robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

arrrggghhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh

Browse Source
This commit is contained in:
Robin Clark 2013-09-25 12:12:33 +01:00
parent c8e05cb78f
commit cd0ec8fa69
10 changed files with 262 additions and 226 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
mybib.bib
View File

@ -1136,6 +1136,13 @@ ISSN={0098-5589},}
year = "1994"
}
@MISC{tisallenkey,
author="Texas Instruments",
title = "Analysis of the Sallen Key architecture: Application report",
howpublished = "Available from http://www.ti.com/lit/an/sloa024b/sloa024b.pdf",
year="2002"
}
@MISC{challenger,
author = "U.S. Presidential Commission",
title = "Report of the SpaceShuttle Challanger Accident",

22
submission_thesis/CH2_FMEA/copy.tex
View File

@ -72,7 +72,7 @@ and in a given environment. An `O' ring for instance can fail by leaking
but if fitted to a water seal on a garden hose, the system level failure %is a
would be a slight leak at the tap. % outside the house.
%
Applied to the rocket engine on a space shuttle that same 'O' ring failure mode
Applied to the rocket engine on a space shuttle an 'O' ring failure
could cause a catastrophic fire and destruction of the spacecraft and occupants~\cite{challenger}.
%
At a lower level, consider a resistor and capacitor forming a potential divider to ground.
@ -113,7 +113,7 @@ is shown in figure~\ref{fig:component_fm_rel}.
The next stage is analysis, that is reasoning applied to the system in the event of
a given failure mode.
%
To perform how a failure
To analyse how a failure
mode, after considering its effect on other components in the system,
will translate to a system level symptom/failure.
%
@ -251,7 +251,7 @@ their relationship to particular standards is presented below.
Two common electrical components are used as examples,
and examined against two sources of {\fm} information. % define their failure mode behaviour.
%
These definitions for a given generic component may not always agree.
Failure mode definitions for a given generic component may not always agree.
%
The reasons why, some {\fms}
can be found in one source, but not in the others and vice versa, are discussed.
@ -429,9 +429,9 @@ investigations.
\fmmdglossOPAMP
The symptom for this is given as a low slew rate.
%
Slew rate for a circuit/component is the rate at which it changes an output voltage level (i.e. $\frac{\delta V}{\delta t} $).
Slew rate for a circuit/component is the maximum rate at which it can change an output voltage level (i.e. $\frac{\delta V}{\delta t} $).
%
This means that the op-amp will not react quickly to changes on its input terminals.
A low slew rate will mean that the op-amp will not react quickly to changes on its input terminals.
%
%
This is a failure symptom that may not be of concern in a slow responding system like an
@ -441,7 +441,7 @@ This failure cause can be mapped to a symptomatic {\fm} called $LOW\_SLEW$.
\paragraph{No Operation - over stress.}
Here the OP-Amp has been damaged, and the output may be held HIGH or LOW, or may be
effectively tri-stated, i.e. not able to drive circuitry in along the next stages of
effectively tri-stated, i.e. not able to drive circuitry along the next stages of
the signal path: this {\fm} is termed NOOP (no Operation).
%
This failure cause thus maps to three {\fms}, $LOW$, $HIGH$, $NOOP$.
@ -494,7 +494,7 @@ $LOW\_SLEW$.
\caption{LM358: EN298 Open and shorted pin failure symptom determination technique}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\
\textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\
\textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{FMEA component} \\
\textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
\hline
@ -734,7 +734,8 @@ the circuit behaviour is measured in finer granularity,
%
With this style of fault finding, because it is based on experiment,
hopping from module to module eliminating working ones, until
failure is found~\cite{maikowski}, is effective.
failure is found~\cite{maikowski}, it is efficient in terms of
concentrating effort.
%
The rationale and work-culture of those tasked to
perform FMEA are generally personnel who have performed fault finding~\cite{cbds}[p.97].
@ -812,7 +813,7 @@ From a large system perspective, it may be found that {\bc} {\fms}
may have more than one possible system event associated with them.
%
Often there will be a clear one to one mapping, but
probabilities to failure (as used in FMECA)
probabilities to failure (as used in FMECA, see section~\ref{sec:FMECA})
could mean one ({\fm}) too many (system level symptoms). % mapping.
%
\paragraph{Use of Markov chains to model failure modes.}
@ -1094,7 +1095,7 @@ Where $RD_{double}$ is the reasoning~distance for double failure scenarios:
\end{equation}
%
For a theoretical system with 100 components and a fixed 3 failure modes each, this gives reasoning distance of
$100*99*98*3=2,910,600$. % failure mode scenarios.
$100 \times 99 \times 98 \times 3 = 2,910,600$. % failure mode scenarios.
%
In practise there is an additional complication here, that of
the circuit topology changes that {\fms} can cause.
@ -1178,6 +1179,7 @@ An example PFMEA report is presented in table~\ref{tbl:pfmeareport}.
\section{FMECA - Failure Modes Effects and Criticality Analysis}
\fmmdglossFMECA
\label{sec:FMECA}
\paragraph{ FMECA - Failure Modes Effects and Criticality Analysis.}
% \begin{figure}
% \centering

36
submission_thesis/CH3_FMEA_criticism/copy.tex
View File

@ -91,7 +91,7 @@ This means that the reasoning involved in determining the system level failure/s
Ideally supporting documentation would give the reasoning and calculations behind each analysis case,
but the structure of current FMEA reports does not encourage this.
%
\paragraph{Re-use of FMEA analysis}
\paragraph{Re-use of FMEA analysis.}
%
Given the {\bc} {\fm} to system level failure mode paradigm it is
difficult to re-use FMEA analysis.
@ -207,8 +207,8 @@ A small group of components performing a well defined function
is termed a `{\fg}'.
%
Potentially, using {\fgs}, is a way of de-composing
the problem and reducing the $O(N^2)$ state explosion effect
associated with XFMEA.
the problem and reducing the $O(N^2)$---see equation~\ref{eqn:fmea_single}---state explosion effect associated with XFMEA.
%
\fmmdglossSTATEEX
%
That is if the analysis problem can be broken into smaller steps, involving
@ -234,11 +234,12 @@ It is therefore desirable to reduce this order further.
\section{Software and FMEA}
Traditional FMEA deals only with electrical and mechanical components, i.e. it does not have provision for software.
%
Modern control systems nearly always have a significant software/firmware element,
and not being able to model software with current FMEA methodologies
is a cause for criticism~\cite{safeware}[Ch.12].
%
Some techniques apply blanket estimates for a given software implementation, based
Some techniques apply blanket estimates for a given software implementation~\cite{safeware}[pp.156-9], based
on the verification techniques applied in its testing,
to aid calculation of system level reliability statistics~\cite{5492693}.
%Even the traditionally conservative nuclear industry is now
@ -339,24 +340,29 @@ a master controller.
%
Most modern cars follow this information technology pattern and use CANbus~\cite{canspec,can}.
%
For instance, in a modern car there will be no mechanical linkage from the pedal to the engine, instead the throttle pedal
will be linked to a sensor to determine how
far the pedal is pressed.
For instance, in a modern car there will be no mechanical linkage from the throttle pedal to the engine, instead the pedal
will be linked to a sensor to determine how far down it is pressed.
%
This sensor will be read by a micro-controller, and passed, via CANbus, to the Engine Control Unit (ECU)
This sensor will be read by a micro-controller, and values passed via CANbus, to the Engine Control Unit (ECU)
which will use that information (along with information from other sensors) to adjust the power required from the engine.
%
This adjustment could be direct, or could be another CANbus message passed to a micro-controller regulating engine function.
%
In terms of FMEA, see figure~\ref{fig:distcon}, our reasoning path spans (at least) four interface layers of electronics to software.
%
Traditional FMEA does not cater for the software hardware interface, and this leads to the additional complications
%with the additional complications
of the communications protocol used to transmit data and the failure mode characteristics
of the communications physical layer.
Traditional FMEA does not cater for the software hardware interface and using
a distributed system means the signal path will
cross several hardware/software interfaces\footnote{The complications of introducing a
communications protocol and the failure mode characteristics of the communications
physical~layer must also be considered in a distributed system.}.
%of the communications physical layer..
%
This means the signal path will
cross several hardware/software interfaces.
%, and this leads on to the additional complications
%with the additional complications
%of the communications protocol used to transmit data and the failure mode characteristics
%of the communications physical layer.
%
%
\fmmdglossSIGPATH
%(figure~\ref{fig:distcon}
@ -402,7 +408,7 @@ A summary of deficiencies in current FMEA methodologies is listed below:
Traditional forms of FMEA are no longer % fit for purpose!
of meaningful use for complex modern systems especially those incorporating programmatic elements.
They were designed to analyse simple electro-mechanical systems
and even common place large analogue circuits (that are usually physically small), are
and even common place high component count analogue circuits (that are usually surface mount and therefore physically small), are
getting too complicated for meaningful analysis using FMEA.
%
%

24
submission_thesis/CH4_FMMD/copy.tex
View File

@ -98,7 +98,7 @@ at the top of the hierarchy.
The failure modes of the final or top {\dc}
are the failure modes of the system under investigation.
%
That is, the traditional FMEA process has be taken and modularised from the bottom-up.
That is, the traditional FMEA process has been taken and modularised from the bottom-up.
%piss break down each stage of reasoning
%into small manageable groups, and use the failure mode behaviour from them to create {\dcs}
%to build higher level groups.
@ -107,8 +107,8 @@ In this way FMEA is applied incrementally to an entire system. %, with document
\fmmdgloss
%
This has advantages of concentrating
effort in where modules interact (interfaces), of
being able to re-use work and savings in the complexity of performing
effort where modules interact (interfaces),
of being able to re-use work and savings in the complexity of performing
FMEA (because the analysis is typically performed in several small stages
thus avoiding state explosion).
%A notation is then described to index and classify objects created in FMMD hierarchical models.
@ -117,10 +117,8 @@ thus avoiding state explosion).
\section{Worked Example: Non-Inverting Amplifier}
\label{sec:noninvamp}
%% here bring in sys safety paper from 2011
%%
%% GARK BEGIN
%
%
The principles of FMMD are demonstrated, by using it to analyse a
common circuit, the non-inverting amplifier built from an op amp~\cite{aoe}[p.234] and
two resistors; a circuit schematic for this is shown in figure \ref{fig:noninvamp}.
@ -960,11 +958,11 @@ starting where possible with known base~component failure~modes.
%
%
An advantage of working from the bottom up is that it can be ensured that
all component failure modes must be considered.
all component failure modes have been considered.
%
A top down approach (such as FTA)
can miss~\cite{faa}[Ch.~9] individual failure modes of components,
especially where there are non-obvious top-level faults.
especially where there are non-obvious or unexpected top-level failures.
%
\fmmdglossFTA
%
@ -979,7 +977,7 @@ and collecting symptoms of failure, is termed `symptom abstraction'.
%
\fmmdglossSA
%
This is dealt with in detail using an algorithmic description, in appendix \ref{sec:algorithmfmmd}.
This is examined using an algorithmic description, in appendix \ref{sec:algorithmfmmd}.
\fmmdglossFG
\fmmdglossDC
% % define difference between a \fg and a \dc
@ -1025,7 +1023,7 @@ A {\fg} will only be associated with one {\dc} and is given a one to one relatio
%
Each {\fg} will have one analysis report associated with it.
%
The UML representation (in figure \ref{fig:cfg}) shows a `{\fg}' having a one to one relationship with a derived~component.
The UML representation is shown in figure \ref{fig:cfg}. %) shows a `{\fg}' having a one to one relationship with a derived~component.
%
%
%%% FORMAL DEF SLIGHTLY OUT OF PLACE HERE ---- J.HOWSE
@ -1128,7 +1126,7 @@ Also a detailed cause and effect model is useful for creating diagnostic schema
\paragraph{Keeping track of the derived components position in the hierarchy}
\paragraph{Keeping track of the derived components position in the hierarchy.}
\label{sec:alpha}
The UML meta model in figure \ref{fig:cfg}, shows the relationships
between the entities used in FMMD.
@ -1146,7 +1144,7 @@ derivation %`$\derivec$'
have led to the current derived component)
we can add an attribute to the component data type.
%
This can be a natural number called the level variable $\abslev \in \mathbb{N}$.
This can be a natural number called the level variable $\abslev \in \mathbb{N}_{0}$.
% J. Howse says zero is a given in comp sci. This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$.
The $\abslev$ level variable in each component,
indicates the position in the hierarchy. Base components

200
submission_thesis/CH5_Examples/copy.tex
View File

@ -91,6 +91,7 @@ and then combining it with the OPAMP failure mode model.
The second is to place all three components in one {\fg}.
Both approaches are followed in the next two sub-sections.
%
\clearpage
\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
%
Ideally the {\dcs} from the $PD$ from section~\ref{subsec:potdiv} would be re-used; on initial inspection it %at first glance,
@ -205,7 +206,7 @@ by forming a {\fg} with the OpAmp and the new {\dc} $IPD$.
\end{table}
%
%
\clearpage
%\clearpage
%%This gives the same results as the analysis from figure~\ref{fig:invampanalysis}.
%
%
@ -345,6 +346,7 @@ This concern is re-visited in the differencing amplifier example in the next sec
% maybe do an ac amplifier later at some stage.
%
\begin{table}[h+]
\centering
\caption{Inverting Amplifier: Single failure analysis: 3 components}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
@ -635,7 +637,7 @@ for the second stage
\end{figure}
\paragraph{First Order Low Pass Filter.}
\subsection{First Order Low Pass Filter}
\label{sec:lp}
% WEEEE ECUNT
Starting with the first order low pass filter formed by $R10$ and $C10$.
@ -691,7 +693,7 @@ called $FirstOrderLP$.
%
Applying the $fm$ function yields: $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
%
\paragraph{Addition of Buffer Amplifier: First stage.}
\subsection{Addition of Buffer Amplifier: First stage}
%
The op-amp IC1 is being used simply as a buffer.
\fmmdglossOPAMP
@ -744,7 +746,7 @@ In terms of the circuit, the {\fgs} $FirstOrderLP$, and
$LP1$ have been modelled.
%
These can be represented on the circuit diagram by drawing contours around the components
on the schematic as in figure~\ref{fig:circuit2002_LP1}.
on the schematic in figure~\ref{fig:circuit2002_LP1}.
\begin{figure}[h]
\centering
@ -756,8 +758,12 @@ on the schematic as in figure~\ref{fig:circuit2002_LP1}.
\end{figure}
\paragraph{Second order Sallen Key Low Pass Filter.}
The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
\subsection{Second order Sallen Key Low Pass Filter}
%
The next two filters in the signal path are the component groups R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
%
These are Sallen Key low pass filters~\cite{tisallenkey}.
%
From a failure mode perspective these are identical.
%
The first one can be analysed (see table~\ref{tbl:sallenkeylp}) and then these
@ -801,7 +807,7 @@ A derived component is created to represent the Sallen Key low pass filter, call
$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal . \} $$
%
%
\paragraph{A failure mode model of Op-Amp Circuit 2.}
\subsection{A failure mode model of Op-Amp Circuit 2}
%
A {\dcs} representing the three stages of this filter is created following
the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}).
@ -895,6 +901,7 @@ The FMMD hierarchy is shown in figure~\ref{fig:circuit2h}.
\label{tbl:fivepole}
\end{table}
%
\clearpage
%
A {\dc} is created to represent the circuit in figure~\ref{fig:circuit2}, called
$FivePoleLP$: applying the $fm$ function (see table~\ref{tbl:fivepole})
@ -917,10 +924,14 @@ It is not surprising therefore that they have very similar failure modes.
From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$
could be easily detected; the failure symptom $FilterIncorrect$ is not detectable.
%
%\clearpage
\subsection{Conclusion}
This example shows the analysis of a linear signal path circuit with three easily identifiable
{\fgs} and re-use of the Sallen-Key {\dc}.
%
%
%
%
\clearpage
%
\section{Quad Op-Amp Oscillator}
@ -1042,7 +1053,7 @@ the {\fg} for this analysis can be expressed thus:
%
%$$ G^1_0 = \{ PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} ,$$
$$ G = \{ PHS45_1, NIBUFF_1, PHS45_2, NIBUFF_2, PHS45_3, NIBUFF_3, PHS45_4, INVAMP \} ,$$
or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}.
or in Euler diagram format in figure~\ref{fig:bubbaeuler1}.
% HTR 23SEP2012 \begin{figure}[h+]
% HTR 23SEP2012 \centering
% HTR 23SEP2012 \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png}
@ -1114,7 +1125,7 @@ It should be possible to determine smaller {\fgs} and refine the model further.
\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator.}
%
The pre-analysed $NIBUFF$ and $PHS45$
{\dcs} are used to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the
{\dcs} are used to form a {\fg}, analysed in appendix~\ref{tbl:buff45}, giving the
{\dc} $BUFF45$.
%
%Thus,
@ -1129,7 +1140,7 @@ Together these apply a $135^{\circ}$ phase shift to the signal.
This property is used to model a higher level {\dc}, that of a $135^{\circ}$ phase shifter.
%
The three $BUFF45$ {\dcs} form a
{\fg} which is analysed in table~\ref{tbl:phs135buffered}.
{\fg} which is analysed in appendix~\ref{tbl:phs135buffered}.
%
The result of this analysis is the {\dc}
$PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter.
@ -1140,7 +1151,7 @@ $PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shift
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.},
form a {\fg}
providing an amplified $225^{\circ}$ phase shift, analysed in table~\ref{tbl:phs225amp}
providing an amplified $225^{\circ}$ phase shift, analysed in appendix~\ref{tbl:phs225amp}
resulting in the {\dc} $PHS225AMP$.
%
Applying FMMD the {\dc} $PHS225AMP$ is created with the following failure modes:
@ -1198,7 +1209,8 @@ $$
% This has meant a drastic reduction in the number of failure-modes to check against components.
%It has %also
This more decomposed approach has
given us five {\dcs}, building blocks, which could %
given us five {\dcs}, %building blocks,
which could %
potentially be re-used in other projects.
%potentially be re-used for similar circuitry
%to analyse in the future.
@ -1291,7 +1303,9 @@ and fed to the D type flip flop.
%
%
The output of the flip flop is routed to the digital output and to the feedback loop.
It must be level converted, i.e. from digital logic voltage levels to analogue levels, before being fed to the analogue feedback.
%
It must be level converted, i.e. from digital logic voltage levels to analogue levels, before being fed to the analogue feedback/integrator.
%
It is level converted to an analogue signal by IC3---i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage---
and fed into the summing integrator completing the negative feedback loop.
%
@ -1333,7 +1347,7 @@ A CLOCK signal is required for the \sd.
%
For the purpose of example
one failure mode is assigned to this, that it might stop.
The failure modes of the CLOCK, is stated thus:
The failure mode of the CLOCK, is stated thus:
%
$$ fm ( CLOCK ) = \{ STOPPED \}. $$
@ -1536,7 +1550,7 @@ $$ FG = \{ FFB , BISJ \} .$$
The buffered {\sd} circuit is analysed using FMMD (see appendix~\ref{detail:SDADC}) giving
a {\dc} $SDADC$ which provides a failure mode model for the \sd:
$$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\} . $$
$$fm(SDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\} . $$
The {\dc} hierarchy is shown in figure~\ref{fig:eulersdfinal}.
%
\begin{figure}[h]
@ -1581,7 +1595,7 @@ This
leads onto interfacing to software and digital~systems in the next chapter.
%
%
%\clearpage
\clearpage
\section{Pt100 Analysis: FMMD and Double Failure Mode Analysis}
\label{sec:Pt100}
{
@ -1611,38 +1625,13 @@ It is analysed for both single and double failures,
in addition it demonstrates FMMD coping with component parameter tolerances.
%
The circuit is described from a conventional safety perspective and then analysed using the FMMD methodology.
%A derived component, representing this circuit is then presented.
%
%A derived component, representing this circuit is then present
The Pt100, or platinum wire \ohms{100} sensor is
a widely used industrial temperature sensor that is
slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
%
%This section looks at the most common configuration, the
%four wire circuit, and analyses it from an FMEA perspective twice.
%FMMD is performed twice on this circuit
%firstly considering single faults only
%(cardinality constrained powerset of 1)
%and secondly, considering the
%possibility of double faults. % (cardinality constrained powerset of 2).
%
% \ifthenelse {\boolean{pld}}
% {
% The section is performed using Propositional Logic
% diagrams to assist the reasoning process.
% }
% {
% }
%
% This chapter describes taking
% the failure modes of the components, analysing the circuit using FMEA
% and producing a failure mode model for the circuit as a whole.
% Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed
% from an FMEA perspective as a component itself, with a set of known failure modes.
% }
%
\begin{figure}[h]
\centering
@ -1662,9 +1651,9 @@ By measuring voltages
from sections of this circuit forming potential dividers, the
resistance of the platinum wire sensor can be determined.
%
The resistance
of this is directly related to temperature, and may be determined by
look-up tables~\cite{eurothermtables} or a suitable polynomial expression.
%The resistance
%of this is directly related to temperature, and may be determined by
%look-up tables~\cite{eurothermtables} or a suitable polynomial expression.
%
%
\begin{figure}[h]
@ -1677,7 +1666,7 @@ look-up tables~\cite{eurothermtables} or a suitable polynomial expression.
%
%
The voltage ranges expected from this three stage potential divider\footnote{Two stages are required
for validation, a third stage is used to measure the current flowing
for validation, a third stage is necessary to measure the current flowing
through the circuit to obtain accurate temperature readings.}
are shown in figure \ref{fig:Pt100vrange}.
%
@ -1691,8 +1680,8 @@ and the higher as {\em sense+}.
\paragraph{Accuracy despite variable resistance in cables.}
For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables.
%For electronic and accuracy reasons, a four wire circuit is preferred
%because of resistance in the cables.
%
Resistance from the supply
causes a slight voltage
@ -1713,8 +1702,8 @@ through the circuit
and knowing the voltage drop over the $Pt100$, its
resistance is calculated by Ohms law $V=I.R$, $R=\frac{V}{I}$.
%
Thus a little loss of supply voltage due to resistance in the cables
does not impinge on accuracy.
%Thus a little loss of supply voltage due to resistance in the cables
%does not impinge on accuracy.
%
The resistance to temperature conversion is achieved
through the published $Pt100$ tables\cite{eurothermtables}.
@ -1785,11 +1774,11 @@ in the diagram, it will be considered a fault.
Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'.
%
Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
Table~\ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
%
The range {0\oc} to {300\oc} will be analysed using potential divider equations to
determine out of range voltage limits in section~\ref{sec:ptbounds}.
The temperature range {0\oc} to {300\oc} will be used to determine potential divider voltage outputs (see section~\ref{sec:ptbounds}),
and these used to validate the FMEA in table~\ref{ptfmea}.
\begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table
@ -1817,15 +1806,15 @@ $R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
%
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{Pt100range}
and \ref{Pt100temp}.
%Temperature range calculations and detailed calculations
%on the effects of each test case are found in section \ref{Pt100range}
%and \ref{Pt100temp}.
\paragraph{Consideration of Resistor Tolerance}
\label{sec:resistortolerance}
%
The separate sense lines ensure the voltage read over the Pt100 thermistor are not
altered due to having to pass any significant current.
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not
%altered due to having to pass any significant current.
%
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
%
@ -1833,27 +1822,30 @@ One or other of the load resistors (the one that current is measured over) shoul
be of this accuracy.
The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-efficient
(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to
a narrow temperature range anyway, being mounted on a PCB.
(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and typically be subjected to
a narrow temperature range, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}}
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
having the voltage over it, the current flowing through it must be measured.
the voltage over it is read
and with the current flowing through it, its resistance can be found.
%must be measured.
%
For the sake of example, let be used $R_2$ to measure the current flowing in the temperature sensor loop.
Let $R_2$ be used to measure the current flowing in the temperature sensor loop.
%
%As the voltage over the Pt100 element $R_3$ is relative to % (a design feature to eliminate resistance effects of the cables),
%the current, can be calculated by reading
%the voltage over the known resistor
%$R_2$.
%
As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables),
the current can be calculated by reading
the voltage over the known resistor
$R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
This can be determined via Ohms law applied to $R_2$, $V=I R_2$, $I=\frac{V}{R_2}$,
and then using $I$, $R_{3} = \frac{V_{R3}}{I}$.}
As these calculations are performed by Ohms law, which is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$.
will be determined by the accuracy of $R_2$ and $R_{3}$\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
This can be determined via Ohms law applied to $R_2$, $V=I R_2$, $I=\frac{V}{R_2}$,
and then using $I$, $R_{3} = \frac{V_{R3}}{I}$.}.
%It is reasonable to
%take the mean square error of these accuracy figures.
\paragraph{Range and $Pt100$ Calculations}
\paragraph{Range and $Pt100$ Calculations.}
\label{Pt100temp}
$Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
@ -1875,8 +1867,8 @@ As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings are calculated thus:
%
%
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} ,$$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} .$$
%
So by defining an acceptable measurement/temperature range,
and ensuring the
@ -1888,9 +1880,9 @@ resistors in this circuit have failed.
%
To convert these to twelve bit ADC (\adctw) counts:
%
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} , $$
%
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} . $$
%
%
\begin{table}[ht]
@ -1955,7 +1947,7 @@ will detect it.
%
\ifthenelse{\boolean{pld}}
{
\paragraph{Single Fault Modes as PLD}
\paragraph{Single Fault Modes as PLD.}
%
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram.
@ -1983,7 +1975,7 @@ for the circuit shown in figure \ref{fig:vd}.
%
%
%
\paragraph{Proof of Out of Range Values for Failures}
\paragraph{Proof of Out of Range Values for Failures.}
\label{pt110range}
%
Using the temperature ranges defined above the voltages can be compared;
@ -1996,11 +1988,11 @@ There are six test cases and each will be examined in turn.
With Pt100 at 0\oc:
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$
both temperature readings will be 5V,
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V .$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
$$ highreading = 5V ,$$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V .$$
%
Thus with $R_1$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
@ -2015,12 +2007,12 @@ proscribed range in table \ref{ptbounds}.
\paragraph{ TC 3 : Voltages $R_2$ SHORT }
%
With Pt100 at 0\oc:
$$ lowreading = 0V $$
$$ lowreading = 0V .$$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
both temperature readings will be 0V,
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V .$$
With Pt100 at the high end of the temperature range 300\oc ,
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V .$$
%
Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
@ -2036,12 +2028,15 @@ Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
%
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
Because the readings here depend on the values of resistors $R_1$ and $R_2$
resistor tolerance must be considered.
%
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
Assuming the load resistors are fairly typical in terms of precision
precision, taking an absolute worst case of 1\% either way:
%
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V ,$$
%
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V .$$
%
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
@ -2080,7 +2075,12 @@ resistors in this circuit have failed.
%
\subsection{Derived Component with one failure mode.}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The detectability of a
{\textbf OUT\_OF\_RANGE} i.e.:
$$ fm(Pt100) = \{ {OUT\_OF\_RANGE} \} . $$
This is a single, detectable failure mode. The detectability of a
fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
@ -2145,7 +2145,7 @@ faults as FMMD test cases.
TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline
TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 9: & $R_1$ OPEN $R_3$ OPEN & Floating & low & Sense- out of range \\ \hline
TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline
\hline
@ -2194,8 +2194,8 @@ Thus both values will be out of range.
%
\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN.}
%
Sense- will be floating.
Sense+ will be tied to Vcc and will thus be out of range.
Sense+ will be floating.
Sense- will be tied to ground and will thus be out of range.
%
\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT.}
%
@ -2242,8 +2242,8 @@ Both values will be out of range.
%
\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN.}
%
This shorts the sense- to ground.
The sense- value will be out of range.
This shorts the sense- to ground, and sense+ to Vcc.
Both values will be out of range.
%
%
\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT.}
@ -2281,7 +2281,7 @@ not that all for a given cardinality constraint have been included.
{
}
%
\paragraph{Symptom Extraction}
\paragraph{Symptom Extraction, forming a {\dc}.}
%
The results of the test case analysis can now be examined and symptom abstraction applied.
%
@ -2312,10 +2312,12 @@ in figure \ref{fig:Pt100_doublef}.
}
%
%\clearpage
\subsection{Derived Component : The Pt100 Circuit}
%\subsection{Derived Component : The Pt100 Circuit for double failures}
\label{sec:Pt100floating}
The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes,
{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}.
{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}, i.e.
$$ fm(Pt100) = \{ {OUT\_OF\_RANGE}, {FLOATING} \} . $$
%
\ifthenelse{\boolean{pld}}
{

BIN
submission_thesis/CH5_Examples/sigma_delta_block.dia
View File

Binary file not shown.

70
submission_thesis/CH6_Software_Examples/software.tex
View File

@ -46,7 +46,7 @@ That is to say, using FMMD, software functions are treated like {\fgs} of elect
As software already fits into a hierarchy, there one less analysis decision to make when compared
to analysing electronics.
%
For electrical and mechanical systems, original designers
For electrical and mechanical systems, although the original system designers
concepts of modularity and sub-systems in design may provide guidance,
applying FMMD means deciding on the members for {\fgs}
and the subsequent hierarchy.
@ -56,7 +56,7 @@ With software already written, the hierarchies are given.
To apply FMMD to software, the elements used by a software function are collected, along with the function itself
to form a {\fg}.
%
When the failure mode behaviour of this {\fg} has been analysed and its failure mode symptoms collected, a {\dc} can be created.
When the failure mode behaviour of this software {\fg} has been analysed and its failure mode symptoms collected, a {\dc} can be created.
%
That {\dc} can be
used by functions that call the function just analysed.
@ -255,18 +255,19 @@ value from the external equipment is read.
Consider a software function that reads a {\ft} input, and returns a value between 0 and 999 (i.e. per mil $\permil$)
representing the current detected; plus an additional error indication flag.
%
Let us assume the {\ft} detection is via a \ohms{220} resistor, and that a voltage is read
From figure~\ref{fig:ftcontext} the {\ft} detection is via a \ohms{220} resistor and the a voltage is read
from an ADC into the software.
%
Any value outside the 4mA to 20mA range can be defined as an error condition.
Because the signal is {\ft}
any value outside the 4mA to 20mA range can be defined as an error condition.
%
As voltage (rather than current) is read by an ADC, Ohms law~\cite{aoe} is used to
determine the mA current detected: $V=IR$, $0.004A \times \ohms{220} = 0.88V$
and $0.020A \times \ohms{220} = 4.4V$.
%
The acceptable voltage range\footnote{For the purpose of clarity we are ignoring resistor tolerance
for this example. In a practical {\ft} reader we would factor in resistor tolerance to the limits, or
allow `deadbands' of $\approx \half mA$ at either end of the range.}
The acceptable voltage range\footnote{For the purpose of clarity resistor tolerance has been ignored.
In a practical {\ft} reader resistor tolerance would be factored into the limits, or
`deadbands' of $\approx \half mA$ at either end of the range would be implemented.}
is therefore
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
@ -462,8 +463,8 @@ With these failure modes defined, analysis can begin on the {\fg} $G_1$, see tab
\label{tbl:cmatv}
\begin{tabular}{|| l | c | l ||} \hline \hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\
\textbf{cause} & \textbf{Effect} & \textbf{ } \\
\hline \hline
1: $R_{OPEN}$ & resistor open, & $HIGH$ \\
& voltage on pin high & \\ \hline
@ -514,7 +515,7 @@ the function must be sent the correct channel number.
%
\fmmdglossCONTRACTPROG
%
A violation of this can be considered a {\fm} of the function,
A violation of this can be considered a {\fm} for the function,
which is termed $ CHAN\_NO $.
%
The reference voltage for the ADC has a 0.1\% accuracy requirement.
@ -543,8 +544,8 @@ This analysis is performed in table~\ref{tbl:radc}. %{ hardware/software combine
\caption{{\fg} $G_2$: Failure Mode Effects Analysis} % title of Table
\label{tbl:radc}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\
\textbf{cause} & \textbf{Effect} & \textbf{} \\
\hline
1: ${CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\
& read & \\ \hline
@ -701,7 +702,7 @@ With this analysis
a complete `reasoning~path' linking the failures modes from the
electronics to those in the software has been created.
%
Each functional group to {\dc} transition represents a
Each {\fg} to {\dc} transition represents a
reasoning stage\footnote{Each of these reasoning stages, will have a reasoning distance
associated with it, and because {\fgs} are generally small %we can apply XFMEA
XFMEA can be applied
@ -828,32 +829,33 @@ variable power output~\cite{aoe}[p.360]).
%
PWM's ADC's and MUX's are commonly built into cheap micro-controllers~\cite{pic18f2523}[Ch.15].
%
The Yourdon diagram is refined, by adding detail to both the afferent data flow coming through the MUX and ADC on the micro-controller and the efferent
channelled through a PWM module. %again built into the micro-controller,
%
%and add more detail, see figure~\ref{fig:context_diagram2_PID}.
\begin{figure}[h]+
\centering
\includegraphics[width=400pt]{./CH5_Examples/context_diagram2_PID.png}
% context_diagram_PID.png: 818x324 pixel, 72dpi, 28.86x11.43 cm, bb=0 0 818 324
\caption{Yourdon Context Diagram for PID Temperature Controller.}
\caption{Yourdon data flow diagram for PID Temperature Controller identifying initial processing nodes.}
\label{fig:context_diagram2_PID}
\end{figure}
%
\clearpage
%
The Yourdon methodology provides model refinement, by zooming into data transform bubbles, analysing them in more
depth and creating more paths and transform bubbles which further define the data flow and processing. % required.
%
The Yourdon diagram is refined, by adding detail to both the afferent data flow coming through the MUX and ADC on the micro-controller and the efferent
channelled through a PWM module. %again built into the micro-controller,
%
This next stage of model refinement is shown in figure~\ref{fig:context_diagram2_PID}.
%
The controlling software is defined, by looking at or zooming into transform bubbles
and refining them by adding detail.
%
Following the data streams through the process, additional transform bubbles are created as required.
The controlling software is then further refined, by looking at or zooming into transform bubbles
and adding more detail i.e. following the data streams through the process, additional transform bubbles are created as required.
%
The lines connecting the `transform~bubbles' define the data passed between them.
%
When the data transform analysis is finished, each transform bubble represents a software function.
When the data flow analysis is finished, each transform bubble represents a software function.
%
Because the connecting lines define the data passed between transform bubbles,
the inputs and outputs of the associated software functions are also defined.
@ -885,7 +887,7 @@ functions should be called to control the process, or in `C' terms be the main f
\centering
\includegraphics[width=400pt]{./CH5_Examples/context_software.png}
% context_software.png: 1023x500 pixel, 72dpi, 36.09x17.64 cm, bb=0 0 1023 500
\caption{Context diagram of the software in the PID temperature controller}
\caption{Final Yourdon data flow diagram which has defined the software functions for the PID temperature controller}
\label{fig:contextsoftware}
\end{figure}
%
@ -904,7 +906,7 @@ this is clearly going to be the monitor function.
\centering
\includegraphics[width=300pt]{./CH5_Examples/context_calltree.png}
% context_calltree.png: 800x783 pixel, 72dpi, 28.22x27.62 cm, bb=0 0 800 783
\caption{Software yourdon diagram converted to programatic call tree.}
\caption{Software: Yourdon data flow diagram converted to programatic call tree.}
\label{fig:context_calltree}
\end{figure}
%
@ -1025,8 +1027,9 @@ Identified Software Components:
%
%
With the call tree structure defined (see figure~\ref{fig:context_calltree}),
hierarchy compatible with FMMD for analysis is obtained.
However, it is only the top, the software, part of the hierarchy.
a hierarchy compatible with FMMD for analysis has been obtained.
%
However, it is only the top, i.e. the software, part of the hierarchy.
%
FMMD is a bottom-up process thus start at the lowest level, i.e. the electronics.
%
@ -1044,10 +1047,11 @@ Staring with the afferent data flow for the temperature readings, the lowest
level in the hierarchy is found, the Pt100 sensor.
%with the software, and consider the hardware elements
%used (if any) by each software function.
Starting at the bottom, a {\fg} is formed with
%Starting
Beginning at the bottom, a {\fg} is formed with
the function \cf{read\_ADC} and the Pt100.
This gives a {\dc}, %which we call
`Read\_Pt100'.
`Read\_Pt100' (see appendix~\ref{sec:readPt100}).
%
%
%
@ -1103,7 +1107,7 @@ Following the afferent flow further, the function to determine the control error
%
This is simply the target temperature subtracted from that measured by the sensor.
%
A {\fg} is formed with our newly {\dc} Get\_Temperature
A {\fg} is formed with the newly {\dc} Get\_Temperature
and the function \cf{determine\_set\_point\_error}.
%
The pre-condition for \cf{determine\_set\_point\_error} is that the temperature read by it
@ -1161,7 +1165,7 @@ it is the calling function that sets the context for the \cf{PID} function (i.e
%
%
%
The {\dc} PID is created, with the following failure modes:
The {\dc} PID is created, see table~\ref{tbl:pidfunction}, with the following failure modes:
%
$$ fm(PID) = \{ KnownControlValueErrorV, IncorrectControlErrorV \} .$$
%
@ -1203,7 +1207,7 @@ to implement the power output demand.
%
%
%
A {\dc} is created called HeaterOutput
A {\dc} is created called HeaterOutput, see table~\ref{tbl:heateroutput},
with the following failure modes:
$$fm(HeaterOutput) = \{ HeaterOnFull, HeaterOff, HeaterOutputIncorrect \} .$$
%
@ -1322,7 +1326,7 @@ The PID temperature control example above, shows that complete hybrid software/e
modelled using FMMD.
%
The analysis has revealed system level failure modes that are un-handled and some that are undetectable.
The FMMD model can be traversed from undesirable top level failures to the {\bc} {\fms} that are the cause.
The FMMD model can be traversed from undesirable top level failures to the {\bc} {\fms} that are the causes.
\fmmdglossOBS
%
This means that by using FMMD, the sub-systems which require
@ -1333,7 +1337,7 @@ SIL levels, make this a desirable feature of any FMEA based methodology.
%
For the failure modes caused
by electronics, reliability statistics can be applied, and the possibilities of using higher rated
components instead of expensive re-design can be simulated/modelled.
components instead of potentially expensive re-design can be simulated/modelled.
%
For software errors, it may be necessary to provide extra functions to provide self checking.
%

121
submission_thesis/CH7_Evaluation/copy.tex
View File

@ -19,7 +19,7 @@ complexity of applying FMEA to a group of components.
These formulae are then used for a hypothetical example, which is analysed by both FMEA and FMMD.
%
%After analysing hypothetical examples, the
The hypothetical example gives a general formula, which shows that the reasoning distance
The hypothetical example leads to a general formula, which shows that the reasoning distance
goes from a polynomial to a logarithmic order comparing XFMEA with FMMD.
%
%This means that for
@ -146,7 +146,7 @@ Using the language developed in the previous chapters,
a system for analysis is considered as a collection %{\fg}
of components.
%
This is a set of components as $G$, and the number of components in it
This is a set of components $G$, and the number of components in it
$ | G | $. %,
%(an indexing and sub-scripting notation to identify particular {\fgs}
%within an FMMD hierarchy is given in section~\ref{sec:indexsub}).
@ -171,7 +171,7 @@ The number of potential failure modes of a component, $c$, is $ | fm(c) | .$
Indexing the components in the system under investigation $ c_1, c_2 \ldots c_{|G|} $ allows expression of
the number of checks required to exhaustively % rigorously
examine every
failure mode against all the other components in a system in equation~\ref{eqn:CC}.
failure mode against all the other components in a system (see equation~\ref{eqn:CC}).
%
Comparison Complexity can be represented by a function $CC$, with its domain as $G$, and
its range as the number of checks---or reasoning stages---to perform to satisfy an XFMEA inspection.
@ -252,7 +252,7 @@ The {\fg} with the potential divider and the operational amplifier has an $\alph
% \end{equation}
An FMMD hierarchy will have reducing numbers of {\fgs} the hierarchy is traversed upwards.
An FMMD hierarchy will have reducing numbers of {\fgs} as the hierarchy is traversed upwards.
%
In order to calculate its comparison~complexity, equation~\ref{eqn:CC} must be applied to
all {\fgs} on each level.
@ -309,9 +309,9 @@ i.e. a {\fg} with two components, one with four failure modes and the other (th
$$CC(invamp) = 2 \times 1 + 4 \times 1 = 6 . $$
%
The two calculated complexities are added to determine the
amount of reasoning paths to analyse the amplifier using FMMD.
number of reasoning paths to analyse the amplifier using FMMD.
%
The potential divider has a $CC$ of four and the amplifier section a $CC$ of six.
The potential divider has a {\cc} of four and the amplifier section a {\cc} of six.
%
To analyse the inverting amplifier with FMMD it required 10 reasoning stages.
%
@ -417,7 +417,7 @@ Using the diagram in figure~\ref{fig:three_tree}, there are three levels of anal
Starting at the top, there is a {\fg} with three derived components, each of which has
three failure modes.
%
Thus the number of checks to make in the top level is $3^0\times3\times2\times3 = 18$.
Thus the number of checks to make, or {\cc}, in the top level is $3^0\times3\times2\times3 = 18$.
%
On the level below that, there are three {\fgs} each with
an identical number of checks, $3^1 \times 3 \times 2 \times 3 = 56$. %{\fg}
@ -487,17 +487,18 @@ $$
%
For FMMD (where within {\fgs} the analysis \textbf{is exhaustive}) it only requires
720 reasoning paths.
%
%
%
\subsubsection{Plotting XFMEA and FMMD reasoning distance}
Using the gnuplot utility~\cite{gnuplot,Janert:2009:GAU:1631269} and implementing equation~\ref{eqn:fmea_state_exp22} for
XFMEA and equation~\ref{eqn:anscen} for FMMD reasoning distances and using a logarithmic axis for reasoning distance
comparison is performed graphically.
XFMEA and equation~\ref{eqn:anscen} for FMMD reasoning distances and using a logarithmic axis, the reasoning distance
comparison is shown as a graph. %performed graphically.
%
The gnuplot script used to
produce figure~\ref{fig:xfmeafmmdcomp} may be found in section~\ref{sec:gnuplotxfmeafmmdcomp}.
produce the comparison graph %figure~\ref{fig:xfmeafmmdcomp}
is listed in section~\ref{sec:gnuplotxfmeafmmdcomp}.
\begin{figure}[h]
\centering
@ -507,14 +508,18 @@ produce figure~\ref{fig:xfmeafmmdcomp} may be found in section~\ref{sec:gnuplotx
\label{fig:xfmeafmmdcomp}
\end{figure}
Looking at the graph in figure~\ref{fig:xfmeafmmdcomp} it is seen that the reasoning distance
Looking at the graph in figure~\ref{fig:xfmeafmmdcomp} it is seen that acceptable reasoning distances
for large numbers of components becomes extremely difficult to achieve
for traditional FMEA.
%
%
This shows that FMMD, by analysing a system in a modular and hierarchical
way, has reduced the amount of analysis work significantly.
%
It can be seen that the reasoning distance has gone from a polynomial to a logarithmic order.
%
By applying FMMD large group for analysis has be decimated into
a hierarchy of much smaller groups and applied XFMEA {\em within} these.
%By applying FMMD large group for analysis has be decimated into
%a hierarchy of much smaller groups and applied XFMEA {\em within} these.
%
In mathematical terms this means the polynomial order has been converted
to logarithmic by being able to take exponentiation values out
@ -542,12 +547,13 @@ compared to the DFT algorithm.
All the FMMD examples in chapters \ref{sec:chap5}
and \ref{sec:chap6} showed a marked reduction in comparison
complexity compared to the {\XFMEA} worst case figures.
complexity compared to {\XFMEA}. % worst case figures.
%
To calculate {\XFMEA} comparison complexity equation~\ref{eqn:CC} is used.
%
%
Complexity comparison vs. {\XFMEA} for the first three examples
are presented in table~\ref{tbl:firstcc}.
are presented in the following table~\ref{tbl:firstcc}.
%
%\usepackage{multirow}
\begin{table}
@ -614,27 +620,31 @@ are presented in table~\ref{tbl:firstcc}.
\end{table}
% end table
The complexity comparison figures for the example circuits in chapter~\ref{sec:chap5} show
that for the non trival examples, as
that for the non-trivial examples, as
more levels in the FMMD hierarchy are used, the performance
gain over {\XFMEA} becomes apparent. %for increasing complexity the performance benefits from FMMD are apparent.
gain over {\XFMEA} is demonstrated. %becomes apparent. %for increasing complexity the performance benefits from FMMD are apparent.
\clearpage
\subsection{Comparison Complexity for the Bubba Oscillator Example.}
\subsection{Comparison Complexity for the Bubba Oscillator Example}
%
The Bubba oscillator example (see section~\ref{sec:bubba}) was chosen because it had a circular
signal path. It was also analysed twice, once by
signal path.
%
It was also analysed twice, once by
{na\"{\i}vely} using the first {\fgs} identified, and secondly by de-composing
the circuit further.
%
These two analyses are used to compare the effect on comparison complexity (see table~\ref{tbl:bubbacc}) with that of {\XFMEA}.
These two analyses are used to compare the effect on comparison complexity % REF DOES NOT WORK (see table~\ref{tbl:bubbacc11})
with that of {\XFMEA}.
%
\begin{table}
\label{tbl:bubbacc}
\label{tbl:bubbacc11}
%
\begin{tabular}{ |c|l|l|c| }
\hline
\textbf{Hierarchy} & \textbf{Derived} & \textbf{Complexity} & $|fm(c)|$: \textbf{number} \\
\textbf{Level} & \textbf{Component} & \textbf{Comparison} & \textbf{of derived} \\
@ -691,6 +701,7 @@ These two analyses are used to compare the effect on comparison complexity (see
\hline
\end{tabular}
%\label{tbl:bubbacc}
\caption{Complexity Comparison figures for the Bubba Oscillator FMMD example (see section~\ref{sec:bubba}).}
\end{table}
%
@ -757,6 +768,8 @@ This is where the modular approach aids understanding and analysis.
When following this circuit through in a traditional way, following signal paths that
are level shifted, adds to the complication of analysing it for failures.
%
That is the signal path crosses from analogue to digital signalling and vice versa.
%
% \subsection{Exponential squared to Exponential}
%
% can I say that ?
@ -857,7 +870,8 @@ formally;
%
%
\begin{equation}
\exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} .
% \exists f_1,f_2 \in F \dot ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} .
\exists f_1,f_2 \in F \; where\; ( f_1 \neq f_2 \wedge \mathcal{ACTIVE}({f_1}) \wedge \mathcal{ACTIVE}({f_2}) ) \implies F \not\in \mathcal{U} .
\end{equation}
%
%
@ -1218,7 +1232,7 @@ $$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 .$$
%
As the test cases are all different and are of the correct cardinalities (6 single faults and (15-3) double)
there is confidence that all `double combinations' of the possible faults
have been checked in the Pt100 circuit.
have been checked in the Pt100 circuit (see section~\ref{sec:Pt100d}).
%The next task is to investigate
%these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.
@ -1292,7 +1306,7 @@ that system will not exhibit faulty behaviour.
%
%We can say that the OK state corresponds to the empty set.
%
Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is
Thus the statistical sample space $\Omega$ for a component or derived~component $C$ is:
%$$ \Omega = {OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3} ... failure\_mode_{N} $$
$$ \Omega(C) = \{OK, failure\_mode_{1},failure\_mode_{2},failure\_mode_{3}, \ldots ,failure\_mode_{N}\} . $$
The failure mode set $F$ for a given component or derived~component $C$
@ -1344,7 +1358,8 @@ failure modes are unitary state.
Suppose that a component that can fail simultaneously
with more than one failure mode is included in an analysis.
%
This would make it seemingly impossible to model as `unitary state'.
This would make it %seemingly
impossible to model as `unitary state'.
%
%
\paragraph{De-composition of complex component.}
@ -1355,7 +1370,8 @@ The component could be considered a composite
of two simpler components, and their interaction modelled to
create a derived component (i.e. use FMMD).
%
The second way to do this would be to consider the combinations of non-mutually
The second way %to do this
would be to consider the combinations of non-mutually
exclusive {\fms} as new {\fms}: this approach is discussed below.
\ifthenelse {\boolean{paper}}
@ -1375,8 +1391,8 @@ This technique is outside the scope of this paper.
\end{figure}
\paragraph{Combinations become new failure modes.}
% FUCK OFF
the combinations
%
The combinations
of the non-mutually exclusive failure modes could be considered as new failure modes.
%
An Euler diagram representation of
@ -1417,8 +1433,8 @@ Thus for $P(B_1 \cap B_2) = P(B_1)P(B_2)$ and $P(B_1 \cap B_3) = P(B_1)P(B_3)$.
\caption{Component with two new failure modes}
\label{fig:combco3}
\end{figure}
%OH FUCCCCKKKKKKKKKKKKKKKKK OFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
%
%
Consider the shaded areas as new failure modes of the component (see figure \ref{fig:combco3}).
Because of the combinations, the probabilities for the failure modes
$B_1, B_2$ and $B_3$ will now reduce.
@ -1454,11 +1470,10 @@ of functional groups. These are:
\end{itemize}
%
If a deliberately `bad' {\fg} were chosen it would be found that,
on analysis, the component failure modes would not aggregate--i.e. be collectable as---common
symptoms.
on analysis, the component failure modes would not aggregate i.e. be collectable as common symptoms.
%
This would be because, with non-functionally adjacent
components, their failures often cause non-common failure symptoms. % for the {\fg}.
components, their failures will typically cause non-common failure symptoms. % for the {\fg}.
%
That is a well defined module will typically have a larger number of component failures than failure symptoms.
%
@ -1472,15 +1487,16 @@ to warn of potentially poorly chosen {\fgs}.
\subsubsection{Side Effects: A Problem for FMMD analysis}
\label{sec:sideeffects}
A problem with modularising according to functionality is that it could
have cause failures that would % poss split infinitive
A problem with modularising according to functionality is that %it could
%have cause failures that would % poss split infinitive
components that would
intuitively be associated with one {\fg}
that could cause unintended side effects in other
could cause unintended side effects in other
{\fgs}.
%
For instance to have a component that on failing $SHORT$ could bring down
a voltage supply rail, could have drastic consequences for other
functional groups in the system. % pissare examining.
functional groups in the system. %
\pagebreak[3]
\subsubsection{Example de-coupling capacitors in logic circuits}
@ -1498,8 +1514,8 @@ are a potential source of the symptom, $SUPPLY\_SHORT$.
In a logic chip/digital circuit {\fg} open capacitors are a potential
source of symptoms caused by the failure mode $INTERFERENCE$.
%
So a `symptom' of the power-supply, and a `failure~mode' of
the logic chip to consider.
%So a `symptom' of the power-supply, and a `failure~mode' of
%the logic chip to consider.
%
A possible solution to this is to include the de-coupling capacitors
in the power-supply {\fg}.
@ -1507,13 +1523,13 @@ in the power-supply {\fg}.
% I think so
Because the capacitor has two potential failure modes (EN298),
this raises another issue for FMMD.
%Because the capacitor has two potential failure modes, OPEN and SHORT, % (EN298),
%this raises another issue for FMMD.
%
A de-coupling capacitor going $OPEN$ might not be considered relevant to
a power-supply module (but there might be additional noise on its output rails).
%
But in {\fg} terms, the power supply now has a new symptom that of $INTERFERENCE$.
But in {\fg} terms, the power supply now has a new symptom, that of $INTERFERENCE$.
%
Some logic chips are more susceptible to $INTERFERENCE$ than others.
%
@ -1532,13 +1548,14 @@ This allows for the general principle of a component failure affecting more than
%
This allows functional groups to share components where necessary.
%
This does not break the modularity of the FMMD technique, because, as {\irl},
one component failure may affect more than one sub-system.
%This does not break the modularity of the FMMD technique, because, as {\irl},
%one component failure may affect more than one sub-system.
%
It does uncover a weakness in the FMMD methodology though.
%It does uncover a weakness in the FMMD methodology though.
%
It could be very easy to miss the side effect and include
the component causing the side effect into the wrong {\fg}, or only one germane {\fg}.
With poorly chosen {\fgs} it would be possible to miss side effects in analysis.
%and include
%the component causing the side effect into the wrong {\fg}, or only one germane {\fg}.
%\section{Evaluation}

2
submission_thesis/appendixes/detailed_analysis.tex
View File

@ -502,7 +502,7 @@ $$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$
\section{Standalone temperature controller}
FMMD analysis tables from chapter~\ref{sec:chap6}.
\label{sec:readPt100}
\subsection{Read\_Pt100: Failure Mode Effects Analysis}
{
\tiny

2
submission_thesis/style.tex
View File

@ -7,7 +7,7 @@
\DeclareMathSymbol{\C}{\mathbin}{AMSb}{"43}
%\DeclareMathSymbol{\hh}{\mathbin}{AMSb}{"48}
\newcommand{\cc}{comparison~complexity}
\newcommand{\ft}{\ensuremath{4\!\!\rightarrow\!\!20mA} }
\newcommand{\tenfifty}{\ensuremath{10\!\!\rightarrow\!\!50mA} }
\usepackage{graphicx}