram format in figure~\ref{fig:bubbaeuler1}. % HTR 23SEP2012 \begin{figure}[h+] % HTR 23SEP2012 \centering % HTR 23SEP2012 \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png} @@ -1114,7 +1125,7 @@ It should be possible to determine smaller {\fgs} and refine the model further. \paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator.} % The pre-analysed $NIBUFF$ and $PHS45$ -{\dcs} are used to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the +{\dcs} are used to form a {\fg}, analysed in appendix~\ref{tbl:buff45}, giving the {\dc} $BUFF45$. % %Thus, @@ -1129,7 +1140,7 @@ Together these apply a $135^{\circ}$ phase shift to the signal. This property is used to model a higher level {\dc}, that of a $135^{\circ}$ phase shifter. % The three $BUFF45$ {\dcs} form a -{\fg} which is analysed in table~\ref{tbl:phs135buffered}. +{\fg} which is analysed in appendix~\ref{tbl:phs135buffered}. % The result of this analysis is the {\dc} $PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter. @@ -1140,7 +1151,7 @@ $PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shift A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.}, form a {\fg} -providing an amplified $225^{\circ}$ phase shift, analysed in table~\ref{tbl:phs225amp} +providing an amplified $225^{\circ}$ phase shift, analysed in appendix~\ref{tbl:phs225amp} resulting in the {\dc} $PHS225AMP$. % Applying FMMD the {\dc} $PHS225AMP$ is created with the following failure modes: 
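Review bot: Changing `table~\ref{tbl:buff45}` to `appendix~\ref{tbl:buff45}` (and likewise for `tbl:phs135buffered` and `tbl:phs225amp`) leaves `\ref` resolving a table label, so the text will read "appendix 5.12" with a table number rather than an appendix identifier. Either keep the table reference and add the appendix one, e.g. `table~\ref{tbl:buff45} in appendix~\ref{<appendix label>}`, or reference a label on the appendix section itself. The appendix's label is not visible in this diff, so the exact key needs confirming.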
@@ -1198,7 +1209,8 @@ $$ % This has meant a drastic reduction in the number of failure-modes to check against components. %It has %also This more decomposed approach has -given us five {\dcs}, building blocks, which could % +given us five {\dcs}, %building blocks, +which could % potentially be re-used in other projects. %potentially be re-used for similar circuitry %to analyse in the future. @@ -1291,7 +1303,9 @@ and fed to the D type flip flop. % % The output of the flip flop is routed to the digital output and to the feedback loop. -It must be level converted, i.e. from digital logic voltage levels to analogue levels, before being fed to the analogue feedback. +% +It must be level converted, i.e. from digital logic voltage levels to analogue levels, before being fed to the analogue feedback/integrator. +% It is level converted to an analogue signal by IC3---i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage--- and fed into the summing integrator completing the negative feedback loop. % @@ -1333,7 +1347,7 @@ A CLOCK signal is required for the \sd. % For the purpose of example one failure mode is assigned to this, that it might stop. -The failure modes of the CLOCK, is stated thus: +The failure mode of the CLOCK, is stated thus: % $$ fm ( CLOCK ) = \{ STOPPED \}. $$ @@ -1536,7 +1550,7 @@ $$ FG = \{ FFB , BISJ \} .$$ The buffered {\sd} circuit is analysed using FMMD (see appendix~\ref{detail:SDADC}) giving a {\dc} $SDADC$ which provides a failure mode model for the \sd: -$$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\} . $$ +$$fm(SDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\} . $$ The {\dc} hierarchy is shown in figure~\ref{fig:eulersdfinal}. % \begin{figure}[h] @@ -1581,7 +1595,7 @@ This leads onto interfacing to software and digital~systems in the next chapter. % % -%\clearpage +\clearpage \section{Pt100 Analysis: FMMD and Double Failure Mode Analysis} \label{sec:Pt100} { 
@@ -1611,38 +1625,13 @@ It is analysed for both single and double failures, in addition it demonstrates FMMD coping with component parameter tolerances. % The circuit is described from a conventional safety perspective and then analysed using the FMMD methodology. - - -%A derived component, representing this circuit is then presented. - - +% +%A derived component, representing this circuit is then present The Pt100, or platinum wire \ohms{100} sensor is a widely used industrial temperature sensor that is slowly replacing the use of thermocouples in many industrial applications below 600\oc, due to high accuracy\cite{aoe}. % -%This section looks at the most common configuration, the -%four wire circuit, and analyses it from an FMEA perspective twice. -%FMMD is performed twice on this circuit -%firstly considering single faults only -%(cardinality constrained powerset of 1) -%and secondly, considering the -%possibility of double faults. % (cardinality constrained powerset of 2). -% -% \ifthenelse {\boolean{pld}} -% { -% The section is performed using Propositional Logic -% diagrams to assist the reasoning process. -% } -% { -% } -% -% This chapter describes taking -% the failure modes of the components, analysing the circuit using FMEA -% and producing a failure mode model for the circuit as a whole. -% Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed -% from an FMEA perspective as a component itself, with a set of known failure modes. -% } % \begin{figure}[h] \centering 
@@ -1662,9 +1651,9 @@ By measuring voltages from sections of this circuit forming potential dividers, the resistance of the platinum wire sensor can be determined. % -The resistance -of this is directly related to temperature, and may be determined by -look-up tables~\cite{eurothermtables} or a suitable polynomial expression. +%The resistance +%of this is directly related to temperature, and may be determined by +%look-up tables~\cite{eurothermtables} or a suitable polynomial expression. % % \begin{figure}[h] @@ -1677,7 +1666,7 @@ look-up tables~\cite{eurothermtables} or a suitable polynomial expression. % % The voltage ranges expected from this three stage potential divider\footnote{Two stages are required -for validation, a third stage is used to measure the current flowing +for validation, a third stage is necessary to measure the current flowing through the circuit to obtain accurate temperature readings.} are shown in figure \ref{fig:Pt100vrange}. % @@ -1691,8 +1680,8 @@ and the higher as {\em sense+}. \paragraph{Accuracy despite variable resistance in cables.} -For electronic and accuracy reasons, a four wire circuit is preferred -because of resistance in the cables. +%For electronic and accuracy reasons, a four wire circuit is preferred +%because of resistance in the cables. % Resistance from the supply causes a slight voltage @@ -1713,8 +1702,8 @@ through the circuit and knowing the voltage drop over the $Pt100$, its resistance is calculated by Ohms law $V=I.R$, $R=\frac{V}{I}$. % -Thus a little loss of supply voltage due to resistance in the cables -does not impinge on accuracy. +%Thus a little loss of supply voltage due to resistance in the cables +%does not impinge on accuracy. % The resistance to temperature conversion is achieved through the published $Pt100$ tables\cite{eurothermtables}. 
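Review bot: Commenting out both "For electronic and accuracy reasons, a four wire circuit is preferred because of resistance in the cables." and "Thus a little loss of supply voltage ... does not impinge on accuracy." removes the opening and closing sentences of the `\paragraph{Accuracy despite variable resistance in cables.}` block, which now begins mid-argument at "Resistance from the supply causes a slight voltage ...". If the four-wire justification is meant to stay, keep at least the topic sentence; if it is being dropped, the paragraph heading should go with it. The remaining sentence about the `eurothermtables` conversion still reads correctly on its own.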
@@ -1785,11 +1774,11 @@ in the diagram, it will be considered a fault. Should the reading be above its expected range, this is a `High Fault' and if below a `Low Fault'. % -Table \ref{ptfmea} plays through the scenarios of each of the resistors failing +Table~\ref{ptfmea} plays through the scenarios of each of the resistors failing in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings. % -The range {0\oc} to {300\oc} will be analysed using potential divider equations to -determine out of range voltage limits in section~\ref{sec:ptbounds}. +The temperature range {0\oc} to {300\oc} will be used to determine potential divider voltage outputs (see section~\ref{sec:ptbounds}), +and these used to validate the FMEA in table~\ref{ptfmea}. \begin{table}[ht] \caption{Pt100 FMEA Single Faults} % title of Table @@ -1817,15 +1806,15 @@ $R_2$ SHORT & - & Low Fault & Value Out of Range Value \\ From table \ref{ptfmea} it can be seen that any component failure in the circuit should cause a common symptom, that of one or more of the values being `out of range'. % -Temperature range calculations and detailed calculations -on the effects of each test case are found in section \ref{Pt100range} -and \ref{Pt100temp}. +%Temperature range calculations and detailed calculations +%on the effects of each test case are found in section \ref{Pt100range} +%and \ref{Pt100temp}. \paragraph{Consideration of Resistor Tolerance} \label{sec:resistortolerance} % -The separate sense lines ensure the voltage read over the Pt100 thermistor are not -altered due to having to pass any significant current. +%The separate sense lines ensure the voltage read over the Pt100 thermistor are not +%altered due to having to pass any significant current. % The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. % 
@@ -1833,27 +1822,30 @@ One or other of the load resistors (the one that current is measured over) shoul be of this accuracy. The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-efficient -(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to -a narrow temperature range anyway, being mounted on a PCB. +(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and typically be subjected to +a narrow temperature range, being mounted on a PCB. %\glossary{{PCB}{Printed Circuit Board}} % To calculate the resistance of the Pt100 element % (and thus derive its temperature), -having the voltage over it, the current flowing through it must be measured. +the voltage over it is read +and with the current flowing through it, its resistance can be found. +%must be measured. % -For the sake of example, let be used $R_2$ to measure the current flowing in the temperature sensor loop. +Let $R_2$ be used to measure the current flowing in the temperature sensor loop. +% +%As the voltage over the Pt100 element $R_3$ is relative to % (a design feature to eliminate resistance effects of the cables), +%the current, can be calculated by reading +%the voltage over the known resistor +%$R_2$. % -As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables), -the current can be calculated by reading -the voltage over the known resistor -$R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. -This can be determined via Ohms law applied to $R_2$, $V=I R_2$, $I=\frac{V}{R_2}$, -and then using $I$, $R_{3} = \frac{V_{R3}}{I}$.} As these calculations are performed by Ohms law, which is linear, the accuracy of the reading -will be determined by the accuracy of $R_2$ and $R_{3}$. +will be determined by the accuracy of $R_2$ and $R_{3}$\footnote{To calculate the resistance of the Pt100 we need the current flowing though it. 
+This can be determined via Ohms law applied to $R_2$, $V=I R_2$, $I=\frac{V}{R_2}$, +and then using $I$, $R_{3} = \frac{V_{R3}}{I}$.}. %It is reasonable to %take the mean square error of these accuracy figures. -\paragraph{Range and $Pt100$ Calculations} +\paragraph{Range and $Pt100$ Calculations.} \label{Pt100temp} $Pt100$ resistors are designed to have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}. @@ -1875,8 +1867,8 @@ As the Pt100 forms a potential divider with the \ohms{2k2} load resistors, the upper and lower readings are calculated thus: % % -$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ -$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$ +$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} ,$$ +$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} .$$ % So by defining an acceptable measurement/temperature range, and ensuring the @@ -1888,9 +1880,9 @@ resistors in this circuit have failed. % To convert these to twelve bit ADC (\adctw) counts: % -$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$ +$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} , $$ % -$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$ +$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$ % % \begin{table}[ht] @@ -1955,7 +1947,7 @@ will detect it. % \ifthenelse{\boolean{pld}} { -\paragraph{Single Fault Modes as PLD} +\paragraph{Single Fault Modes as PLD.} % The component~failure~modes in table \ref{ptfmea} can be represented as contours on a PLD diagram. @@ -1983,7 +1975,7 @@ for the circuit shown in figure \ref{fig:vd}. % % % -\paragraph{Proof of Out of Range Values for Failures} +\paragraph{Proof of Out of Range Values for Failures.} \label{pt110range} % Using the temperature ranges defined above the voltages can be compared; 
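Review bot: The four display equations re-punctuated here spell the sensor as `Pt100` in the numerator and `pt100` in the denominator of the same fraction (`\frac{2k2+Pt100}{2k2+2k2+pt100}`); the spelling should be made consistent across all four. `5V.` uses a full stop as a multiplication sign and `2k2` and `Pt100` are set as products of italic variables, so `5\,\mathrm{V} \cdot \frac{R_1 + R_3}{R_1 + R_2 + R_3}` (the section already names the resistors $R_1$, $R_2$, $R_3$) or a `\mathrm{2k2}` macro would read correctly. These equations are the basis for table~\ref{ptbounds}, so a consistent form matters more here than elsewhere.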
@@ -1996,11 +1988,11 @@ There are six test cases and each will be examined in turn. With Pt100 at 0\oc: $$ highreading = 5V $$ Since the highreading or sense+ is directly connected to the 5V rail, -both temperature readings will be 5V.. -$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$ +both temperature readings will be 5V, +$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V .$$ With Pt100 at the high end of the temperature range 300\oc. -$$ highreading = 5V $$ -$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$ +$$ highreading = 5V ,$$ +$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$ % Thus with $R_1$ shorted both readings are outside the proscribed range in table \ref{ptbounds}. @@ -2015,12 +2007,12 @@ proscribed range in table \ref{ptbounds}. \paragraph{ TC 3 : Voltages $R_2$ SHORT } % With Pt100 at 0\oc: -$$ lowreading = 0V $$ +$$ lowreading = 0V .$$ Since the lowreading or sense- is directly connected to the 0V rail, -both temperature readings will be 0V. -$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$ -With Pt100 at the high end of the temperature range 300\oc. -$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$ +both temperature readings will be 0V, +$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V .$$ +With Pt100 at the high end of the temperature range 300\oc , +$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V .$$ % Thus with $R_2$ shorted both readings are outside the proscribed range in table \ref{ptbounds}. 
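Review bot: In TC 3 the second display after "both temperature readings will be 0V," is labelled `lowreading` but evaluates the sense+ voltage (`5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V`), and the 300°C case two lines later calls the same quantity `highreading`; the 0°C line should be `$$ highreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V .$$`. As written the paragraph asserts lowreading = 0V and then lowreading = 0.218V for the same fault. The punctuation-only edit in this hunk preserved the mislabel, so it is worth fixing while the line is being touched.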
@@ -2036,12 +2028,15 @@ Here the potential divider is simply between the two 2k2 load resistors. Thus it will read a nominal; 2.5V. % -Assuming the load resistors are -precision components, and then taking an absolute worst case of 1\% either way. +Because the readings here depend on the values of resistors $R_1$ and $R_2$ +resistor tolerance must be considered. % -$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$ +Assuming the load resistors are fairly typical in terms of precision +precision, taking an absolute worst case of 1\% either way: % -$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$ +$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V ,$$ +% +$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V .$$ % These readings both lie outside the proscribed range. Also the sense+ and sense- readings would have the same value. @@ -2080,7 +2075,12 @@ resistors in this circuit have failed. % \subsection{Derived Component with one failure mode.} The Pt100 circuit can now be treated as a component in its own right, and has one failure mode, -{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The detectability of a +{\textbf OUT\_OF\_RANGE} i.e.: + + +$$ fm(Pt100) = \{ {OUT\_OF\_RANGE} \} . $$ + +This is a single, detectable failure mode. The detectability of a fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$ has been developed for safety critical temperature measurement. % @@ -2145,7 +2145,7 @@ faults as FMMD test cases. TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline \hline - TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline + TC 9: & $R_1$ OPEN $R_3$ OPEN & Floating & low & Sense- out of range \\ \hline TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline \hline 
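Review bot: The added sentence `Assuming the load resistors are fairly typical in terms of precision precision, taking an absolute worst case of 1\% either way:` repeats `precision` across the line break, and the sentence before it needs a comma after `$R_2$`. A 1\% part is only a worst case for the tolerance class assumed, so `assuming 1\% tolerance load resistors, taking the worst case of 1\% either way:` says what is actually being claimed. The figures 2.475V and 2.525V follow correctly from that assumption ($5V \cdot 0.99/(1.01+0.99)$).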
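Review bot: The added line `{\textbf OUT\_OF\_RANGE} i.e.:` uses \textbf without braces, so only the following `O` is set bold; write `\textbf{OUT\_OF\_RANGE}`, which is also the form the double-failure derived-component text later in this file uses. The two blank lines inserted before the `$$ fm(Pt100) = \{ {OUT\_OF\_RANGE} \} . $$` display start a paragraph immediately before a display equation, adding spurious vertical space; drop them, keeping `%` lines if a visual separator in the source is wanted. `$$ ... $$` is plain TeX rather than LaTeX's `\[ ... \]`, but the file uses it throughout, so that is consistency rather than an error.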
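Review bot: The corrected TC 9 table row records sense+ as `Floating` but its symptom column says only `Sense- out of range`, dropping the floating input that the double-failure derived component later lists as its FLOATING failure mode; TC 7 in the same table records a floating input as `Floating input Fault`/`Unknown value readings`. The row should read `TC 9: & $R_1$ OPEN $R_3$ OPEN & Floating & low & Floating input Fault, sense- out of range \\ \hline` so symptom extraction collects both symptoms. This matches the reworded TC 9 paragraph in the same commit, which says sense+ floats and sense- is tied to ground.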
@@ -2194,8 +2194,8 @@ Thus both values will be out of range. % \paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN.} % -Sense- will be floating. -Sense+ will be tied to Vcc and will thus be out of range. +Sense+ will be floating. +Sense- will be tied to ground and will thus be out of range. % \paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT.} % @@ -2242,8 +2242,8 @@ Both values will be out of range. % \paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN.} % -This shorts the sense- to ground. -The sense- value will be out of range. +This shorts the sense- to ground, and sense+ to Vcc. +Both values will be out of range. % % \paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT.} @@ -2281,7 +2281,7 @@ not that all for a given cardinality constraint have been included. { } % -\paragraph{Symptom Extraction} +\paragraph{Symptom Extraction, forming a {\dc}.} % The results of the test case analysis can now be examined and symptom abstraction applied. % @@ -2312,10 +2312,12 @@ in figure \ref{fig:Pt100_doublef}. } % %\clearpage -\subsection{Derived Component : The Pt100 Circuit} +%\subsection{Derived Component : The Pt100 Circuit for double failures} \label{sec:Pt100floating} The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes, -{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}. +{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}, i.e. + +$$ fm(Pt100) = \{ {OUT\_OF\_RANGE}, {FLOATING} \} . $$ % \ifthenelse{\boolean{pld}} { diff --git a/submission_thesis/CH5_Examples/sigma_delta_block.dia b/submission_thesis/CH5_Examples/sigma_delta_block.dia index dbd8992..9df31b1 100644 Binary files a/submission_thesis/CH5_Examples/sigma_delta_block.dia and b/submission_thesis/CH5_Examples/sigma_delta_block.dia differ diff --git a/submission_thesis/CH6_Software_Examples/software.tex b/submission_thesis/CH6_Software_Examples/software.tex index a5df49e..c4b6d9e 100644 --- a/submission_thesis/CH6_Software_Examples/software.tex 
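Review bot: Commenting out `\subsection{Derived Component : The Pt100 Circuit for double failures}` leaves the following `\label{sec:Pt100floating}` attached to whichever sectioning command last stepped a counter, so any `\ref{sec:Pt100floating}` elsewhere will silently print the previous section's number rather than point at this text. Either keep a heading for the label to attach to, or move the label to a numbered heading that now introduces this material; the `\paragraph{Symptom Extraction, forming a {\dc}.}` added just above is unnumbered and cannot carry it. The new display `$$ fm(Pt100) = \{ {OUT\_OF\_RANGE}, {FLOATING} \} . $$` is consistent with the single-failure form earlier in the file.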
+++ b/submission_thesis/CH6_Software_Examples/software.tex @@ -46,7 +46,7 @@ That is to say, using FMMD, software functions are treated like {\fgs} of elect As software already fits into a hierarchy, there one less analysis decision to make when compared to analysing electronics. % -For electrical and mechanical systems, original designers +For electrical and mechanical systems, although the original system designers concepts of modularity and sub-systems in design may provide guidance, applying FMMD means deciding on the members for {\fgs} and the subsequent hierarchy. @@ -56,7 +56,7 @@ With software already written, the hierarchies are given. To apply FMMD to software, the elements used by a software function are collected, along with the function itself to form a {\fg}. % -When the failure mode behaviour of this {\fg} has been analysed and its failure mode symptoms collected, a {\dc} can be created. +When the failure mode behaviour of this software {\fg} has been analysed and its failure mode symptoms collected, a {\dc} can be created. % That {\dc} can be used by functions that call the function just analysed. 
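Review bot: The reworded line `although the original system designers concepts of modularity` needs the possessive `designers'`; suggested line: `For electrical and mechanical systems, although the original system designers' concepts`. The unchanged context line just above (`there one less analysis decision to make`) is missing `is` and could be picked up in the same pass.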
@@ -255,18 +255,19 @@ value from the external equipment is read. Consider a software function that reads a {\ft} input, and returns a value between 0 and 999 (i.e. per mil $\permil$) representing the current detected; plus an additional error indication flag. % -Let us assume the {\ft} detection is via a \ohms{220} resistor, and that a voltage is read -from an ADC into the software. +From figure~\ref{fig:ftcontext} the {\ft} detection is via a \ohms{220} resistor and the a voltage is read +from an ADC into the software. % -Any value outside the 4mA to 20mA range can be defined as an error condition. +Because the signal is {\ft} +any value outside the 4mA to 20mA range can be defined as an error condition. % As voltage (rather than current) is read by an ADC, Ohms law~\cite{aoe} is used to determine the mA current detected: $V=IR$, $0.004A \times \ohms{220} = 0.88V$ and $0.020A \times \ohms{220} = 4.4V$. % -The acceptable voltage range\footnote{For the purpose of clarity we are ignoring resistor tolerance -for this example. In a practical {\ft} reader we would factor in resistor tolerance to the limits, or -allow `deadbands' of $\approx \half mA$ at either end of the range.} +The acceptable voltage range\footnote{For the purpose of clarity resistor tolerance has been ignored. +In a practical {\ft} reader resistor tolerance would be factored into the limits, or + `deadbands' of $\approx \half mA$ at either end of the range would be implemented.} is therefore $$(V \ge 0.88) \wedge (V \le 4.4) \; .$$ 
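Review bot: The added line `via a \ohms{220} resistor and the a voltage is read` has a stray article; `and a voltage is read`. The rewritten footnote says tolerance is either folded into the limits or handled by $\approx \half mA$ `deadbands', but not which way a deadband goes, and for a 4--20mA loop that matters: the sub-4mA region is the fault signal (an open loop reads 0mA), so a deadband that widens the accepted band below 0.88V weakens open-loop detection, while one that narrows it will flag a legitimate 4mA reading through a 1\% resistor (0.871V) as an error. Suggest the footnote state that the deadband extends the valid band only far enough to absorb resistor tolerance and that readings below it remain errors. The 0.88V and 4.4V limits themselves follow correctly from $V=IR$.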
@@ -462,8 +463,8 @@ With these failure modes defined, analysis can begin on the {\fg} $G_1$, see tab \label{tbl:cmatv} \begin{tabular}{|| l | c | l ||} \hline \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ + \textbf{cause} & \textbf{Effect} & \textbf{ } \\ \hline \hline 1: $R_{OPEN}$ & resistor open, & $HIGH$ \\ & voltage on pin high & \\ \hline @@ -514,7 +515,7 @@ the function must be sent the correct channel number. % \fmmdglossCONTRACTPROG % -A violation of this can be considered a {\fm} of the function, +A violation of this can be considered a {\fm} for the function, which is termed $ CHAN\_NO $. % The reference voltage for the ADC has a 0.1\% accuracy requirement. @@ -543,8 +544,8 @@ This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combine \caption{{\fg} $G_2$: Failure Mode Effects Analysis} % title of Table \label{tbl:radc} \begin{tabular}{|| l | c | l ||} \hline - \textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\ - \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ + \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ + \textbf{cause} & \textbf{Effect} & \textbf{} \\ \hline 1: ${CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\ & read & \\ \hline @@ -701,7 +702,7 @@ With this analysis a complete `reasoning~path' linking the failures modes from the electronics to those in the software has been created. % -Each functional group to {\dc} transition represents a +Each {\fg} to {\dc} transition represents a reasoning stage\footnote{Each of these reasoning stages, will have a reasoning distance associated with it, and because {\fgs} are generally small %we can apply XFMEA XFMEA can be applied 
@@ -828,32 +829,33 @@ variable power output~\cite{aoe}[p.360]). % PWM's ADC's and MUX's are commonly built into cheap micro-controllers~\cite{pic18f2523}[Ch.15]. % -The Yourdon diagram is refined, by adding detail to both the afferent data flow coming through the MUX and ADC on the micro-controller and the efferent -channelled through a PWM module. %again built into the micro-controller, -% + %and add more detail, see figure~\ref{fig:context_diagram2_PID}. \begin{figure}[h]+ \centering \includegraphics[width=400pt]{./CH5_Examples/context_diagram2_PID.png} % context_diagram_PID.png: 818x324 pixel, 72dpi, 28.86x11.43 cm, bb=0 0 818 324 - \caption{Yourdon Context Diagram for PID Temperature Controller.} + \caption{Yourdon data flow diagram for PID Temperature Controller identifying initial processing nodes.} \label{fig:context_diagram2_PID} \end{figure} % +\clearpage +% The Yourdon methodology provides model refinement, by zooming into data transform bubbles, analysing them in more depth and creating more paths and transform bubbles which further define the data flow and processing. % required. % +The Yourdon diagram is refined, by adding detail to both the afferent data flow coming through the MUX and ADC on the micro-controller and the efferent +channelled through a PWM module. %again built into the micro-controller, +% This next stage of model refinement is shown in figure~\ref{fig:context_diagram2_PID}. % -The controlling software is defined, by looking at or zooming into transform bubbles -and refining them by adding detail. -% -Following the data streams through the process, additional transform bubbles are created as required. +The controlling software is then further refined, by looking at or zooming into transform bubbles +and adding more detail i.e. following the data streams through the process, additional transform bubbles are created as required. % The lines connecting the `transform~bubbles' define the data passed between them. 
% -When the data transform analysis is finished, each transform bubble represents a software function. +When the data flow analysis is finished, each transform bubble represents a software function. % Because the connecting lines define the data passed between transform bubbles, the inputs and outputs of the associated software functions are also defined. @@ -885,7 +887,7 @@ functions should be called to control the process, or in `C' terms be the main f \centering \includegraphics[width=400pt]{./CH5_Examples/context_software.png} % context_software.png: 1023x500 pixel, 72dpi, 36.09x17.64 cm, bb=0 0 1023 500 - \caption{Context diagram of the software in the PID temperature controller} + \caption{Final Yourdon data flow diagram which has defined the software functions for the PID temperature controller} \label{fig:contextsoftware} \end{figure} % @@ -904,7 +906,7 @@ this is clearly going to be the monitor function. \centering \includegraphics[width=300pt]{./CH5_Examples/context_calltree.png} % context_calltree.png: 800x783 pixel, 72dpi, 28.22x27.62 cm, bb=0 0 800 783 - \caption{Software yourdon diagram converted to programatic call tree.} + \caption{Software: Yourdon data flow diagram converted to programatic call tree.} \label{fig:context_calltree} \end{figure} % @@ -1025,8 +1027,9 @@ Identified Software Components: % % With the call tree structure defined (see figure~\ref{fig:context_calltree}), -hierarchy compatible with FMMD for analysis is obtained. -However, it is only the top, the software, part of the hierarchy. +a hierarchy compatible with FMMD for analysis has been obtained. +% +However, it is only the top, i.e. the software, part of the hierarchy. % FMMD is a bottom-up process thus start at the lowest level, i.e. the electronics. % 
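Review bot: The moved figure keeps `\begin{figure}[h]` and the commit adds a `\clearpage` straight after it to pin the float in place; `[h]` on its own is turned into `[ht]` with a warning, and the forced page break leaves a partly empty page whenever the figure does not happen to fall near a page boundary. `\begin{figure}[htbp]` without the `\clearpage` preserves the reading order, since the refinement text now explicitly cites `figure~\ref{fig:context_diagram2_PID}`. What appears to be an added blank `+` line directly after `\begin{figure}[h]` is harmless but unneeded.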
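Review bot: The new caption `Software: Yourdon data flow diagram converted to programatic call tree.` misspells `programmatic`; since the caption was rewritten anyway, this is the place to fix it: `\caption{Software: Yourdon data flow diagram converted to a programmatic call tree.}`.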
@@ -1044,10 +1047,11 @@ Staring with the afferent data flow for the temperature readings, the lowest level in the hierarchy is found, the Pt100 sensor. %with the software, and consider the hardware elements %used (if any) by each software function. -Starting at the bottom, a {\fg} is formed with +%Starting +Beginning at the bottom, a {\fg} is formed with the function \cf{read\_ADC} and the Pt100. This gives a {\dc}, %which we call -`Read\_Pt100'. +`Read\_Pt100' (see appendix~\ref{sec:readPt100}). % % % @@ -1103,7 +1107,7 @@ Following the afferent flow further, the function to determine the control error % This is simply the target temperature subtracted from that measured by the sensor. % -A {\fg} is formed with our newly {\dc} Get\_Temperature +A {\fg} is formed with the newly {\dc} Get\_Temperature and the function \cf{determine\_set\_point\_error}. % The pre-condition for \cf{determine\_set\_point\_error} is that the temperature read by it @@ -1161,7 +1165,7 @@ it is the calling function that sets the context for the \cf{PID} function (i.e % % % -The {\dc} PID is created, with the following failure modes: +The {\dc} PID is created, see table~\ref{tbl:pidfunction}, with the following failure modes: % $$ fm(PID) = \{ KnownControlValueErrorV, IncorrectControlErrorV \} .$$ % @@ -1203,7 +1207,7 @@ to implement the power output demand. % % % -A {\dc} is created called HeaterOutput +A {\dc} is created called HeaterOutput, see table~\ref{tbl:heateroutput}, with the following failure modes: $$fm(HeaterOutput) = \{ HeaterOnFull, HeaterOff, HeaterOutputIncorrect \} .$$ % 
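Review bot: The reworded line `A {\fg} is formed with the newly {\dc} Get\_Temperature` has lost its participle; it should read `A {\fg} is formed with the newly created {\dc} Get\_Temperature`. `Staring with the afferent data flow` in the unchanged context a few lines up is a typo for `Starting` that the same pass could pick up.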
@@ -1322,7 +1326,7 @@ The PID temperature control example above, shows that complete hybrid software/e modelled using FMMD. % The analysis has revealed system level failure modes that are un-handled and some that are undetectable. -The FMMD model can be traversed from undesirable top level failures to the {\bc} {\fms} that are the cause. +The FMMD model can be traversed from undesirable top level failures to the {\bc} {\fms} that are the causes. \fmmdglossOBS % This means that by using FMMD, the sub-systems which require @@ -1333,7 +1337,7 @@ SIL levels, make this a desirable feature of any FMEA based methodology. % For the failure modes caused by electronics, reliability statistics can be applied, and the possibilities of using higher rated -components instead of expensive re-design can be simulated/modelled. +components instead of potentially expensive re-design can be simulated/modelled. % For software errors, it may be necessary to provide extra functions to provide self checking. % diff --git a/submission_thesis/CH7_Evaluation/copy.tex b/submission_thesis/CH7_Evaluation/copy.tex index 2a37d2c..535c42f 100644 --- a/submission_thesis/CH7_Evaluation/copy.tex +++ b/submission_thesis/CH7_Evaluation/copy.tex @@ -19,7 +19,7 @@ complexity of applying FMEA to a group of components. These formulae are then used for a hypothetical example, which is analysed by both FMEA and FMMD. % %After analysing hypothetical examples, the -The hypothetical example gives a general formula, which shows that the reasoning distance +The hypothetical example leads to a general formula, which shows that the reasoning distance goes from a polynomial to a logarithmic order comparing XFMEA with FMMD. % %This means that for 
@@ -146,7 +146,7 @@ Using the language developed in the previous chapters, a system for analysis is considered as a collection %{\fg} of components. % -This is a set of components as $G$, and the number of components in it +This is a set of components $G$, and the number of components in it $ | G | $. %, %(an indexing and sub-scripting notation to identify particular {\fgs} %within an FMMD hierarchy is given in section~\ref{sec:indexsub}). @@ -171,7 +171,7 @@ The number of potential failure modes of a component, $c$, is $ | fm(c) | .$ Indexing the components in the system under investigation $ c_1, c_2 \ldots c_{|G|} $ allows expression of the number of checks required to exhaustively % rigorously examine every -failure mode against all the other components in a system in equation~\ref{eqn:CC}. +failure mode against all the other components in a system (see equation~\ref{eqn:CC}). % Comparison Complexity can be represented by a function $CC$, with its domain as $G$, and its range as the number of checks---or reasoning stages---to perform to satisfy an XFMEA inspection. @@ -252,7 +252,7 @@ The {\fg} with the potential divider and the operational amplifier has an $\alph % \end{equation} -An FMMD hierarchy will have reducing numbers of {\fgs} the hierarchy is traversed upwards. +An FMMD hierarchy will have reducing numbers of {\fgs} as the hierarchy is traversed upwards. % In order to calculate its comparison~complexity, equation~\ref{eqn:CC} must be applied to all {\fgs} on each level. 
@@ -309,9 +309,9 @@ i.e. a {\fg} with two components, one with four failure modes and the other (th $$CC(invamp) = 2 \times 1 + 4 \times 1 = 6 . $$ % The two calculated complexities are added to determine the -amount of reasoning paths to analyse the amplifier using FMMD. +number of reasoning paths to analyse the amplifier using FMMD. % -The potential divider has a $CC$ of four and the amplifier section a $CC$ of six. +The potential divider has a {\cc} of four and the amplifier section a {\cc} of six. % To analyse the inverting amplifier with FMMD it required 10 reasoning stages. % @@ -417,7 +417,7 @@ Using the diagram in figure~\ref{fig:three_tree}, there are three levels of anal Starting at the top, there is a {\fg} with three derived components, each of which has three failure modes. % -Thus the number of checks to make in the top level is $3^0\times3\times2\times3 = 18$. +Thus the number of checks to make, or {\cc}, in the top level is $3^0\times3\times2\times3 = 18$. % On the level below that, there are three {\fgs} each with an identical number of checks, $3^1 \times 3 \times 2 \times 3 = 56$. %{\fg} 
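Review bot: The added line's arithmetic is right ($3^0\times3\times2\times3 = 18$), but the unchanged line immediately below it gives the next level as `$3^1 \times 3 \times 2 \times 3 = 56$`, and that product is 54; any per-level total summed from 56 inherits the error. Correct it to `$3^1 \times 3 \times 2 \times 3 = 54$` and re-check the sum for the three-level hierarchy. Whether the totals were computed from the typeset numbers or independently is not visible here.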
@@ -487,17 +487,18 @@ $$ % For FMMD (where within {\fgs} the analysis \textbf{is exhaustive}) it only requires 720 reasoning paths. - - - +% +% +% \subsubsection{Plotting XFMEA and FMMD reasoning distance} Using the gnuplot utility~\cite{gnuplot,Janert:2009:GAU:1631269} and implementing equation~\ref{eqn:fmea_state_exp22} for -XFMEA and equation~\ref{eqn:anscen} for FMMD reasoning distances and using a logarithmic axis for reasoning distance -comparison is performed graphically. +XFMEA and equation~\ref{eqn:anscen} for FMMD reasoning distances and using a logarithmic axis, the reasoning distance +comparison is shown as a graph. %performed graphically. % The gnuplot script used to -produce figure~\ref{fig:xfmeafmmdcomp} may be found in section~\ref{sec:gnuplotxfmeafmmdcomp}. +produce the comparison graph %figure~\ref{fig:xfmeafmmdcomp} +is listed in section~\ref{sec:gnuplotxfmeafmmdcomp}. \begin{figure}[h] \centering 
@@ -507,14 +508,18 @@ produce figure~\ref{fig:xfmeafmmdcomp} may be found in section~\ref{sec:gnuplotx \label{fig:xfmeafmmdcomp} \end{figure} -Looking at the graph in figure~\ref{fig:xfmeafmmdcomp} it is seen that the reasoning distance +Looking at the graph in figure~\ref{fig:xfmeafmmdcomp} it is seen that acceptable reasoning distances for large numbers of components becomes extremely difficult to achieve for traditional FMEA. % +% +This shows that FMMD, by analysing a system in a modular and hierarchical +way, has reduced the amount of analysis work significantly. +% It can be seen that the reasoning distance has gone from a polynomial to a logarithmic order. % -By applying FMMD large group for analysis has be decimated into -a hierarchy of much smaller groups and applied XFMEA {\em within} these. +%By applying FMMD large group for analysis has be decimated into +%a hierarchy of much smaller groups and applied XFMEA {\em within} these. % In mathematical terms this means the polynomial order has been converted to logarithmic by being able to take exponentiation values out @@ -542,12 +547,13 @@ compared to the DFT algorithm. All the FMMD examples in chapters \ref{sec:chap5} and \ref{sec:chap6} showed a marked reduction in comparison -complexity compared to the {\XFMEA} worst case figures. +complexity compared to {\XFMEA}. % worst case figures. +% To calculate {\XFMEA} comparison complexity equation~\ref{eqn:CC} is used. % % Complexity comparison vs. {\XFMEA} for the first three examples -are presented in table~\ref{tbl:firstcc}. +are presented in the following table~\ref{tbl:firstcc}. % %\usepackage{multirow} \begin{table} 
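Review bot: The reworded sentence `acceptable reasoning distances for large numbers of components becomes extremely difficult to achieve` has a plural subject and needs `become`. The new claim `has reduced the amount of analysis work significantly` is stronger than the plot can support on its own, because the graph compares two closed-form expressions (equations~\ref{eqn:fmea_state_exp22} and~\ref{eqn:anscen}) for a hypothetical hierarchy; say `reduces the reasoning distance for the modelled hierarchy` or quote the ratio at a stated component count from the gnuplot script. `in the following table~\ref{tbl:firstcc}` in the next hunk is fragile since the table is a float and may land elsewhere; `in table~\ref{tbl:firstcc}` was better.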
@@ -614,27 +620,31 @@ are presented in table~\ref{tbl:firstcc}. \end{table} % end table The complexity comparison figures for the example circuits in chapter~\ref{sec:chap5} show -that for the non trival examples, as +that for the non-trivial examples, as more levels in the FMMD hierarchy are used, the performance -gain over {\XFMEA} becomes apparent. %for increasing complexity the performance benefits from FMMD are apparent. +gain over {\XFMEA} is demonstrated. %becomes apparent. %for increasing complexity the performance benefits from FMMD are apparent. \clearpage -\subsection{Comparison Complexity for the Bubba Oscillator Example.} +\subsection{Comparison Complexity for the Bubba Oscillator Example} +% The Bubba oscillator example (see section~\ref{sec:bubba}) was chosen because it had a circular -signal path. It was also analysed twice, once by +signal path. +% +It was also analysed twice, once by {na\"{\i}vely} using the first {\fgs} identified, and secondly by de-composing the circuit further. % -These two analyses are used to compare the effect on comparison complexity (see table~\ref{tbl:bubbacc}) with that of {\XFMEA}. +These two analyses are used to compare the effect on comparison complexity % REF DOES NOT WORK (see table~\ref{tbl:bubbacc11}) +with that of {\XFMEA}. % \begin{table} - \label{tbl:bubbacc} - - +\label{tbl:bubbacc11} +% \begin{tabular}{ |c|l|l|c| } + \hline \textbf{Hierarchy} & \textbf{Derived} & \textbf{Complexity} & $|fm(c)|$: \textbf{number} \\ \textbf{Level} & \textbf{Component} & \textbf{Comparison} & \textbf{of derived} \\ @@ -691,6 +701,7 @@ These two analyses are used to compare the effect on comparison complexity (see \hline \end{tabular} +%\label{tbl:bubbacc} \caption{Complexity Comparison figures for the Bubba Oscillator FMMD example (see section~\ref{sec:bubba}).} \end{table} % 
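Review bot: The reference is commented out with `% REF DOES NOT WORK` and the label renamed, but the cause is untouched: `\label{tbl:bubbacc11}` sits at the top of the table environment before `\caption`, and a label takes the value of the last counter stepped, which there is the enclosing subsection, so `\ref` prints the wrong number. Move the label to follow the caption at the bottom of the environment, where the commented `%\label{tbl:bubbacc}` already sits, i.e. `\caption{Complexity Comparison figures for the Bubba Oscillator FMMD example (see section~\ref{sec:bubba}).}` then `\label{tbl:bubbacc11}`, and restore `(see table~\ref{tbl:bubbacc11})` in the sentence. The rename to `bubbacc11` is then unnecessary unless another `tbl:bubbacc` label exists elsewhere.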
@@ -757,6 +768,8 @@ This is where the modular approach aids understanding and analysis. When following this circuit through in a traditional way, following signal paths that are level shifted, adds to the complication of analysing it for failures. % +That is the signal path crosses from analogue to digital signalling and vice versa. +% % \subsection{Exponential squared to Exponential} % % can I say that ? @@ -857,7 +870,8 @@ formally; % % \begin{equation} - \exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} . + % \exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} . + \exists f_1,f_2 \in F \; where\; ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} . \end{equation} % % @@ -1218,7 +1232,7 @@ $$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 .$$ % As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double) there is confidence that all `double combinations' of the possible faults -have been checked in the Pt100 circuit. +have been checked in the Pt100 circuit (see section~\ref{sec:Pt100d}). %The next task is to investigate %these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}. 
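Review bot: The rewritten equation puts `where` in math mode as `\; where\;`, which typesets it as a product of five italic variables; use `\text{ where }` (amsmath) or a colon. Binding is also unclear, since `\exists f_1,f_2 \in F ... \implies F \not\in \mathcal{U}` can be read with the implication inside the quantifier's scope; bracket the existential: `\bigl(\exists f_1,f_2 \in F \; \text{such that} \; f_1 \neq f_2 \wedge \mathcal{ACTIVE}(f_1) \wedge \mathcal{ACTIVE}(f_2)\bigr) \implies F \not\in \mathcal{U} .`. Leaving the old form as a commented line inside the equation environment compiles, but it should be removed before submission.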
@@ -1292,7 +1306,7 @@ that system will not exhibit faulty behaviour. % %We can say that the OK state corresponds to the empty set. % -Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is +Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is: %$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$ $$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$ The failure mode set $F$ for a given component or derived~component $C$ @@ -1344,7 +1358,8 @@ failure modes are unitary state. Suppose that a component that can fail simultaneously with more than one failure mode is included in an analysis. % -This would make it seemingly impossible to model as `unitary state'. +This would make it %seemingly +impossible to model as `unitary state'. % % \paragraph{De-composition of complex component.} @@ -1355,7 +1370,8 @@ The component could be considered a composite of two simpler components, and their interaction modelled to create a derived component (i.e. use FMMD). % -The second way to do this would be to consider the combinations of non-mutually +The second way %to do this +would be to consider the combinations of non-mutually exclusive {\fms} as new {\fms}: this approach is discussed below. \ifthenelse {\boolean{paper}} @@ -1375,8 +1391,8 @@ This technique is outside the scope of this paper. \end{figure} \paragraph{Combinations become new failure modes.} -% FUCK OFF - the combinations +% +The combinations of the non-mutually exclusive failure modes could be considered as new failure modes. % An Euler diagram representation of 
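Review bot: Deleting `seemingly` makes the sentence read `This would make it impossible to model as `unitary state'`, but the two paragraphs that follow (de-composition into simpler components, and combinations treated as new failure modes) exist precisely to show that it can be modelled; the hedge was carrying that meaning. Keep it, e.g. `This would appear to make it impossible to model as `unitary state'.`, or rewrite as `Taken as is, such a component cannot be modelled as unitary state; two ways round this are given below.`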
@@ -1417,8 +1433,8 @@ Thus for $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and $P(B_1 \cap B_3) = P(B_1)P(B_3)$. \caption{Component with two new failure modes} \label{fig:combco3} \end{figure} - -%OH FUCCCCKKKKKKKKKKKKKKKKK OFFFFFFFFFFFFFFFFFFFFFFFFFFFFF +% +% Consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}). Because of the combinations, the probabilities for the failure modes $B_1, B_2$ and $B_3$ will now reduce. @@ -1454,11 +1470,10 @@ of functional groups. These are: \end{itemize} % If a deliberately `bad' {\fg} were chosen it would be found that, -on analysis, the component failure modes would not aggregate--i.e. be collectable as---common -symptoms. +on analysis, the component failure modes would not aggregate i.e. be collectable as common symptoms. % This would be because, with non-functionally adjacent -components, their failures often cause non-common failure symptoms. % for the {\fg}. +components, their failures will typically cause non-common failure symptoms. % for the {\fg}. % That is a well defined module will typically have a larger number of component failures than failure symptoms. % 
@@ -1472,15 +1487,16 @@ to warn of potentially poorly chosen {\fgs}. \subsubsection{Side Effects: A Problem for FMMD analysis} \label{sec:sideeffects} -A problem with modularising according to functionality is that it could -have cause failures that would % poss split infinitive +A problem with modularising according to functionality is that %it could +%have cause failures that would % poss split infinitive +components that would intuitively be associated with one {\fg} -that could cause unintended side effects in other +could cause unintended side effects in other {\fgs}. % For instance to have a component that on failing $SHORT$ could bring down a voltage supply rail, could have drastic consequences for other -functional groups in the system. % pissare examining. +functional groups in the system. % \pagebreak[3] \subsubsection{Example de-coupling capacitors in logic circuits} @@ -1498,8 +1514,8 @@ are a potential source of the symptom, $SUPPLY\_SHORT$. In a logic chip/digital circuit {\fg} open capacitors are a potential source of symptoms caused by the failure mode $INTERFERENCE$. % -So a `symptom' of the power-supply, and a `failure~mode' of -the logic chip to consider. +%So a `symptom' of the power-supply, and a `failure~mode' of +%the logic chip to consider. % A possible solution to this is to include the de-coupling capacitors in the power-supply {\fg}. 
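Review bot: The rewrite leaves two commented fragments (`%it could` and `%have cause failures that would`) in the middle of the sentence, so the source reads `is that %it could ... components that would intuitively`; the new sentence stands on its own, so delete the fragments rather than carry them. The paragraph would also benefit from naming the phenomenon: a component whose failure affects more than one {\fg}, as in the supply-rail SHORT example, is what FMEA practice would call a common-cause effect across groups, and saying so makes the later discussion of sharing components between {\fgs} easier to follow.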
@@ -1507,13 +1523,13 @@ in the power-supply {\fg}. % I think so -Because the capacitor has two potential failure modes (EN298), -this raises another issue for FMMD. +%Because the capacitor has two potential failure modes, OPEN and SHORT, % (EN298), +%this raises another issue for FMMD. % A de-coupling capacitor going $OPEN$ might not be considered relevant to a power-supply module (but there might be additional noise on its output rails). % -But in {\fg} terms, the power supply now has a new symptom that of $INTERFERENCE$. +But in {\fg} terms, the power supply now has a new symptom, that of $INTERFERENCE$. % Some logic chips are more susceptible to $INTERFERENCE$ than others. % @@ -1532,13 +1548,14 @@ This allows for the general principle of a component failure affecting more than % This allows functional groups to share components where necessary. % -This does not break the modularity of the FMMD technique, because, as {\irl}, -one component failure may affect more than one sub-system. +%This does not break the modularity of the FMMD technique, because, as {\irl}, +%one component failure may affect more than one sub-system. % -It does uncover a weakness in the FMMD methodology though. +%It does uncover a weakness in the FMMD methodology though. % -It could be very easy to miss the side effect and include -the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. +With poorly chosen {\fgs} it would be possible to miss side effects in analysis. +%and include +%the component causing the side effect into the wrong {\fg}, or only one germane {\fg}. %\section{Evaluation} diff --git a/submission_thesis/appendixes/detailed_analysis.tex b/submission_thesis/appendixes/detailed_analysis.tex index b14aa01..44371d7 100644 --- a/submission_thesis/appendixes/detailed_analysis.tex +++ b/submission_thesis/appendixes/detailed_analysis.tex 
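Review bot: This hunk comments out the two sentences that admitted the limitation (`It does uncover a weakness in the FMMD methodology though` and the risk of placing the component in only one germane {\fg}) and replaces them with `With poorly chosen {\fgs} it would be possible to miss side effects in analysis.`, which moves the fault from the method to the analyst. The retained example shows why the original was the honest statement: analysis within a {\fg} cannot reveal that a de-coupling capacitor's SHORT affects the supply rail seen by other groups, so the side effect has to be known before the {\fgs} are chosen. For an evaluation chapter the limitation should stay explicit alongside its mitigation, e.g. `This remains a limitation of FMMD: a side effect between {\fgs} must be identified when the {\fgs} are chosen, since analysis within a {\fg} cannot reveal it; sharing the component between the affected {\fgs} is the mitigation.`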
@@ -502,7 +502,7 @@ $$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$
 \section{Standalone temperature controller}
 FMMD analysis tables from chapter~\ref{sec:chap6}.
-
+\label{sec:readPt100}
 \subsection{Read\_Pt100: Failure Mode Effects Analysis}
 { \tiny
diff --git a/submission_thesis/style.tex b/submission_thesis/style.tex
index 6221ebd..1c85932 100644
--- a/submission_thesis/style.tex
+++ b/submission_thesis/style.tex
@@ -7,7 +7,7 @@
 \DeclareMathSymbol{\C}{\mathbin}{AMSb}{"43}
 %\DeclareMathSymbol{\hh}{\mathbin}{AMSb}{"48}
-
+\newcommand{\cc}{comparison~complexity}
 \newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20mA} }
 \newcommand{\tenfifty}{\ensuremath{10\!\!\rightarrow\!\!50mA} }
 \usepackage{graphicx}
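Review bot: `\label{sec:readPt100}` is placed directly after `\section{Standalone temperature controller}` and before `\subsection{Read\_Pt100: Failure Mode Effects Analysis}`, so `\ref{sec:readPt100}` yields the number of the whole appendix section, while the reference added in CH6 (`see appendix~\ref{sec:readPt100}`) directs the reader to the Read\_Pt100 table specifically. Put the label after the heading it is meant for: `\subsection{Read\_Pt100: Failure Mode Effects Analysis}` followed by `\label{sec:readPt100}`.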