diff --git a/submission_thesis/CH4_FMMD/copy.tex b/submission_thesis/CH4_FMMD/copy.tex
index 80cbd61..4ca2bb4 100644
--- a/submission_thesis/CH4_FMMD/copy.tex
+++ b/submission_thesis/CH4_FMMD/copy.tex
@@ -488,7 +488,7 @@ FMEA (because the analysis is typically performed in several small stages).
 \section{Worked Example: Non-Inverting Amplifier}
-
+\label{sec:noninvamp}
 %% here bring in sys safety paper from 2011 %%
 %% GARK BEGIN
diff --git a/submission_thesis/CH5_Examples/Makefile b/submission_thesis/CH5_Examples/Makefile
index 9da1b77..8c40b2f 100644
--- a/submission_thesis/CH5_Examples/Makefile
+++ b/submission_thesis/CH5_Examples/Makefile
@@ -5,7 +5,8 @@ PNG_DIA = blockdiagramcircuit2.png bubba_oscillator_block_diagram.png circuit1
 poss1finalbubba.png poss2finalbubba.png pt100.png pt100_doublef.png pt100_singlef.png \
 pt100_tc.png pt100_tc_sp.png shared_component.png stat_single.png three_tree.png \
 tree_abstraction_levels.png vrange.png sigma_delta_block.png ftcontext.png ct1.png hd.png \
- sigdel1.png sdadc.png bubba_euler_1.png bubba_euler_2.png eulersd.png eulersdfinal.png
+ sigdel1.png sdadc.png bubba_euler_1.png bubba_euler_2.png eulersd.png eulersdfinal.png \
+ eulerfivepole.png eulerswhw.png
diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex
index fb9020d..1b10b77 100644
--- a/submission_thesis/CH5_Examples/copy.tex
+++ b/submission_thesis/CH5_Examples/copy.tex
@@ -26,17 +26,17 @@ a variety of typical embedded system components including analogue/digital and e
 %Each example has been chosen to demonstrate
 %FMMD applied to
 %
-The first section
-~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs}
-(in the context of the safety standards
-we are using for our particular project).
+% % The first section
+% % ~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs}
+% % (in the context of the safety standards
+% % we are using for our particular project).
 %
-This is followed by several example FMMD analyses,
-the first analysing a common configuration of
+%This is followed by several example FMMD analyses,
+The first applies FMMD to a common configuration of
 the inverting amplifier (see section~\ref{sec:invamp}) using
-an op-amp and two resistors, which demonstrates how the re-use of the potential divider from section~\ref{subsec:potdiv}.
-The inverting amplifier is analysed again, but this time with different
-{\fgs}. The two approaches, i.e. choice of membership for {\fgs}, are then discussed.
+an op-amp and two resistors; this demonstrates how the re-use of the potential divider from section~\ref{subsec:potdiv}.
+The inverting amplifier is analysed again, but this time with a different
+composition of {\fgs}. The two approaches, i.e. choice of membership for {\fgs}, are then discussed.
 %~\ref{sec:chap4}
 %can be re-used.
 %, but with provisos. %
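Review bot: The rewritten sentence on the `+an op-amp and two resistors; …` line is left without a main verb: `this demonstrates how the re-use of the potential divider from section~\ref{subsec:potdiv}.` reads as a fragment, the same defect the removed line had. A minimal completion is `this demonstrates how the potential divider from section~\ref{subsec:potdiv} can be re-used.` The newly commented-out `% % ~\ref{sec:determine_fms}` lines are only safe because the later hunk in this diff (starting at old line 126) also comments out the matching `\label{sec:determine_fms}`; if that hunk were ever reverted on its own, the label would become unreferenced rather than undefined, so no build break, but the two changes belong together.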
@@ -44,19 +44,21 @@ The inverting amplifier is analysed again, but this time with different
 %(see section~\ref{sec:diffamp})
 Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used to create a differencing amplifier.
-Building on the two approaches section~\ref{sec:invamp}, re-use of the potential divider {\dc}
+Building on the two approaches from section~\ref{sec:invamp}, re-use of the non-inverting amplifier {\dc}
 from section~\ref{sec:invamp} is discussed in the context of this circuit, where its re-use is appropriate in the first stage and not in the second.
 %
 Section~\ref{sec:fivepolelp} analyses a Sallen-Key based five pole low pass filter.
-This demonstrates FMMD being able to re-use the first Sallen-Key analysis, %encountered as a {\dc}
-thus saving time and effort for the analyst.
+This demonstrates re-use the first Sallen-Key analysis, %encountered as a {\dc}
+increasing test effeciency. %saving time and effort for the analyst.
 %
 Section~\ref{sec:bubba} shows FMMD applied to a circular circuit topology---the `Bubba' oscillator---which uses
-four op-amp stages with supporting components.
+four op-amp stages with supporting components. Two analysis stategies are employed, one using
+initially identified {\fgs} and the second using a more complex hierarchy of {\fgs} and {\dcs}.
 %
-Section~\ref{sec:sigmadelta} shows FMMD analysing the sigma delta analogue to digital converter---again with a circular signal path---but which also operates on both
+Section~\ref{sec:sigmadelta} shows FMMD analysing the sigma delta
+analogue to digital converter---again with a circular signal path---which operates on both
 analogue and digital signals.
 %
 % Moving Pt100 to metrics
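Review bot: The added line now speaks of `re-use of the non-inverting amplifier {\dc}`, but the unchanged context line that follows still says `from section~\ref{sec:invamp}`, which the previous hunk identifies as the inverting-amplifier section; the CH4 hunk in this same diff adds `\label{sec:noninvamp}` to the non-inverting amplifier worked example, which looks like the intended target, so the context line should probably become `from section~\ref{sec:noninvamp} is discussed in the context of this circuit, …`. The added lines also carry slips that will survive into the typeset text: `This demonstrates re-use the first Sallen-Key analysis,` is missing `of`, `effeciency` should be `efficiency`, and `stategies` should be `strategies`. Finally, `increasing test effeciency` replaces the removed `saving time and effort for the analyst`, but what is re-used here is an analysis result rather than a test, so `increasing analysis efficiency` may be what is meant.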
@@ -126,453 +128,461 @@ Finally section~\ref{sec:elecsw} demonstrates FMMD analysis of a combined electr % -\section{Determining the failure modes of components} -\label{sec:determine_fms} -In order to apply any form of FMEA we need to know the ways in which -the components we are using can fail. + +%%%% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX % -A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124]. +% This section might fit in with the literature review.... Chris thinks its not relevant here +% and I agree 20OCT2012 % -Typically when choosing components for a design, we look at manufacturers' data sheets -which describe functionality, physical dimensions -environmental ranges, tolerances and can indicate how a component may fail/misbehave -under given conditions. -% -How base components could fail internally, is not of interest to an FMEA investigation. -The FMEA investigator needs to know what failure behaviour a component may exhibit. %, or in other words, its modes of failure. -% -A large body of literature exists which gives guidance for determining component {\fms}. -% -For this study FMD-91~\cite{fmd91} and the gas burner standard EN298~\cite{en298} are examined. -%Some standards prescribe specific failure modes for generic component types. -In EN298 failure modes for most generic component types are listed, or if not listed, -determined by considering all pins OPEN and all adjacent pins shorted. -%a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted -%are examined. -% -% -FMD-91 is a reference document released into the public domain by the United States DOD -and describes `failures' of common electronic components, with percentage statistics for each failure. -% -FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation. 
-% -FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of -component {\fms} suitable for use in FMEA. -% -A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for -component types, but does not detail specific failure modes. -% -Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes -of component types. -% -The FMEDA process from European standard EN61508~\cite{en61508} for instance, -requires statistics for Meantime to Failure (MTTF) for all {\bc} failure modes. - +%%%% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -% One is from the US military document FMD-91, where internal failures -% of components are described (with stats). -% -% The other is EN298 where the failure modes for generic component types are prescribed, or -% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted -% is applied. These techniques -% -% The FMD-91 entries need, in some cases, some interpretation to be mapped to -% component failure symptoms, but include failure modes that can be due to internal failures. -% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC. -% -% Could I come in and see you Chris to quickly discuss these. -% -% I hope to have chapter 5 finished by the end of March, chapter 5 being the -% electronics examples for the FMMD methodology. - -In this section we look in detail at two common electrical components and examine how -the two sources of information define their failure mode behaviour. -We look at the reasons why some known failure modes % are omitted, or presented in -%specific but unintuitive ways. -%We compare the US. military published failure mode specifications wi -can be found in one source but not in the others and vice versa. 
-% -Finally we compare and contrast the failure modes determined for these components -from the FMD-91 reference source and from the guidelines of the -European burner standard EN298. - -\subsection{Failure mode determination for generic resistor.} -\label{sec:resistorfm} -%- Failure modes. Prescribed failure modes EN298 - FMD91 -\paragraph{Resistor failure modes according to FMD-91.} - - -The resistor is a ubiquitous component in electronics, and is therefore a good candidate for detailed examination of its failure modes. -% -FMD-91\cite{fmd91}[3-178] lists many types of resistor -and lists many possible failure causes. -For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes: -\begin{itemize} - \item Opened 52\% - \item Drift 31.8\% - \item Film Imperfections 5.1\% - \item Substrate defects 5.1\% - \item Shorted 3.9\% - \item Lead damage 1.9\% -\end{itemize} -% This information may be of interest to the manufacturer of resistors, but it does not directly -% help a circuit designer. -% The circuit designer is not interested in the causes of resistor failure, but to build in contingency -% against {\fms} that the resistor could exhibit. -% We can determine these {\fms} by converting the internal failure descriptions -% to {\fms} thus: -To make this useful for FMEA/FMMD we must assign each failure cause to an arbitrary failure mode descriptor -as shown below. -% -%and map these failure causes to three symptoms, -%drift (resistance value changing), open and short. - -\begin{itemize} - \item Opened 52\% $\mapsto$ OPENED - \item Drift 31.8\% $\mapsto$ DRIFT - \item Film Imperfections 5.1\% $\mapsto$ OPEN - \item Substrate defects 5.1\% $\mapsto$ OPEN - \item Shorted 3.9\% $\mapsto$ SHORT - \item Lead damage 1.9\% $\mapsto$ OPEN. -\end{itemize} -% -The main causes of drift are overloading of components. -This is borne out in in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure -modes do not include drift. 
-% -If we can ensure that our resistors will not be exposed to overload conditions, the -probability of drift (sometimes called parameter change) occurring -is significantly reduced, enough for some standards to exclude it~\cite{en298}~\cite{en230}. - -\paragraph{Resistor failure modes according to EN298.} - -EN298, the European gas burner safety standard, tends to be give failure modes more directly usable by FMEA than FMD-91. -EN298 requires that a full FMEA be undertaken, examining all failure modes -of all electronic components~\cite{en298}[11.2 5] as part of the certification process. -% -Annex A of EN298, prescribes failure modes for common components -and guidance on determining sets of failure modes for complex components (i.e. integrated circuits). -EN298~\cite{en298}[Annex A] (for most types of resistor) -only requires that the failure mode OPEN be considered for FMEA analysis. -% -For resistor types not specifically listed in EN298, the failure modes -are considered to be either OPEN or SHORT. -The reason that parameter change is not considered for resistors chosen for an EN298 compliant system, is that they must be must be {\em downrated}. -That is to say the power and voltage ratings of components must be calculated -for maximum possible exposure, with a 40\% margin of error. This reduces the probability -that the resistors will be overloaded, -and thus subject to drift/parameter change. - -% XXXXXX get ref from colin T - -%If a resistor was rated for instance for - -%These are useful for resistor manufacturersthey have three failure modes -%EN298 -%Parameter change not considered for EN298 because the resistors are down-rated from -%maximum possible voltage exposure -- find refs. - - -% FMD-91 gives the following percentages for failure rates in -% \label{downrate} -% The parameter change, is usually a failure mode associated with over stressing the component. 
-%In a system designed to typical safety critical constraints (as in EN298) -%these environmentally induced failure modes need not be considered. - -\subsubsection{Resistor Failure Modes} -\label{sec:res_fms} -For this study we will take the conservative view from EN298, and consider the failure -modes for a generic resistor to be both OPEN and SHORT. -i.e. -\label{ros} -$$ fm(R) = \{ OPEN, SHORT \} . $$ - -\subsection{Failure modes determination for generic operational amplifier} - -\begin{figure}[h+] - \centering - \includegraphics[width=200pt]{CH5_Examples/lm258pinout.jpg} - % lm258pinout.jpg: 478x348 pixel, 96dpi, 12.65x9.21 cm, bb=0 0 359 261 - \caption{Pinout for an LM358 dual OpAmp} - \label{fig:lm258} -\end{figure} - -The operational amplifier (op-amp) %is a differential amplifier and -is very widely used in nearly all fields of modern analogue electronics. -They are typically packaged in dual or quad configurations---meaning -that a chip will typically contain two or four amplifiers. -For the purpose of example, we look at -a typical op-amp designed for instrumentation and measurement, the dual packaged version of the LM358~\cite{lm358} -(see figure~\ref{fig:lm258}), and use this to compare the failure mode derivations from FMD-91 and EN298. - -\paragraph{ Failure Modes of an OpAmp according to FMD-91 } - -%Literature suggests, latch up, latch down and oscillation. -For OpAmp failures modes, FMD-91\cite{fmd91}{3-116] states, -\begin{itemize} - \item Degraded Output 50\% Low Slew rate - poor die attach - \item No Operation - overstress 31.3\% - \item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier 12.5\% - \item Opened $V_+$ open 6.3\% -\end{itemize} - -Again these are mostly internal causes of failure, more of interest to the component manufacturer -than a designer looking for the symptoms of failure. -We need to translate these failure causes within the OpAmp into {\fms}. 
-We can look at each failure cause in turn, and map it to potential {\fms} suitable for use in FMEA -investigations. - -\paragraph{OpAmp failure cause: Poor Die attach} -The symptom for this is given as a low slew rate. This means that the op-amp -will not react quickly to changes on its input terminals. -This is a failure symptom that may not be of concern in a slow responding system like an -instrumentation amplifier. However, where higher frequencies are being processed, -a signal may entirely be lost. -We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$. - -\paragraph{No Operation - over stress} -Here the OP\_AMP has been damaged, and the output may be held HIGH or LOW, or may be effectively tri-stated -, i.e. not able to drive circuitry in along the next stages of the signal path: we can call this state NOOP (no Operation). -% -We can map this failure cause to three {\fms}, $LOW$, $HIGH$, $NOOP$. - -\paragraph{Shorted $V_+$ to $V_-$} -Due to the high intrinsic gain of an op-amp, and the effect of offset currents, -this will force the output HIGH or LOW. -We map this failure cause to $HIGH$ or $LOW$. - -\paragraph{Open $V_+$} -This failure cause will mean that the minus input will have the very high gain -of the OpAmp applied to it, and the output will be forced HIGH or LOW. -We map this failure cause to $HIGH$ or $LOW$. - -\paragraph{Collecting OpAmp failure modes from FMD-91} -We can define an OpAmp, under FMD-91 definitions to have the following {\fms}. -\begin{equation} - \label{eqn:opampfms} - fm(OpAmp) = \{ HIGH, LOW, NOOP, LOW_{slew} \} -\end{equation} - - -\paragraph{Failure Modes of an OpAmp according to EN298} - -EN298 does not specifically define OP\_AMPS failure modes; these can be determined -by following a procedure for `integrated~circuits' outlined in -annex~A~\cite{en298}[A.1 note e]. -This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios. 
-We examine these failure scenarios on the dual packaged $LM358$~\cite{lm358}%\mu741$ -and determine its {\fms} in table ~\ref{tbl:lm358}. -Collecting the op-amp failure modes from table ~\ref{tbl:lm358} we obtain the same {\fms} -that we got from FMD-91, listed in equation~\ref{eqn:opampfms}. - - - -%\paragraph{EN298: Open and shorted pin failure symptom determination technique} - - - - - -\begin{table}[h+] -\caption{LM358: EN298 Open and shorted pin failure symptom determination technique} -\begin{tabular}{|| l | l | c | c | l ||} \hline - %\textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\ - \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\ - \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\ - - \hline - - & & & & \\ \hline - - FS1: PIN 1 OPEN & & A output open & & $NOOP_A$ \\ \hline - - FS2: PIN 2 OPEN & & A-input disconnected, & & \\ - & & infinite gain on A+input & & $LOW_A$ or $HIGH_A$ \\ \hline - - FS3: PIN 3 OPEN & & A+input disconnected, & & \\ - & & infinite gain on A-input & & $LOW_A$ or $HIGH_A$ \\ \hline - - FS4: PIN 4 OPEN & & power to chip (ground) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline - - - FS5: PIN 5 OPEN & & B+input disconnected, & & \\ - & & infinite gain on B-input & & $LOW_B$ or $HIGH_B$ \\ \hline - - FS6: PIN 6 OPEN & & B-input disconnected, & & \\ - FS6: PIN 6 OPEN & & infinite gain on B+input & & $LOW_B$ or $HIGH_B$ \\ \hline - - - FS7: PIN 7 OPEN & & B output open & & $NOOP_B$ \\ \hline - - FS8: PIN 8 OPEN & & power to chip & & \\ - FS8: PIN 8 OPEN & & (Vcc) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline - & & & & \\ - & & & & \\ - - & & & & \\ \hline - - FS9: PIN 1 $\stackrel{short}{\longrightarrow}$ PIN 2 & & A -ve 100\% Feed back, low gain & & $LOW_A$ \\ \hline - - FS10: PIN 2 $\stackrel{short}{\longrightarrow}$ PIN 3 & & A inputs shorted, & & \\ - & & output controlled by internal offset & & $LOW_A$ or $HIGH_A$ \\ \hline - - FS11: PIN 3 
$\stackrel{short}{\longrightarrow}$ PIN 4 & & A + input held to ground & & $LOW_A$ \\ \hline - - FS12: PIN 5 $\stackrel{short}{\longrightarrow}$ PIN 6 & & B inputs shorted, & & \\ - & & output controlled by internal offset & & $LOW_B$ or $HIGH_B$ \\ \hline - - FS13: PIN 6 $\stackrel{short}{\longrightarrow}$ PIN 7 & & B -ve 100\% Feed back, low gain & & $LOW_B$ \\ \hline - - FS14: PIN 7 $\stackrel{short}{\longrightarrow}$ PIN 8 & & B output held high & & $HIGH_B$ \\ \hline - - -\hline -\end{tabular} -\label{tbl:lm358} -\end{table} - - -%\clearpage - -\subsubsection{Failure modes of an OpAmp} - -\label{sec:opamp_fms} -For the purpose of the examples to follow, the op-amp will -have the following failure modes:- - -$$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$ - - -\subsection{Comparing the component failure mode sources} - - -The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures. -The FMD-91 entries for op-amps are not directly usable as -component {\fms} in FMEA or FMMD and require interpretation. - -%For our OpAmp example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$) -%is missing from the EN298 failure modes set. - - -% FMD-91 -% -% I have been working on two examples of determining failure modes of components. -% One is from the US military document FMD-91, where internal failures -% of components are described (with stats). -% -% The other is EN298 where the failure modes for generic component types are prescribed, or -% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted -% is applied. These techniques -% -% The FMD-91 entries need, in some cases, some interpretation to be mapped to -% component failure symptoms, but include failure modes that can be due to internal failures. -% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC. 
-% -% Could I come in and see you Chris to quickly discuss these. -% -% I hope to have chapter 5 finished by the end of March, chapter 5 being the -% electronics examples for the FMMD methodology. - - - - - -\clearpage - - -%% -%% Paragraph using failure modes to build from bottom up -%% - - - - - -% \section{ FMMD overview} -% -% In the next sections we apply FMMD to electronic circuits, analogue/digital and electronic/software hybrids. -% The basic principles of FMMD are presented here for clarity. -% -% \paragraph{ Creating a fault hierarchy.} -% The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc} -% level up to the top, or system level, with analysis stages between each -% transition to a higher level in the hierarchy. -% -% -% The first stage is to choose -% {\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components. -% %These parts all have associated fault modes. A module is a set fault~modes. -% From the point of view of failure analysis, -% we are not interested in the components themselves, but in the ways in which they can fail. -% -% A {\fg} is a collection of components that perform some simple task or function. +% \section{Determining the failure modes of components} +% \label{sec:determine_fms} +% In order to apply any form of FMEA we need to know the ways in which +% the components we are using can fail. % % -% In order to determine how a {\fg} can fail, -% we need to consider all the failure modes of all its components. +% A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124]. % % -% By analysing the fault behaviour of a `{\fg}' with respect to all its components failure modes, -% we can determine its symptoms of failure. -% %In fact we can call these -% %the symptoms of failure for the {\fg}. 
-% -% With these symptoms (a set of derived faults from the perspective of the {\fg}) -% we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways. +% Typically when choosing components for a design, we look at manufacturers' data sheets +% which describe functionality, physical dimensions +% environmental ranges, tolerances and can indicate how a component may fail/misbehave +% under given conditions. % % -% In other words, we have taken a {\fg} and analysed how -% \textbf{it} can fail according to the failure modes of its components, and then can -% determine the {\fg} failure modes. -% -% \paragraph{Creating a derived component.} -% We create a new `{\dc}' which has -% the failure symptoms of the {\fg} from which it was derived, as its set of failure modes. -% This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}. +% How base components could fail internally, is not of interest to an FMEA investigation. +% The FMEA investigator needs to know what failure behaviour a component may exhibit. %, or in other words, its modes of failure. % % -% \paragraph{An example of a {\dc}.} -% To give an example of this, we could look at the components that -% form, say an amplifier. We look at how all the components within it -% could fail and how that would affect the amplifier. +% A large body of literature exists which gives guidance for determining component {\fms}. % % -% The ways in which the amplifier can be affected are its symptoms. +% For this study FMD-91~\cite{fmd91} and the gas burner standard EN298~\cite{en298} are examined. +% %Some standards prescribe specific failure modes for generic component types. +% In EN298 failure modes for most generic component types are listed, or if not listed, +% determined by considering all pins OPEN and all adjacent pins shorted. +% %a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted +% %are examined. 
+% % % % -% When we have determined the symptoms, we can -% create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms). -% We can now treat $AMP1$ as a pre-analysed, higher level component. -% %The amplifier is an abstract concept, in terms of the components. -% To a make an `amplifier' we have to connect a group of components -% in a specific configuration. This specific configuration corresponds to -% a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}. -% -% -% %What this means is the `fault~symptoms' of the module have been derived. +% FMD-91 is a reference document released into the public domain by the United States DOD +% and describes `failures' of common electronic components, with percentage statistics for each failure. % % -% %When we have determined the fault~modes at the module level these can become a set of derived faults. -% %By taking sets of derived faults (module level faults) we can combine these to form modules -% %at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way, -% %to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed -% %as parts, parts which may now be combined to create new functional groups, -% %but as parts at a higher level of fault abstraction. -% \paragraph{Building the Hierarchy.} -% We can now apply the same process of building {\fgs} but with {\dcs} instead of {\bcs}. -% We can bring {\dcs} -% together to form functional groups and then create new {\dcs} -% at even higher abstraction levels. Eventually we will have a hierarchy -% that converges to one top level {\dc}. At this stage we have a complete failure -% mode model of the system under investigation. +% FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation. 
+% % +% FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of +% component {\fms} suitable for use in FMEA. +% +% A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for +% component types, but does not detail specific failure modes. +% % +% Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes +% of component types. +% % +% The FMEDA process from European standard EN61508~\cite{en61508} for instance, +% requires statistics for Meantime to Failure (MTTF) for all {\bc} failure modes. % -% \begin{figure}[h] +% +% % One is from the US military document FMD-91, where internal failures +% % of components are described (with stats). +% % +% % The other is EN298 where the failure modes for generic component types are prescribed, or +% % determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted +% % is applied. These techniques +% % +% % The FMD-91 entries need, in some cases, some interpretation to be mapped to +% % component failure symptoms, but include failure modes that can be due to internal failures. +% % The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC. +% % +% % Could I come in and see you Chris to quickly discuss these. +% % +% % I hope to have chapter 5 finished by the end of March, chapter 5 being the +% % electronics examples for the FMMD methodology. +% +% In this section we look in detail at two common electrical components and examine how +% the two sources of information define their failure mode behaviour. +% We look at the reasons why some known failure modes % are omitted, or presented in +% %specific but unintuitive ways. +% %We compare the US. military published failure mode specifications wi +% can be found in one source but not in the others and vice versa. 
+% % +% Finally we compare and contrast the failure modes determined for these components +% from the FMD-91 reference source and from the guidelines of the +% European burner standard EN298. +% +% \subsection{Failure mode determination for generic resistor.} +% \label{sec:resistorfm} +% %- Failure modes. Prescribed failure modes EN298 - FMD91 +% \paragraph{Resistor failure modes according to FMD-91.} +% +% +% The resistor is a ubiquitous component in electronics, and is therefore a good candidate for detailed examination of its failure modes. +% % +% FMD-91\cite{fmd91}[3-178] lists many types of resistor +% and lists many possible failure causes. +% For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes: +% \begin{itemize} +% \item Opened 52\% +% \item Drift 31.8\% +% \item Film Imperfections 5.1\% +% \item Substrate defects 5.1\% +% \item Shorted 3.9\% +% \item Lead damage 1.9\% +% \end{itemize} +% % This information may be of interest to the manufacturer of resistors, but it does not directly +% % help a circuit designer. +% % The circuit designer is not interested in the causes of resistor failure, but to build in contingency +% % against {\fms} that the resistor could exhibit. +% % We can determine these {\fms} by converting the internal failure descriptions +% % to {\fms} thus: +% To make this useful for FMEA/FMMD we must assign each failure cause to an arbitrary failure mode descriptor +% as shown below. +% % +% %and map these failure causes to three symptoms, +% %drift (resistance value changing), open and short. +% +% \begin{itemize} +% \item Opened 52\% $\mapsto$ OPENED +% \item Drift 31.8\% $\mapsto$ DRIFT +% \item Film Imperfections 5.1\% $\mapsto$ OPEN +% \item Substrate defects 5.1\% $\mapsto$ OPEN +% \item Shorted 3.9\% $\mapsto$ SHORT +% \item Lead damage 1.9\% $\mapsto$ OPEN. +% \end{itemize} +% % +% The main causes of drift are overloading of components. 
+% This is borne out in in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure +% modes do not include drift. +% % +% If we can ensure that our resistors will not be exposed to overload conditions, the +% probability of drift (sometimes called parameter change) occurring +% is significantly reduced, enough for some standards to exclude it~\cite{en298}~\cite{en230}. +% +% \paragraph{Resistor failure modes according to EN298.} +% +% EN298, the European gas burner safety standard, tends to be give failure modes more directly usable by FMEA than FMD-91. +% EN298 requires that a full FMEA be undertaken, examining all failure modes +% of all electronic components~\cite{en298}[11.2 5] as part of the certification process. +% % +% Annex A of EN298, prescribes failure modes for common components +% and guidance on determining sets of failure modes for complex components (i.e. integrated circuits). +% EN298~\cite{en298}[Annex A] (for most types of resistor) +% only requires that the failure mode OPEN be considered for FMEA analysis. +% % +% For resistor types not specifically listed in EN298, the failure modes +% are considered to be either OPEN or SHORT. +% The reason that parameter change is not considered for resistors chosen for an EN298 compliant system, is that they must be must be {\em downrated}. +% That is to say the power and voltage ratings of components must be calculated +% for maximum possible exposure, with a 40\% margin of error. This reduces the probability +% that the resistors will be overloaded, +% and thus subject to drift/parameter change. +% +% % XXXXXX get ref from colin T +% +% %If a resistor was rated for instance for +% +% %These are useful for resistor manufacturersthey have three failure modes +% %EN298 +% %Parameter change not considered for EN298 because the resistors are down-rated from +% %maximum possible voltage exposure -- find refs. 
+% +% +% % FMD-91 gives the following percentages for failure rates in +% % \label{downrate} +% % The parameter change, is usually a failure mode associated with over stressing the component. +% %In a system designed to typical safety critical constraints (as in EN298) +% %these environmentally induced failure modes need not be considered. +% +% \subsubsection{Resistor Failure Modes} +% \label{sec:res_fms} +% For this study we will take the conservative view from EN298, and consider the failure +% modes for a generic resistor to be both OPEN and SHORT. +% i.e. +% \label{ros} +% $$ fm(R) = \{ OPEN, SHORT \} . $$ +% +% \subsection{Failure modes determination for generic operational amplifier} +% +% \begin{figure}[h+] % \centering -% \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png} -% % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292 -% \caption{FMMD Hierarchy showing ascending abstraction levels} -% \label{fig:treeabslev} +% \includegraphics[width=200pt]{CH5_Examples/lm258pinout.jpg} +% % lm258pinout.jpg: 478x348 pixel, 96dpi, 12.65x9.21 cm, bb=0 0 359 261 +% \caption{Pinout for an LM358 dual OpAmp} +% \label{fig:lm258} % \end{figure} % -% Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg} -% is shown as a `$\derivec$' symbol. +% The operational amplifier (op-amp) %is a differential amplifier and +% is very widely used in nearly all fields of modern analogue electronics. +% They are typically packaged in dual or quad configurations---meaning +% that a chip will typically contain two or four amplifiers. +% For the purpose of example, we look at +% a typical op-amp designed for instrumentation and measurement, the dual packaged version of the LM358~\cite{lm358} +% (see figure~\ref{fig:lm258}), and use this to compare the failure mode derivations from FMD-91 and EN298. 
+%
+% \paragraph{ Failure Modes of an OpAmp according to FMD-91 }
+%
+% %Literature suggests, latch up, latch down and oscillation.
+% For OpAmp failures modes, FMD-91\cite{fmd91}{3-116] states,
+% \begin{itemize}
+% \item Degraded Output 50\% Low Slew rate - poor die attach
+% \item No Operation - overstress 31.3\%
+% \item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier 12.5\%
+% \item Opened $V_+$ open 6.3\%
+% \end{itemize}
+%
+% Again these are mostly internal causes of failure, more of interest to the component manufacturer
+% than a designer looking for the symptoms of failure.
+% We need to translate these failure causes within the OpAmp into {\fms}.
+% We can look at each failure cause in turn, and map it to potential {\fms} suitable for use in FMEA
+% investigations.
+%
+% \paragraph{OpAmp failure cause: Poor Die attach}
+% The symptom for this is given as a low slew rate. This means that the op-amp
+% will not react quickly to changes on its input terminals.
+% This is a failure symptom that may not be of concern in a slow responding system like an
+% instrumentation amplifier. However, where higher frequencies are being processed,
+% a signal may entirely be lost.
+% We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$.
+%
+% \paragraph{No Operation - over stress}
+% Here the OP\_AMP has been damaged, and the output may be held HIGH or LOW, or may be effectively tri-stated
+% , i.e. not able to drive circuitry in along the next stages of the signal path: we can call this state NOOP (no Operation).
+% %
+% We can map this failure cause to three {\fms}, $LOW$, $HIGH$, $NOOP$.
+%
+% \paragraph{Shorted $V_+$ to $V_-$}
+% Due to the high intrinsic gain of an op-amp, and the effect of offset currents,
+% this will force the output HIGH or LOW.
+% We map this failure cause to $HIGH$ or $LOW$.
+%
+% \paragraph{Open $V_+$}
+% This failure cause will mean that the minus input will have the very high gain
+% of the OpAmp applied to it, and the output will be forced HIGH or LOW.
+% We map this failure cause to $HIGH$ or $LOW$.
+%
+% \paragraph{Collecting OpAmp failure modes from FMD-91}
+% We can define an OpAmp, under FMD-91 definitions to have the following {\fms}.
+% \begin{equation}
+% \label{eqn:opampfms}
+% fm(OpAmp) = \{ HIGH, LOW, NOOP, LOW_{slew} \}
+% \end{equation}
 % %
-%
+% \paragraph{Failure Modes of an OpAmp according to EN298}
 %
+% EN298 does not specifically define OP\_AMPS failure modes; these can be determined
+% by following a procedure for `integrated~circuits' outlined in
+% annex~A~\cite{en298}[A.1 note e].
+% This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios.
+% We examine these failure scenarios on the dual packaged $LM358$~\cite{lm358}%\mu741$
+% and determine its {\fms} in table ~\ref{tbl:lm358}.
+% Collecting the op-amp failure modes from table ~\ref{tbl:lm358} we obtain the same {\fms}
+% that we got from FMD-91, listed in equation~\ref{eqn:opampfms}.
+%
+%
+%
+% %\paragraph{EN298: Open and shorted pin failure symptom determination technique}
+%
+%
+%
+%
+%
+% \begin{table}[h+]
+% \caption{LM358: EN298 Open and shorted pin failure symptom determination technique}
+% \begin{tabular}{|| l | l | c | c | l ||} \hline
+% %\textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\
+% \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\
+% \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
+%
+% \hline
+%
+% & & & & \\ \hline
+%
+% FS1: PIN 1 OPEN & & A output open & & $NOOP_A$ \\ \hline
+%
+% FS2: PIN 2 OPEN & & A-input disconnected, & & \\
+% & & infinite gain on A+input & & $LOW_A$ or $HIGH_A$ \\ \hline
+%
+% FS3: PIN 3 OPEN & & A+input disconnected, & & \\
+% & & infinite gain on A-input & & $LOW_A$ or $HIGH_A$ \\ \hline
+%
+% FS4: PIN 4 OPEN & & power to chip (ground) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
+%
+%
+% FS5: PIN 5 OPEN & & B+input disconnected, & & \\
+% & & infinite gain on B-input & & $LOW_B$ or $HIGH_B$ \\ \hline
+%
+% FS6: PIN 6 OPEN & & B-input disconnected, & & \\
+% FS6: PIN 6 OPEN & & infinite gain on B+input & & $LOW_B$ or $HIGH_B$ \\ \hline
+%
+%
+% FS7: PIN 7 OPEN & & B output open & & $NOOP_B$ \\ \hline
+%
+% FS8: PIN 8 OPEN & & power to chip & & \\
+% FS8: PIN 8 OPEN & & (Vcc) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
+% & & & & \\
+% & & & & \\
+%
+% & & & & \\ \hline
+%
+% FS9: PIN 1 $\stackrel{short}{\longrightarrow}$ PIN 2 & & A -ve 100\% Feed back, low gain & & $LOW_A$ \\ \hline
+%
+% FS10: PIN 2 $\stackrel{short}{\longrightarrow}$ PIN 3 & & A inputs shorted, & & \\
+% & & output controlled by internal offset & & $LOW_A$ or $HIGH_A$ \\ \hline
+%
+% FS11: PIN 3 $\stackrel{short}{\longrightarrow}$ PIN 4 & & A + input held to ground & & $LOW_A$ \\ \hline
+%
+% FS12: PIN 5 $\stackrel{short}{\longrightarrow}$ PIN 6 & & B inputs shorted, & & \\
+% & & output controlled by internal offset & & $LOW_B$ or $HIGH_B$ \\ \hline
+%
+% FS13: PIN 6 $\stackrel{short}{\longrightarrow}$ PIN 7 & & B -ve 100\% Feed back, low gain & & $LOW_B$ \\ \hline
+%
+% FS14: PIN 7 $\stackrel{short}{\longrightarrow}$ PIN 8 & & B output held high & & $HIGH_B$ \\ \hline
+%
+%
+% \hline
+% \end{tabular}
+% \label{tbl:lm358}
+% \end{table}
+%
+%
+% %\clearpage
+%
+% \subsubsection{Failure modes of an OpAmp}
+%
+% \label{sec:opamp_fms}
+% For the purpose of the examples to follow, the op-amp will
+% have the following failure modes:-
+%
+% $$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$
+%
+%
+% \subsection{Comparing the component failure mode sources}
+%
+%
+% The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures.
+% The FMD-91 entries for op-amps are not directly usable as
+% component {\fms} in FMEA or FMMD and require interpretation.
+%
+% %For our OpAmp example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$)
+% %is missing from the EN298 failure modes set.
+%
+%
+% % FMD-91
+% %
+% % I have been working on two examples of determining failure modes of components.
+% % One is from the US military document FMD-91, where internal failures
+% % of components are described (with stats).
+% %
+% % The other is EN298 where the failure modes for generic component types are prescribed, or
+% % determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
+% % is applied. These techniques
+% %
+% % The FMD-91 entries need, in some cases, some interpretation to be mapped to
+% % component failure symptoms, but include failure modes that can be due to internal failures.
+% % The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC.
+% %
+% % Could I come in and see you Chris to quickly discuss these.
+% %
+% % I hope to have chapter 5 finished by the end of March, chapter 5 being the
+% % electronics examples for the FMMD methodology.
+%
+%
+%
+%
+%
+% \clearpage
+%
+%
+% %%
+% %% Paragraph using failure modes to build from bottom up
+% %%
+%
+%
+%
+%
+%
+% % \section{ FMMD overview}
+% %
+% % In the next sections we apply FMMD to electronic circuits, analogue/digital and electronic/software hybrids.
+% % The basic principles of FMMD are presented here for clarity.
+% %
+% % \paragraph{ Creating a fault hierarchy.}
+% % The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc}
+% % level up to the top, or system level, with analysis stages between each
+% % transition to a higher level in the hierarchy.
+% %
+% %
+% % The first stage is to choose
+% % {\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components.
+% % %These parts all have associated fault modes. A module is a set fault~modes.
+% % From the point of view of failure analysis,
+% % we are not interested in the components themselves, but in the ways in which they can fail.
+% %
+% % A {\fg} is a collection of components that perform some simple task or function.
+% % %
+% % In order to determine how a {\fg} can fail,
+% % we need to consider all the failure modes of all its components.
+% % %
+% % By analysing the fault behaviour of a `{\fg}' with respect to all its components failure modes,
+% % we can determine its symptoms of failure.
+% % %In fact we can call these
+% % %the symptoms of failure for the {\fg}.
+% %
+% % With these symptoms (a set of derived faults from the perspective of the {\fg})
+% % we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways.
+% % %
+% % In other words, we have taken a {\fg} and analysed how
+% % \textbf{it} can fail according to the failure modes of its components, and then can
+% % determine the {\fg} failure modes.
+% %
+% % \paragraph{Creating a derived component.}
+% % We create a new `{\dc}' which has
+% % the failure symptoms of the {\fg} from which it was derived, as its set of failure modes.
+% % This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}.
+% % %
+% % \paragraph{An example of a {\dc}.}
+% % To give an example of this, we could look at the components that
+% % form, say an amplifier. We look at how all the components within it
+% % could fail and how that would affect the amplifier.
+% % %
+% % The ways in which the amplifier can be affected are its symptoms.
+% % %
+% % When we have determined the symptoms, we can
+% % create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
+% % We can now treat $AMP1$ as a pre-analysed, higher level component.
+% % %The amplifier is an abstract concept, in terms of the components.
+% % To a make an `amplifier' we have to connect a group of components
+% % in a specific configuration. This specific configuration corresponds to
+% % a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
+% %
+% %
+% % %What this means is the `fault~symptoms' of the module have been derived.
+% % %
+% % %When we have determined the fault~modes at the module level these can become a set of derived faults.
+% % %By taking sets of derived faults (module level faults) we can combine these to form modules
+% % %at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way,
+% % %to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed
+% % %as parts, parts which may now be combined to create new functional groups,
+% % %but as parts at a higher level of fault abstraction.
+% % \paragraph{Building the Hierarchy.}
+% % We can now apply the same process of building {\fgs} but with {\dcs} instead of {\bcs}.
+% % We can bring {\dcs}
+% % together to form functional groups and then create new {\dcs}
+% % at even higher abstraction levels. Eventually we will have a hierarchy
+% % that converges to one top level {\dc}. At this stage we have a complete failure
+% % mode model of the system under investigation.
+% %
+% % \begin{figure}[h]
+% % \centering
+% % \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
+% % % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
+% % \caption{FMMD Hierarchy showing ascending abstraction levels}
+% % \label{fig:treeabslev}
+% % \end{figure}
+% %
+% % Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg}
+% % is shown as a `$\derivec$' symbol.
+% %
+% %
+% %
+% % \clearpage
 \section{Example Analysis: Inverting OPAMP}
@@ -596,11 +606,15 @@ Both approaches are followed in the next two sub-sections. \subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}} -We cannot simply re-use the $PD$ from section~\ref{subsec:potdiv}---that potential divider would only be valid if the input signal were negative. -We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'. -If we can refine the operational states of the functional group, we can obtain clearer -symptoms. -If we consider the input will only be positive, we can invert the potential divider (see table~\ref{tbl:pdneg}). +We cannot simply re-use the $PD$ from section~\ref{subsec:potdiv}, not simply because +the potential divider is inverted, but, in addition the +output feedback forms a current balance with the input signal. %---that potential divider would only be valid if the input signal were negative. +%We want if possible to have detectable errors. +%HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'. +%If we can refine the operational states of the functional group, we can obtain clearer +%symptoms. +Were the input to be guaranteed % the input will only be +positive, we could the potential divider (see table~\ref{tbl:pdneg}). \begin{table}[h+] \caption{Inverted Potential divider: Single failure analysis} @@ -664,7 +678,7 @@ We can form a {\dc} from this, and call it an inverted potential divider $INVPD$ We can now form a {\fg} from the OpAmp and the $INVPD$ \begin{table}[h+] -\caption{Inverting Amplifier: Single failure analysis} +\caption{Inverting Amplifier: Single failure analysis using the $PD$ {\dc}} \begin{tabular}{|| l | l | c | c | l ||} \hline %\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline \textbf{Failure} & & \textbf{Inverted Amp. Effect} & & \textbf{Derived Component} \\ 
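Review bot: The rewritten sentence on the new side has lost its verb: `positive, we could the potential divider (see table~\ref{tbl:pdneg}).` should read `positive, we could invert the potential divider (see table~\ref{tbl:pdneg}).`, the `invert` presumably dropped when the old sentence was split around the `%` comment. The sentence before it also reads awkwardly with its doubled connective; `not only because the potential divider is inverted, but also because the output feedback forms a current balance with the input signal.` says the same thing cleanly. The table environment opened at the end of this hunk continues outside it.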
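Review bot: The new caption names the wrong derived component: it says `using the $PD$ {\dc}`, but the functional group introduced on the context line just above it, and the FS1/FS2 rows of this table, use the inverted divider `$INVPD$`. Suggest `\caption{Inverting Amplifier: Single failure analysis using the $INVPD$ {\dc}}` so the caption matches the analysis it heads. The tabular body continues past this hunk.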
@@ -672,13 +686,13 @@ We can now form a {\fg} from the OpAmp and the $INVPD$ \hline FS1: INVPD LOW & & NEGATIVE on -input & & $ HIGH $ \\ - FS2: INVPD HIGH & & Positive on -input & & $ LOW $ \\ + FS2: INVPD HIGH & & Positive on -input & & $ LOW $ \\ \hline - FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline + FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ - FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline + FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ - FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline + FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline \hline @@ -819,20 +833,19 @@ derived component. FS1: R1 SHORT & & NEGATIVE out of range & & $ HIGH $ \\ % FS1: R1 SHORT -ve in & & POSITIVE out of range & & $ OUT OF RANGE $ \\ \hline - FS2: R1 OPEN & & zero output & & $ LOW $ \\ + FS2: R1 OPEN & & zero output & & $ LOW $ \\ \hline % FS2: R1 OPEN -ve in & & zero output & & $ ZERO OUTPUT $ \\ \hline FS3: R2 SHORT & & $INVAMP_{nogain} $ & & $ LOW $ \\ % FS3: R2 SHORT -ve in & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline - FS4: R2 OPEN & & NEGATIVE out of range $ $ & & $ LOW$ \\ + FS4: R2 OPEN & & NEGATIVE out of range $ $ & & $ LOW$ \\ \hline % FS4: R2 OPEN -ve in & & POSITIVE out of range $ $ & & $OUT OF RANGE $ \\ \hline - FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline + FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ - FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline - - FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline + FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ + FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline \hline 
@@ -855,15 +868,19 @@ $$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$ \subsection{Comparison between the two approaches} \label{sec:invampcc} -The first analysis looks at an inverted potential divider, analyses its failure modes, -and from this we obtain a {\dc} (INVPD). -We applied a second analysis stage with the known failure modes of the op-amp and the failure modes of INVPD. - +The first analysis used two FMMD stages. +The first stage analysed an inverted potential divider %, analyses its failure modes, +giving the {\dc}(INVPD). +The second stage analysed a {\fg} comprised of the INVPD and an OpAmp. +% The second analysis (3 components) has to look at the effects of each failure mode of each resistor -on the op-amp circuit. This means more work for the analyst---that is -an increase in the complexity of the analysis---than -simply comparing the two known failure modes -from the pre-analysed inverted potential divider. +on the op-amp circuit. This meant more work for the analyst---that is +an increase in the complexity of the analysis---compared to +checking the two known failure modes +from the pre-analysed inverted potential divider against the OpAmp. +% +Both analysis strategies obtained the same failure modes for the +inverting amplifier (i.e. the same failure modes for the {\dc} INVAMP). % METRICS The complexity comparison figures % METRICS bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$ 
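Review bot: `giving the {\dc}(INVPD).` is missing a space between the macro group and the parenthesis, so the expansion of `\dc` runs straight into `(INVPD)` in the output; `giving the {\dc} (INVPD).` is what is meant. The rewritten paragraph also moves to the past tense (`This meant more work for the analyst`) while the unchanged context line immediately before it still says `The second analysis (3 components) has to look at the effects`; `had to look` would keep the paragraph consistent. The paragraph continues into the `% METRICS` lines beyond this hunk.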
@@ -898,163 +915,170 @@ the input voltages $+V1$ and $+V2$. The circuit is configured so that both inputs use the non-inverting, and thus high impedance inputs, meaning that they will not electrically over-load and/or unduly influence -the sensors supplying the voltage signals used for measurement. +the sensors or circuitry supplying the voltage signals used for measurement. It would be desirable to represent this circuit as a {\dc} called say $DiffAMP$. We begin by identifying functional groups from the components in the circuit. - -\subsection{Functional Group: Potential Divider} -For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{subsec:potdiv}. - -%R1 and R2 perform as a potential divider. -%Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A). -%$$ fm(R) = \{ OPEN, SHORT \}$$ - - - +% WE CAN RE_USE THE NONINVAMP FROM CHAPTER 4 HERE....... +% \subsection{Functional Group: Potential Divider} +% For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{subsec:potdiv}. +% +% %R1 and R2 perform as a potential divider. +% %Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A). 
+% %$$ fm(R) = \{ OPEN, SHORT \}$$
+%
+%
+%
+% % \begin{table}[ht]
+% % \caption{Potential Divider $PD$: Failure Mode Effects Analysis: Single Faults} % title of Table
+% % \centering % used for centering table
+% % \begin{tabular}{||l|c|c|l|l||}
+% % \hline \hline
+% % \textbf{Test} & \textbf{Pot.Div} & \textbf{ } & \textbf{General} \\
+% % \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
+% % % R & wire & res + & res - & description
+% % \hline
+% % \hline
+% % TC1: $R_1$ SHORT & LOW & & LowPD \\
+% % TC2: $R_1$ OPEN & HIGH & & HighPD \\ \hline
+% % TC3: $R_2$ SHORT & HIGH & & HighPD \\
+% % TC4: $R_2$ OPEN & LOW & & LowPD \\ \hline
+% % \hline
+% % \end{tabular}
+% % \label{tbl:pdfmea}
+% % \end{table}
+% %
+% % By collecting the symptoms in table~\ref{tbl:pdfmea} we can create a derived
+% % component $PD$ to represent the failure mode behaviour
+% % of a potential divider.
+%
+% Thus for single failure modes, a potential divider can fail
+% with $fm(PD) = \{PDHigh,PDLow\}$.
+%
+%
+% The potential divider is used to program the gain of IC1.
+% IC1 and PD provide the function of buffering
+% /amplifying the signal $+V1$.
+% We can now examine IC1 and PD as a functional group.
+%
+% \pagebreak[3]
+% \subsection{Functional Group: Amplifier first stage}
+%
+% Let use now consider the op-amp. According to
+% FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
+% latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
+%
+%
+% $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
+%
+%
+% By bringing the $PD$ derived component and the $OPAMP$ into
+% a functional group we can analyse its failure mode behaviour.
+% +% % \begin{table}[ht] -% \caption{Potential Divider $PD$: Failure Mode Effects Analysis: Single Faults} % title of Table +% \caption{Non Inverting Amplifier $NI\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table % \centering % used for centering table % \begin{tabular}{||l|c|c|l|l||} % \hline \hline -% \textbf{Test} & \textbf{Pot.Div} & \textbf{ } & \textbf{General} \\ -% \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\ +% %\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\ +% %\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\ +% \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\ +% \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\ +% % % R & wire & res + & res - & description % \hline % \hline -% TC1: $R_1$ SHORT & LOW & & LowPD \\ -% TC2: $R_1$ OPEN & HIGH & & HighPD \\ \hline -% TC3: $R_2$ SHORT & HIGH & & HighPD \\ -% TC4: $R_2$ OPEN & LOW & & LowPD \\ \hline +% TC1: $OPAMP$ LatchUP & & Output High & & AMPHigh \\ +% TC2: $OPAMP$ LatchDown & & Output Low : Low gain& & AMPLow \\ \hline +% TC3: $OPAMP$ No Operation & & Output Low & & AMPLow \\ +% TC4: $OPAMP$ Low Slew & & Low pass filtering & & LowPass \\ \hline +% TC5: $PD$ LowPD & & Output High & & AMPHigh \\ \hline +% TC6: $PD$ HighPD & & Output Low : Low Gain& & AMPLow \\ \hline +% %TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline % \hline % \end{tabular} -% \label{tbl:pdfmea} +% \label{ampfmea} % \end{table} % -% By collecting the symptoms in table~\ref{tbl:pdfmea} we can create a derived -% component $PD$ to represent the failure mode behaviour -% of a potential divider. +% +% Collecting the symptoms we can see that this amplifier fails +% in 3 ways $\{ AMPHigh, AMPLow, LowPass \}$. +% We can now create a derived component, $NI\_AMP$, to represent it. +% The FMMD reasoning process is represented in the DAG in figure~\ref{fig:noninvdag11}. 
+%
-Thus for single failure modes, a potential divider can fail
-with $fm(PD) = \{PDHigh,PDLow\}$.
+Looking first at the components in the signal path, we notice that we have a non-inverting
+amplifier formed by R1,R2 and IC1. In fact apart from being
+inverted visually on the schematic it is identical to the example
+used in section~\ref{sec:noninvamp} (the first practical example used to demonstrate FMMD).
+We thus re-use this and can express the failure modes for it thus:
-
-The potential divider is used to program the gain of IC1.
-IC1 and PD provide the function of buffering
-/amplifying the signal $+V1$.
-We can now examine IC1 and PD as a functional group.
-
-\pagebreak[3]
-\subsection{Functional Group: Amplifier first stage}
-
-Let use now consider the op-amp. According to
-FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
-latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
-
-
-$$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
-
-
-By bringing the $PD$ derived component and the $OPAMP$ into
-a functional group we can analyse its failure mode behaviour.
-
-
-\begin{table}[ht]
-\caption{Non Inverting Amplifier $NI\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
-\centering % used for centering table
-\begin{tabular}{||l|c|c|l|l||}
-\hline \hline
- %\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
- %\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
- \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\
- \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
-
-% R & wire & res + & res - & description
-\hline
-\hline
- TC1: $OPAMP$ LatchUP & & Output High & & AMPHigh \\
- TC2: $OPAMP$ LatchDown & & Output Low : Low gain& & AMPLow \\ \hline
- TC3: $OPAMP$ No Operation & & Output Low & & AMPLow \\
- TC4: $OPAMP$ Low Slew & & Low pass filtering & & LowPass \\ \hline
- TC5: $PD$ LowPD & & Output High & & AMPHigh \\ \hline
- TC6: $PD$ HighPD & & Output Low : Low Gain& & AMPLow \\ \hline
- %TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
-\hline
-\end{tabular}
-\label{ampfmea}
-\end{table}
-
-
-Collecting the symptoms we can see that this amplifier fails
-in 3 ways $\{ AMPHigh, AMPLow, LowPass \}$.
-We can now create a derived component, $NI\_AMP$, to represent it.
-The FMMD reasoning process is represented in the DAG in figure~\ref{fig:noninvdag11}.
-
-$$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} $$
-
-
-\begin{figure}[h+]
- \centering
- \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
- \tikzstyle{every pin edge}=[<-,shorten <=1pt]
- \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
- \tikzstyle{component}=[fmmde, fill=green!50];
- \tikzstyle{failure}=[fmmde, fill=red!50];
- \tikzstyle{symptom}=[fmmde, fill=blue!50];
- \tikzstyle{annot} = [text width=4em, text centered]
-
-
- \node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
- \node[component] (R1) at (0,-6) {$R_1$};
- \node[component] (R2) at (0,-7.6) {$R_2$};
-
-
- \node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
- \node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
- \node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
- \node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
-
- \node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
- \node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
-
- \node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
- \node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
-
- \path (OPAMP) edge (OPAMPLU);
- \path (OPAMP) edge (OPAMPLD);
- \path (OPAMP) edge (OPAMPNP);
-\path (OPAMP) edge (OPAMPLS);
-
- \path (R1) edge (R1SHORT);
- \path (R1) edge (R1OPEN);
-
- \path (R2) edge (R2SHORT);
- \path (R2) edge (R2OPEN);
-
-
- % Potential divider failure modes
- %
- \node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
- \node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
- \path (R1OPEN) edge (PDHIGH);
- \path (R2SHORT) edge (PDHIGH);
- \path (R2OPEN) edge (PDLOW);
- \path (R1SHORT) edge (PDLOW);
- \node[symptom] (AMPHIGH) at (\layersep*3.4,-3) {$AMP_{HIGH}$};
- \node[symptom] (AMPLOW) at (\layersep*3.4,-5) {$AMP_{LOW}$};
- \node[symptom] (AMPLP) at (\layersep*3.4,-7) {$LOWPASS$};
- \path (PDLOW) edge (AMPHIGH);
- \path (OPAMPLU) edge (AMPHIGH);
- \path (PDHIGH) edge (AMPLOW);
- \path (OPAMPNP) edge (AMPLOW);
- \path (OPAMPLD) edge (AMPLOW);
- \path (OPAMPLS) edge (AMPLP);
-
- \end{tikzpicture}
- % End of code
- \caption{Full DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
- \label{fig:noninvdag11}
- \end{figure}
+$$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} .$$
+%
+%
+% \begin{figure}[h+]
+% \centering
+% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
+% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
+% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
+% \tikzstyle{component}=[fmmde, fill=green!50];
+% \tikzstyle{failure}=[fmmde, fill=red!50];
+% \tikzstyle{symptom}=[fmmde, fill=blue!50];
+% \tikzstyle{annot} = [text width=4em, text centered]
+%
+%
+% \node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
+% \node[component] (R1) at (0,-6) {$R_1$};
+% \node[component] (R2) at (0,-7.6) {$R_2$};
+%
+%
+% \node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
+% \node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
+% \node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
+% \node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
+%
+% \node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
+% \node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
+%
+% \node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
+% \node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
+%
+% \path (OPAMP) edge (OPAMPLU);
+% \path (OPAMP) edge (OPAMPLD);
+% \path (OPAMP) edge (OPAMPNP);
+% \path (OPAMP) edge (OPAMPLS);
+%
+% \path (R1) edge (R1SHORT);
+% \path (R1) edge (R1OPEN);
+%
+% \path (R2) edge (R2SHORT);
+% \path (R2) edge (R2OPEN);
+%
+%
+% % Potential divider failure modes
+% %
+% \node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
+% \node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
+% \path (R1OPEN) edge (PDHIGH);
+% \path (R2SHORT) edge (PDHIGH);
+% \path (R2OPEN) edge (PDLOW);
+% \path (R1SHORT) edge (PDLOW);
+% \node[symptom] (AMPHIGH) at (\layersep*3.4,-3) {$AMP_{HIGH}$};
+% \node[symptom] (AMPLOW) at (\layersep*3.4,-5) 
{$AMP_{LOW}$}; +% \node[symptom] (AMPLP) at (\layersep*3.4,-7) {$LOWPASS$}; +% \path (PDLOW) edge (AMPHIGH); +% \path (OPAMPLU) edge (AMPHIGH); +% \path (PDHIGH) edge (AMPLOW); +% \path (OPAMPNP) edge (AMPLOW); +% \path (OPAMPLD) edge (AMPLOW); +% \path (OPAMPLS) edge (AMPLP); +% +% \end{tikzpicture} +% % End of code +% \caption{Full DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit} +% \label{fig:noninvdag11} +% \end{figure} @@ -1062,7 +1086,7 @@ $$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} $$ The second stage of this amplifier, following the signal path, is the amplifier consisting of $R3,R4,IC2$. - +% This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier. The first amplifier was grounded and received as input `+V1' (presumably a positive voltage). @@ -1088,15 +1112,15 @@ Here it is more intuitive to model the resistors not as a potential divider, but \hline \hline TC1: $OPAMP$ LatchUP & Output High & AMPHigh \\ - TC2: $OPAMP$ LatchDown & Output Low : Low gain & AMPLow \\ \hline + TC2: $OPAMP$ LatchDown & Output Low : Low gain & AMPLow \\ TC3: $OPAMP$ No Operation & Output Low & AMPLow \\ TC4: $OPAMP$ Low Slew & Low pass filtering & LowPass \\ \hline - TC5: $R3\_open$ & +V2 follower & AMPIncorrectOutput\\ \hline + TC5: $R3\_open$ & +V2 follower & AMPIncorrectOutput\\ TC6: $R3\_short$ & Undefined & AMPIncorrectOutput \\ & (impedance of IC1 vs +V2) & \\ \hline TC5: $R4\_open$ & High or Low output & AMPIncorrectOutput \\ & +V2$>$+V1 $\mapsto$ High & \\ - & +V1$>$+V2 $\mapsto$ Low & \\ \hline + & +V1$>$+V2 $\mapsto$ Low & \\ TC6: $R4\_short$ & +V2 follower & AMPIncorrectOutput \\ \hline %TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline \hline 
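Review bot: The new sentence `We thus re-use this and can express the failure modes for it thus:` repeats `thus` within a few words; `We therefore re-use it, and express its failure modes as:` reads better, and the preceding `R1,R2 and IC1` wants a space after the comma. Most of this hunk is the old potential-divider table and the tikz DAG retained as `%`-commented text rather than deleted; with the history in version control, leaving it in the source only makes the chapter harder to read and keeps stale labels such as `\label{fig:noninvdag11}` and `\label{ampfmea}` around in comments. The same applies to the large commented block earlier in this diff (resistor and op-amp failure modes), whose hunk begins before this excerpt.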
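Review bot: The changed row `TC5: $R3\_open$ & +V2 follower & AMPIncorrectOutput\\` keeps the label TC5 although the unchanged row three lines further down is also `TC5: $R4\_open$`, and TC6 is likewise used for both `$R3\_short$` and `$R4\_short$`; the R4 rows should be TC7 and TC8 so each test case has a unique identifier that the text can refer to. The table environment begins and ends outside this hunk.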
@@ -1105,11 +1129,11 @@ Here it is more intuitive to model the resistors not as a potential divider, but \end{table} Collecting the symptoms we can see that this amplifier fails -in 4 ways $\{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput\}$. -We can now create a derived component, $SEC\_AMP$, to represent it. - - -$$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} $$ +in 4 ways %$\{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput\}$. +%We can now +we create a derived component, $SEC\_AMP$, to represent it +with failure modes described by: +$$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} .$$ @@ -1117,7 +1141,7 @@ $$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} $$ %the derived component for $NI\_AMP$ \pagebreak[4] -\subsection{Modelling the circuit} +\subsection{Finishing stage of the $DiffAmp$ Analysis} For the final stage of this we can create a functional group consisting of two derived components of the type $NI\_AMP$ and $SEC\_AMP$. 
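Review bot: Commenting out the set after `in 4 ways` leaves the new side reading `this amplifier fails in 4 ways we create a derived component`, with no punctuation or connective between the two clauses. Change the new line to `in 4 ways; %$\{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput\}$.` (or `in 4 ways, and` before `we create`), and the stray `%We can now` line in the middle of the sentence can simply be deleted rather than kept as a comment.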
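Review bot: The new heading `\subsection{Finishing stage of the $DiffAmp$ Analysis}` spells the derived component `DiffAmp`, whereas the rest of the section writes it `$DiffAMP$` (`called say $DiffAMP$` and `fm (DiffAMP)` elsewhere in this diff); one spelling should be used, presumably `\subsection{Finishing stage of the $DiffAMP$ Analysis}`. If hyperref is loaded, math in a section title also ends up in the PDF bookmarks, where `\texorpdfstring{$DiffAMP$}{DiffAMP}` avoids the warning; I cannot see the preamble from here.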
@@ -1137,14 +1161,14 @@ two derived components of the type $NI\_AMP$ and $SEC\_AMP$. % R & wire & res + & res - & description \hline \hline - TC1: $NI\_AMP$ AMPHigh & opamp 2 driven high & DiffAMPLow \\ - TC2: $NI\_AMP$ AMPLow & opamp 2 driven low & DiffAMPHigh \\ - TC3: $NI\_AMP$ LowPass & opamp 2 driven with lag & DiffAMP\_LP \\ \hline - TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & DiffAMPHigh\\ - TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & DiffAMPLow \\ - TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & DiffAMP\_LP \\ \hline - TC7: $SEC\_AMP$ IncorrectOutput & Output voltage & DiffAMPIncorrect \\ - TC7: $SEC\_AMP$ & $ \neg (V2 - V1) $ & \\ \hline + TC1: $NI\_AMP$ AMPHigh & IC2 output driven high & DiffAMPLow \\ + TC2: $NI\_AMP$ AMPLow & IC2 output driven low & DiffAMPHigh \\ + TC3: $NI\_AMP$ LowPass & IC2 output with lag & DiffAMP\_LP \\ \hline + TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & DiffAMPHigh\\ + TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & DiffAMPLow \\ + TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & DiffAMP\_LP \\ + TC7: $SEC\_AMP$ IncorrectOutput & Output voltage & DiffAMPIncorrect \\ + & $ \neg (V2 - V1) $ & \\ \hline \hline \end{tabular} \label{ampfmea} @@ -1152,10 +1176,8 @@ two derived components of the type $NI\_AMP$ and $SEC\_AMP$. -Collecting the symptoms, we can determine the failure modes for this circuit, $\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$. - - -We now create a derived component to represent the circuit in figure~\ref{fig:circuit1}. +Collecting symptoms we determine the failure modes for this circuit, %$\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$. +and create a derived component to represent the circuit in figure~\ref{fig:circuit1}. $$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$ 
@@ -1167,7 +1189,7 @@ Using this we can trace any top level fault back to a component failure mode that could have caused it\footnote{ In fact we can re-construct an FTA diagram from the information in this graph. We merely have to choose a top level event and work down using $XOR$ gates.}. - +% This circuit performs poorly from a safety point of view. Its failure modes could be indistinguishable from valid readings (especially when it becomes a V2 follower). @@ -1181,14 +1203,14 @@ when it becomes a V2 follower). \end{figure} The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is impossible to detect in this circuit--- -in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508 +in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508~\cite{en61508} terminology is called an undetectable fault. % -Were this failure to have safety implications this FMMD analysis will have revealed +Were this failure to have safety implications, this FMMD analysis will have revealed the un-observability and would likely prompt re-design of this circuit\footnote{A typical way to solve an un-observability such as this is -to periodically switch in test signals in place of the input signal.} -. +to periodically switch in test signals in place of the input signal.}. + \clearpage \section{Five Pole Low Pass Filer, using two Sallen~Key stages.} 
@@ -1210,8 +1232,9 @@ Starting at the input, we have a first order low pass filter buffered by an op-a the output of this is passed to a Sallen~Key~\cite{aoe}[p.267]~\cite{electronicssysapproach}[p.288] second order low-pass filter. The output of this is passed into another Sallen~Key filter -- which although it may have different values for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective. -Thus we can analyse the first Sallen~Key low pass filter and re-use the results for the second stage -avoiding the repeat work that would be performed using traditional FMEA. +Thus we can analyse the first Sallen~Key low pass filter and re-use it +for the second stage +(avoiding the repeat work that would have had to be performed using traditional FMEA). \begin{figure}[h] @@ -1229,15 +1252,17 @@ We begin with the first order low pass filter formed by $R10$ and $C10$. % This configuration (or {\fg}) is very commonly used in electronics to remove unwanted high frequencies/interference -from a signal; Here it is being used as a first stage of +from a signal; here it is being used as a first stage of a more sophisticated low pass filter. % R10 and C10 act as a potential divider, with the crucial difference between a purely resistive potential divider being that the impedance of the capacitor is lower for higher frequencies. +% Thus higher frequencies are attenuated at the point that we read its output signal. +% However, from a failure mode perspective we can analyse it in a very similar way -to a potential divider (see section~\ref{potdivfmmd}). +to a potential divider (see section~\ref{subsec:potdiv}). Capacitors generally fail OPEN but some types fail OPEN and SHORT. We will consider the worst case two failure mode model for this analysis. We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\ 
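Review bot: In `re-use it` / `for the second stage` the pronoun now stands for the filter rather than the analysis results the replaced line named; `re-use the results` (as before) or `re-use that analysis` keeps the meaning. The same pronoun problem appears in the @@ -1229 hunk's new sentence `Thus higher frequencies are attenuated at the point that we read its output signal.`, where the preceding subject is the capacitor's impedance, not the R10/C10 network; naming the noun, e.g. `the output of the R10/C10 network`, removes the ambiguity.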
@@ -1266,7 +1291,7 @@ We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\ \end{table} -We can collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component +We collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component called $FirstOrderLP$. Applying the $fm$ function yields $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$ \paragraph{Addition of Buffer Amplifier: First stage.} @@ -1327,7 +1352,7 @@ on the schematic as in figure~\ref{fig:circuit2002_LP1}. \paragraph{Second order Sallen Key Low Pass Filter.} The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3. From a failure mode perspective these are identical. -We can analyse the first one and then re-use these results for the second. +We can analyse the first one and then re-use these results for the second (see figure~\ref{fig:circuit2002_FIVEPOLE}). \begin{table}[ht] \caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table @@ -1357,7 +1382,6 @@ We can analyse the first one and then re-use these results for the second. TC11: C2 OPEN & reduced/incorrect low pass filtering & SKLPfilterIncorrect \\ TC12: C2 SHORT & No input signal, low signal & SKLPnosignal \\ \hline - \hline \hline \end{tabular} \label{tbl:sallenkeylp} 
@@ -1385,13 +1409,13 @@ and this follows the signal flow in the filter circuit (see figure~\ref{fig:bloc As the signal has to pass though each block/stage in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg} in order to get a failure mode model for the whole circuit. -We can index the Sallen Key stages, and these are marked on the ciruit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}. +We can index the Sallen Key stages, and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}. \begin{figure}[h]+ \centering \includegraphics[width=200pt]{CH5_Examples/circuit2002_FIVEPOLE.png} % circuit2002_FIVEPOLE.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331 - \caption{Functional Groups in Five Pole Low Pass Filter on schematic} + \caption{Functional Groups in Five Pole Low Pass Filter: shown as an Euler diagram super-imposed onto the electrical schematic.} \label{fig:circuit2002_FIVEPOLE} \end{figure} 
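Review bot: The context line `\begin{figure}[h]+` directly above the new caption still carries a stray `+` after the placement option, which LaTeX typesets as a literal plus sign in the running text before the figure; the @@ -1401 hunk removes the same artefact from the hierarchy figure but this one is left. It should read `\begin{figure}[h]`, or better `\begin{figure}[htbp]` since `[h]` alone is demoted to `[ht]` with a warning. The new caption's `super-imposed` is conventionally written `superimposed`.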
@@ -1401,11 +1425,18 @@ So our final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_ We represent the desired FMMD hierarchy in figure~\ref{fig:circuit2h}. -\begin{figure}[h]+ +% HTR 20OCT2012 \begin{figure}[h]+ +% HTR 20OCT2012 \centering +% HTR 20OCT2012 \includegraphics[width=300pt]{CH5_Examples/circuit2h.png} +% HTR 20OCT2012 % circuit2h.png: 676x603 pixel, 72dpi, 23.85x21.27 cm, bb=0 0 676 603 +% HTR 20OCT2012 \caption{FMMD Hierarchy for five pole Low Pass Filter} +% HTR 20OCT2012 \label{fig:circuit2h} +% HTR 20OCT2012\end{figure} +\begin{figure}[h] \centering - \includegraphics[width=300pt]{CH5_Examples/circuit2h.png} - % circuit2h.png: 676x603 pixel, 72dpi, 23.85x21.27 cm, bb=0 0 676 603 - \caption{FMMD Hierarchy for five pole Low Pass Filter} + \includegraphics[width=400pt]{./CH5_Examples/eulerfivepole.png} + % eulerfivepole.png: 883x343 pixel, 72dpi, 31.15x12.10 cm, bb=0 0 883 343 + \caption{Euler diagram showing {\fg}/{\dc} relationships for the analysis of the Five Pole Sallen Key filter.} \label{fig:circuit2h} \end{figure} @@ -1547,10 +1578,10 @@ Our functional group for the phase shifter consists of a resistor and a capacito \textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\ \hline - FS1: R SHORT & 0 degree's of phase shift & $0\_phaseshift$ \\ \hline - % 90 degree's of phase shift & & $90\_phaseshift$ \\ \hline + FS1: R SHORT & 0 degree's of phase shift & $0\_phaseshift$ \\ + % 90 degree's of phase shift & & $90\_phaseshift$ FS2: R OPEN & No Signal & $nosignal$ \\ \hline - FS3: C SHORT & Grounded,No Signal & $nosignal$ \\ \hline + FS3: C SHORT & Grounded,No Signal & $nosignal$ \\ FS4: C OPEN & 0 degree's of phase shift & $0\_phaseshift$ \\ \hline \hline 
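Review bot: The figure behind `fig:circuit2h` is now an Euler diagram, but the context sentence that introduces it, `We represent the desired FMMD hierarchy in figure~\ref{fig:circuit2h}.`, still promises a hierarchy diagram; the wording should follow the new content, e.g. `We represent the {\fg}/{\dc} relationships of this analysis as an Euler diagram in figure~\ref{fig:circuit2h}.` The new `\includegraphics[width=400pt]` is an absolute width that may exceed the text block and produce an overfull box; `width=\linewidth` scales with the page layout, and the same applies to the 300pt widths introduced in the @@ -1942, @@ -1954 and @@ -3094 hunks. The seven `% HTR 20OCT2012` lines keep the old figure as dead comments; the file is under git, so the old figure is recoverable from history and the lines can simply be deleted.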
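Review bot: The two rewritten rows keep the misspelling `degree's` (`0 degree's of phase shift` in FS1 and FS4); it should be `degrees`, or `$0^{\circ}$` to match how phase shifts are written later in the chapter (`$45^{\circ}$`, `$135^{\circ}$`). The commented `% 90 degree's of phase shift & & $90\_phaseshift$` row lost its trailing `\\ \hline` in the rewrite, which is harmless while it stays commented but will break the table if the row is ever re-enabled.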
@@ -1591,7 +1622,8 @@ Initially we use the first identified {\fgs} to create our model without further Our functional group for this analysis can be expressed thus: % -$$ G^1_0 = \{ PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} ,$$ +%$$ G^1_0 = \{ PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} ,$$ +$$ G = \{ PHS45, NIBUFF, PHS45, NIBUFF, PHS45, NIBUFF PHS45, INVAMP \} ,$$ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}. % HTR 23SEP2012 \begin{figure}[h+] % HTR 23SEP2012 \centering @@ -1624,7 +1656,7 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}. FS1: $PHS45_1$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\ - FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline % FS3: $PHS45_1$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline FS3: $NIBUFF_1$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\ @@ -1643,7 +1675,7 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}. FS12: $NIBUFF_2$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline FS13: $PHS45_3$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\ - FS14: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS14: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline % FS17: $PHS45_3$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline FS15: $NIBUFF_3$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\ 
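Review bot: The new display `$$ G = \{ PHS45, NIBUFF, PHS45, NIBUFF, PHS45, NIBUFF PHS45, INVAMP \} ,$$` carries over the missing comma between `NIBUFF` and `PHS45` from the commented-out indexed version, and dropping the indices makes the set notation list the same element several times, which as a set collapses to $\{PHS45, NIBUFF, INVAMP\}$. Keeping instance subscripts preserves the intended eight members: `$$ G = \{ PHS45_1, NIBUFF_1, PHS45_2, NIBUFF_2, PHS45_3, NIBUFF_3, PHS45_4, INVAMP \} ,$$`. The table that follows already distinguishes the instances this way (`$PHS45_1$`, `$NIBUFF_1$`), so the display would then agree with it.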
@@ -1652,7 +1684,7 @@ or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}. FS18: $NIBUFF_3$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline FS19: $PHS45_4$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\ - FS20: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ + FS20: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline % FS24: $PHS45_4$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline FS21: $INVAMP$ $OUTOFRANGE$ & & signal lost & & $NO_{osc}$ \\ 
@@ -1720,20 +1752,36 @@ We should be able to determine smaller {\fgs} and refine the model further. \label{fig:bubbaeuler2} \end{figure} +\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator} % -We take the pre-analysed $NIBUFF$ and $PHS45$ -{\dcs} into a {\fg} giving the {\dc} $BUFF45$. - $BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter. -and with those three, form a $PHS135BUFFERED$ -functional group. -$PHS135BUFFERED$ is a {\dc} representing an actively buffered $135^{\circ}$ phase shifter. +We use the pre-analysed $NIBUFF$ and $PHS45$ +{\dcs} to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the +{\dc} $BUFF45$. % -A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers always apply a $180^{\circ}$ phase shift.}, +Thus, $BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter. +% +From the block circuit diagram (figure~\ref{fig:circuit3}), we see that there are three +$45^{\circ}$ phase shifter circuits in series. Together these apply a $135^{\circ}$ phase shift to the signal. +% +We use this property to model a higher level {\dc}, that of a 135 degree phase shifter. +% +The three $BUFF45$ {\dcs} form a +functional group which is analysed in table~\ref{tbl:phs135buffered}. +The result of this analysis is the {\dc} +$PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter. +% + + +\paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator} + +A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.}, form a {\fg} -providing an amplified $225^{\circ}$ phase shift, which we can call $PHS225AMP$. +providing an amplified $225^{\circ}$ phase shift, analysed in table~\ref{tbl:phs225amp} +resulting in the {\dc} $PHS225AMP$. 
% %---with the remaining $PHS45$ and the $INVAMP$ (re-used from section~\ref{sec:invamp})in a second group $PHS225AMP$--- -Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see figure~{fig:bubbaeuler2}) % \ref{fig:poss2finalbubba}) +Finally we form a final {\fg} with $PHS135BUFFERED$ and $PHS225AMP$, +%in a final stage (see figure~{fig:bubbaeuler2}) % \ref{fig:poss2finalbubba}) % %We can take a more modular approach by creating two intermediate functional groups, a buffered $45^{\circ}$ phase shifter (BUFF45) %we can combine three $BUFF45$'s to make @@ -1758,7 +1806,7 @@ Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see fig \hline FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $0\_phaseshift$ \\ - FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline %FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $90\_phaseshift$ \\ \hline FS3: $NIBUFF_1$ $L_{up}$ & & output high & & $NO_{signal}$ \\ 
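Review bot: The rewritten closing sentence `Finally we form a final {\fg} with $PHS135BUFFERED$ and $PHS225AMP$,` ends on a comma and the clause that completed it is now commented out (`%in a final stage ...`), so the paragraph runs on into whatever follows the hunk; it should end with a full stop, e.g. `Finally we form a {\fg} from $PHS135BUFFERED$ and $PHS225AMP$.`, which also drops the `Finally ... final` repetition. The two new `\paragraph{...}` headings omit the trailing full stop that the file's other run-in headings carry (`\paragraph{Addition of Buffer Amplifier: First stage.}`, `\paragraph{Second order Sallen Key Low Pass Filter.}`). `a 135 degree phase shifter` should be written with `$135^{\circ}$` for consistency with the surrounding text. The new references `tbl:buff45`, `tbl:phs135buffered` and `tbl:phs225amp` point at labels not visible in this diff; confirm the tables below actually carry them.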
@@ -1794,15 +1842,15 @@ We can now combine three $BUFF45$ {\dcs} and create a $PHS135BUFFERED$ {\dc}. \hline FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\ - FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline %FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline FS3: $PHS45_2$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\ - FS4: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS4: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline % FS6: $PHS45_2$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline FS5: $PHS45_3$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\ - FS6: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS6: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline % FS9: $PHS45_3$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline @@ -1838,7 +1886,7 @@ $INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$. \hline FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $180\_phaseshift$ \\ - FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ + FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline % FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $270\_phaseshift$ \\ \hline FS3: $INVAMP$ $L_{up}$ & & output high & & $NO_{signal}$ \\ @@ -1920,7 +1968,7 @@ to analyse in the future. %is higher, by an order of $O(N^2)$. Smaller functional groups mean less by-hand checks are required. It also means a more finely grained model. This means that -there are more {\dcs} and this increases the possibility of re-use. +there are more {\dcs} and this increases the potential for re-use of pre-analysed {\dcs}. % HTR The more we can modularise, the more we decimate the $O(N^2)$ effect % HTR of complexity comparison. % 
@@ -1942,7 +1990,7 @@ there are more {\dcs} and this increases the possibility of re-use. The following example is used to demonstrate FMMD analysis of a mixed analogue and digital circuit (see figure~\ref{fig:sigmadelta}). \begin{figure}[h] \centering - \includegraphics[width=200pt]{./CH5_Examples/circuit4004.png} + \includegraphics[width=300pt]{./CH5_Examples/circuit4004.png} % circuit4004.png: 562x389 pixel, 72dpi, 19.83x13.72 cm, bb=0 0 562 389 \caption{Sigma Delta Analogue to Digital Converter} \label{fig:sigmadelta} @@ -1954,7 +2002,7 @@ The following example is used to demonstrate FMMD analysis of a mixed analogue a % \begin{figure}[h] \centering - \includegraphics[width=200pt,keepaspectratio=true]{./CH5_Examples/sigma_delta_block.png} + \includegraphics[width=300pt,keepaspectratio=true]{./CH5_Examples/sigma_delta_block.png} % sigma_delta_block.png: 828x367 pixel, 72dpi, 29.21x12.95 cm, bb=0 0 828 367 \caption{Electrical signal path Block diagram: \sd} % Analogue to Digital Converter } \label{fig:sigmadeltablock} 
@@ -1977,15 +2025,17 @@ The output of the integrator is converted to a digital level (by IC2) %which acts as a comparator, and fed to the D type flip flop. % -The output of the flip flop forms a bit pattern representing the value -of the input voltage. % -The output of the flip flop is also routed to the feedback. -It is level converted to an analogue signal +% +The output of the flip flop is routed to the digital output and to the feedback loop. +It must be level converted before being fed to the analogue feedback. +It is level converted to an analogue signal by IC3. (i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage) and fed into the summing integrator completing the negative feedback loop. % -In essence this implements an over-sampling analogue to digital converter~\cite{ehb}[pp.729-730]. +In essence this implements an over-sampling one bit analogue to digital converter~\cite{ehb}[pp.729-730]. +The output of the flip flop forms a bit pattern representing the value +of the input voltage (i.e. the value of the sum of 1's and 0's is proportional to the voltage value at the input). \subsection{FMMD analysis of \sd } @@ -2000,7 +2050,7 @@ IC1,2 and 3 are all OpAmps and we have failure modes from section~\ref{sec:opamp % $$ fm(OPAMP) = \{ HIGH, LOW, NOOP, LOW\_SLEW \} $$ % -We examine the literature for a failure model for the D-type flip flop~\cite{fmd91}[3-105], the CD4013B~\cite{cd4013Bds}, +We examine the literature for a failure model for the D-type flip flop~\cite{fmd91}[3-105], for example the CD4013B~\cite{cd4013Bds}, and obtain its failure modes, which we can express using the $fm$ function: %% $$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$ 
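Review bot: The two new sentences `It must be level converted before being fed to the analogue feedback.` and `It is level converted to an analogue signal by IC3.` say the same thing twice; merging them, e.g. `Before being fed back it is level converted to an analogue signal by IC3`, reads better. The added parenthesis `the value of the sum of 1's and 0's is proportional to the voltage value at the input` is imprecise, since zeros add nothing to a sum and what varies with the input is the proportion of 1's in the stream; `the proportion of 1's in the bit stream is proportional to the input voltage` states it correctly. `one bit` used as a modifier is conventionally hyphenated, `one-bit analogue to digital converter`.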
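Review bot: The page reference in the new `~\cite{fmd91}[3-105]` sits after the citation, where LaTeX typesets `[3-105]` as literal bracketed text rather than as part of the citation; if it is meant as the cited location, `\cite[3-105]{fmd91}` is the form `\cite` expects. The same pattern appears on context lines elsewhere in the chapter (`\cite{aoe}[p.267]`, `\cite{ehb}[pp.729-730]`, `\cite{misra}[15.2]`), so it may be a deliberate convention, but it is worth deciding once for the whole thesis.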
@@ -2019,7 +2069,7 @@ $$ fm ( CLOCK ) = \{ STOPPED \} $$ \subsection{Identifying initial {\fgs}} \subsubsection{Summing Junction Integrator (SUMJINT)} -We now need to choose {\fgs}. The most obvious way to find initial {\fgs} id +We now need to choose {\fgs}. The most obvious way to find initial {\fgs} is to follow the signal path. The signal path is circular, but we can start with the input voltage, which is applied via $R2$, we term this voltage $V_{in}$. % @@ -2253,8 +2303,8 @@ These are: \item SUMJINT --- A summing junction and integrator, \item HISB --- A High impedance buffer, \item DIGITALBUFF --- A one bit digital buffer, - \item DL2AL --- A digital to analog level converter. - \item DIGBUF --- A digital one bit buffer/memory + \item DL2AL --- A digital to analog level converter, + \item DIGBUF --- A digital one bit buffer/memory. \end{itemize} These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}. We now use these {\dcs} to create higher level {\fgs}. @@ -2297,7 +2347,7 @@ $$ FG = \{ HISB, SUMJINT \} $$ \begin{table}[h+] \caption{ $HISB , SUMJINT$ buffered integrating summing junction($BISJ$): Failure Mode Effects Analysis} % title of Table -\label{tbl:DS2AS} +\label{tbl:BISJ} \begin{tabular}{|| l | l | c | c | l ||} \hline % \textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\ 
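Review bot: Renaming the table label from `tbl:DS2AS` to `tbl:BISJ` leaves any `\ref{tbl:DS2AS}` elsewhere undefined, and the hunk does not show the sentence that refers to this table; please check that the referring `table~\ref{...}` was updated in the same commit, since a stale reference prints as `??` with only a warning. A search for `DS2AS` across the chapter also confirms the old name was not shared with another table.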
@@ -2363,13 +2413,12 @@ We analyse the buffered flip flop circuitry in table~\ref{tbl:digbuf}. \hline \hline - FS1: $DIGBUF$ $STOPPED$ & & output stuck & & $OUTPUT STUCK$ \\ - FS2: $DIGBUF$ $LOW$ & & output stuck low & & $OUTPUT STUCK$ \\ - \\ \hline + FS1: $DIGBUF$ $STOPPED$ & & output stuck & & $OUTPUT STUCK$ \\ + FS2: $DIGBUF$ $LOW$ & & output stuck low & & $OUTPUT STUCK$ \\ \hline %\hline - FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\ - FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\ \hline - FS5: $DL2AL$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\ + FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\ + FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\ + FS5: $DL2AL$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\ \hline \hline @@ -2581,14 +2630,15 @@ and the subsequent hierarchy. With software already written, that hierarchy is f Software written for safety critical systems is usually constrained to be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}. -Because of this we can assume a direct call tree. Functions call functions +Because of this we can assume direct call trees~\footnote{A typical embedded system +will have a run time call tree, and interrupt driven call tress}. Functions call functions from the top down and eventually call the lowest level library or IO functions that interact with hardware/electronics. What is potentially difficult with a software function, is deciding what its failure modes and symptoms are. With electronic components, we can use literature to point us to suitable sets of -{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}.%~\cite{en61508}~\cite{en298}. +{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}. %~\cite{en61508}~\cite{en298}. With software, only some library functions are well known and rigorously documented enough to have the equivalent of known failure modes. Most software is `bespoke'. We need a different strategy to 
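Review bot: The new footnote has a typo and two spacing problems: `interrupt driven call tress` should read `interrupt-driven call trees`, the `~` before `\footnote` inserts an unbreakable space between the word and the footnote mark (marks attach directly to the preceding word), and the footnote text has no terminal full stop. The corrected pair of lines would be `Because of this we can assume direct call trees\footnote{A typical embedded system` / `will have a run-time call tree and interrupt-driven call trees.}. Functions call functions`.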
@@ -2648,7 +2698,8 @@ Should the driving electronics go wrong at the source end, it will usually supply far too little or far too much current, also making error conditions easy to detect. % At the receiving end, we only require one simple component to convert the -current signal into a voltage that we can read with an ADC: a resistor. % the humble resistor! +current signal into a voltage that we can read with an AD---a resistor---given +its properties defined by Ohms law. % the humble resistor! %BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP @@ -3094,14 +3145,22 @@ $$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\} .$$ We can now represent the software/hardware FMMD analysis -as a hierarchical diagram, see figure~\ref{fig:hd}. +as a hierarchical diagram, see figure~\ref{fig:eulerswhw}. % see figure~\ref{fig:hd}. + +% HTR 27OCT2012 % \begin{figure}[h] +% HTR 27OCT2012 % \centering +% HTR 27OCT2012 % \includegraphics[width=200pt]{./CH5_Examples/hd.png} +% HTR 27OCT2012 % % hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520 +% HTR 27OCT2012 % \caption{FMMD hierarchy with hardware and software elements} +% HTR 27OCT2012 % \label{fig:hd} +% HTR 27OCT2012 % \end{figure} \begin{figure}[h] \centering - \includegraphics[width=200pt]{./CH5_Examples/hd.png} - % hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520 - \caption{FMMD hierarchy with hardware and software elements} - \label{fig:hd} + \includegraphics[width=300pt]{./CH5_Examples/eulerswhw.png} + % eulerswhw.png: 510x344 pixel, 72dpi, 17.99x12.14 cm, bb=0 0 510 344 + \caption{Euler diagram showing relationship between {\dcs} determined from electronics and software.} + \label{fig:eulerswhw} \end{figure} diff --git a/submission_thesis/CH5_Examples/eulerfivepole.dia b/submission_thesis/CH5_Examples/eulerfivepole.dia new file mode 100644 index 0000000..3e48591 Binary files /dev/null and b/submission_thesis/CH5_Examples/eulerfivepole.dia differ 
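Review bot: The rewritten line drops the C from the converter's name, `a voltage that we can read with an AD---a resistor---` where the replaced line had `ADC`, and `Ohms law` needs the possessive. With both fixed the lines read `current signal into a voltage that we can read with an ADC---a resistor---given` / `its properties defined by Ohm's law. % the humble resistor!`. The sentence's subject (`At the receiving end, we only require one simple component ...`) starts on the context line above.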
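Review bot: The introducing sentence keeps `as a hierarchical diagram, see figure~\ref{fig:eulerswhw}` while the figure it now points to is, per its new caption, an Euler diagram of the {\dcs}; the wording should follow, e.g. `as an Euler diagram, see figure~\ref{fig:eulerswhw}.` The commented `% see figure~\ref{fig:hd}` and the seven `% HTR 27OCT2012` lines preserve a figure whose label `fig:hd` no longer exists, so any surviving `\ref{fig:hd}` elsewhere is now undefined and worth searching for; the commented block itself is recoverable from git history and can be deleted.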
diff --git a/submission_thesis/CH5_Examples/eulerswhw.dia b/submission_thesis/CH5_Examples/eulerswhw.dia
new file mode 100644
index 0000000..6a9f771
Binary files /dev/null and b/submission_thesis/CH5_Examples/eulerswhw.dia differ
diff --git a/submission_thesis/thesis.tex b/submission_thesis/thesis.tex
index 4233778..094bec6 100644
--- a/submission_thesis/thesis.tex
+++ b/submission_thesis/thesis.tex
@@ -82,7 +82,7 @@ \chapter{Failure Mode Modular Decomposition} \input{CH4_FMMD/copy} -\chapter{Examples of FMMD applied to electronic circuits} +\chapter{FMMD Examples} % {Examples of FMMD applied to electronic circuits} \input{CH5_Examples/copy} \chapter {FMMD Metrics Critiques Exceptions and Evaluation}