all day marathon edit...

thanks to very important people
for one day of work....
message for your changes. Lines starting
This commit is contained in:
Robin Clark 2013-06-15 19:09:08 +01:00
parent 9da2299e7f
commit e544e5bd33
8 changed files with 165 additions and 89 deletions

View File

@ -1107,6 +1107,26 @@ OPTissn = {},
}
@Manual{pic18f25k80erratta,
title = {Datasheet Erratta: PIC18F66K80 Family Silicon Errata and Data Sheet Clarification DS805119D},
OPTkey = {},
author = {Microchip inc},
OPTorganization = {},
address = {http://ww1.microchip.com/downloads/en/DeviceDoc/80519d.pdf},
OPTedition = {},
OPTmonth = {},
year = {2011},
OPTnote = {},
OPTannote = {},
OPTurl = {},
OPTdoi = {},
OPTissn = {},
OPTlocalfile = {},
OPTabstract = {},
}
@Manual{pic18f2523,
title = {PIC18F2523 Datasheet},
OPTkey = {},
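Review bot: the new bib entry spells "Errata" as "Erratta" both in the key `pic18f25k80erratta` and in the `title` field, and puts the document URL in `address` while `OPTurl = {}` is left empty. The title field should read "Datasheet Errata: ..." to match the document it cites, and the link belongs in `url` (un-OPT it) so the bibliography style can render it; if the key is renamed, the matching `\cite{pic18f25k80erratta}` in the conclusions chapter has to change with it. `author = {Microchip inc}` should be `{Microchip Inc.}` (or `{{Microchip Technology Inc.}}` in double braces so BibTeX does not treat it as a personal name). The key also names a PIC18F25K80 while the title is the PIC18F66K80 family errata; worth checking that the document number DS80519D actually covers the part being cited.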

View File

@ -110,14 +110,15 @@ failure mode analysis.
\paragraph{European Safety Requirements increase in scope and complexity.}
At work---which consisted of designing, testing, building and writing embedded `C' and assembly language code for safety critical
industrial burners---we were faced with a new and daunting requirement.
Conformance to the latest European standard, EN298.
Conformance to the latest European standard, EN298~\cite{en298}.
%
It appeared to ask for the impossible:
not only did it require the usual safety measures (self checking of ROM and RAM, watchdog processors with separate clock sources, EMC and the
triple fail safe control of valves), it had one new clause in it that had far reaching consequences.
%
It stated that in the event of a failure, where the controller had gone into a `lockout~state'--- a state where the controller
applies all possible safety measures to stop fuel entering the burner---it could not become dangerous should another fault occur.
applies all possible safety measures to stop fuel entering the burner---it was not permitted to % could not
become dangerous should another fault occur.
%
In short this meant we had to be able to deal with double failures.
%
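Review bot: the sentence "it had one new clause in it that had far reaching consequences" now cites EN298 but still does not identify the clause; since the whole motivation of the chapter rests on this double-failure requirement, name the clause number in the citation (e.g. `\cite[clause~N]{en298}`) so a reader can check it. The rewrite "it was not permitted to % could not" followed by "become dangerous" is safe in LaTeX (the `%` swallows the line break) but leaves the old wording as a trailing comment; drop the comment once the wording is settled. Minor: "lockout~state'---" has no space before the em dash while the surrounding text puts none after either, so keep it consistent with "burner---it" two lines down.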
@ -175,9 +176,13 @@ failures would be analysed, but because failure modes are traceable from the bas
these relationships can be held in a traversable data structure.
%
If held in a traversable data structure we can apply automated methods to search for all the combinations of multiple failure modes
within the model that have been analysed. Because of this, it may not be necessary to apply double checking
within the model that have been analysed. Because of this, it will not always %it may not
be necessary to apply double checking
at all higher levels in the analysis hierarchy, to achieve complete double failure coverage.
%
The point at which it is possible to relax double failure checking can be verified automatically by traversing the
the failure mode model.
%
\subsection{Initial direction: Application of Spider diagrams to FMEA.}
Because, Euler/Spider Diagrams~\cite{howse:spider}
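Review bot: the unchanged context lines "by traversing the / the failure mode model." carry a duplicated "the" across the line break and should be fixed while this paragraph is being edited. The new wording "it will not always be necessary to apply double checking at all higher levels" is a stronger claim than the "may not" it replaces; it would be clearer to state what the traversal verifies, namely that every pair of base component failure modes has already been considered within some functional group below the level in question, which is the condition under which double checking can be relaxed. Also "Because, Euler/Spider Diagrams" in the subsection opening has a stray comma after "Because".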

View File

@ -21,7 +21,7 @@ how we determine the failure modes associated with components.
Two common electrical components, the resistor and the operational amplifier
are examined in the context of two sources of information that define failure modes.
%
A simple example of an FMEA is given, using a hypothetical {\ft} milli-amp reader.
To introduce the concept of FMEA, a simple example is given, using a hypothetical {\ft} milli-amp reader.
%
The four main current FMEA variants are described and we develop %conclude by describing concepts
the concepts
@ -52,7 +52,7 @@ for a large proportion of safety critical products sold in the European Union.
The acronym FMEA can be expanded as follows:
\begin{itemize}
\item \textbf{F - Failures of given component,} Consider a particular component in a system;
\item \textbf{M - Failure Mode,} Choose a component `failure~mode';
\item \textbf{M - Failure Mode,} Choose a particular failure mode of this component; % `failure~mode';
\item \textbf{E - Effects,} Determine the effects this failure mode will cause to the system we are examining;
\item \textbf{A - Analysis,} Analyse how much impact this symptom will have on the environment/operators/the system itself.
\end{itemize}
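Review bot: the unchanged "F" item reads "Failures of given component" and is missing the article ("of a given component"), and the "A" item says "this symptom" where the preceding item introduced "effects"; the expansion would read more consistently as "how much impact these effects will have". The replaced "M" line still carries the old text as a trailing `% `failure~mode';` comment, which can be deleted now that the wording has changed.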
@ -80,6 +80,9 @@ This could be considered a low pass filter in some electrical environments~\cite
but for fixed frequencies the same circuit could be used as a phase changer~\cite{electronicssysapproach}[p.114].
The failure modes of the latter, could be `no~signal' and `all~pass',
but when used as a phase changer, would be `no~signal' and `no~phase' change.
%
The actual failure modes of a group of components, are therefore defined by the
function that they perform.
%
% This chapter describes basic concepts of FMEA, uses a simple example to
% demonstrate a single FMEA analysis stage, describes the four main variants of FMEA in use today
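Review bot: the unchanged context sentence "The failure modes of the latter, could be `no~signal' and `all~pass', but when used as a phase changer, would be `no~signal' and `no~phase' change" contradicts itself: "the latter" refers to the phase changer, yet the second clause contrasts with "when used as a phase changer". It should be "the former" (the low pass filter), and "`no~phase' change" should be "`no~phase~change'" so the whole failure mode name is quoted. The added sentence "The actual failure modes of a group of components, are therefore defined" has a stray comma before "are".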
@ -266,7 +269,7 @@ modes do not include drift.
%
If we can ensure that our resistors will not be exposed to overload conditions, the
probability of drift (sometimes called parameter change) occurring
is significantly reduced, enough for some standards to exclude it~\cite{en298}~\cite{en230}.
is significantly reduced, enough for some standards to exclude it~\cite{en298,en230}.
\paragraph{Resistor failure modes according to EN298.}
@ -371,7 +374,9 @@ For Op-Amp failures modes, FMD-91\cite{fmd91}{3-116] states,
Again these are mostly internal causes of failure, more of interest to the component manufacturer
than a test engineer % designer
looking for the symptoms of failure.
%
We need to translate these failure causes within the Op-Amp into {\fms}.
%
We can look at each failure cause in turn, and map it to potential {\fms} suitable for use in FMEA
investigations.
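Review bot: the hunk header context shows "FMD-91\cite{fmd91}{3-116]" with mismatched delimiters (`{` opened, `]` closed) and "Op-Amp failures modes" for "failure modes"; both are in the unchanged line immediately above this hunk and should be corrected to `\cite[3-116]{fmd91}` and "failure modes" in the same commit. The added sentence "We need to translate these failure causes within the Op-Amp into {\fms}." is a good bridge; the one that follows still repeats the same idea ("We can look at each failure cause in turn, and map it to potential {\fms}"), so the two could be merged.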
@ -417,7 +422,8 @@ This demands that all open connections, and shorts between adjacent pins be cons
We examine these failure scenarios on the dual packaged $LM358$~\cite{lm358} %\mu741$
and determine its {\fms} in table ~\ref{tbl:lm358}.
Collecting the op-amp failure modes from table ~\ref{tbl:lm358} we obtain the same {\fms}
that we got from FMD-91, listed in equation~\ref{eqn:opampfms}.
that we got from FMD-91, listed in equation~\ref{eqn:opampfms}, except for
$LOW_{slew}$.
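Review bot: "table ~\ref{tbl:lm358}" appears twice with a space before the tie; the non-breaking space must directly follow the word (`table~\ref{tbl:lm358}`) or the tie does nothing and a double space is typeset. The new qualification "except for $LOW_{slew}$" is the right correction, since the text now no longer claims the two sources agree exactly; it would help to say here in one clause why the pin-level method cannot see a slew-rate failure, rather than leaving the explanation to the comparison subsection. Setting the part number as `$LM358$` puts it in math italics; `LM358` in text or `\texttt{LM358}` would be the usual typesetting.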
@ -506,7 +512,9 @@ $$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$
\subsection{Comparing the component failure mode sources}
The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures.
The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures,
and that is why is misses the $LOW_{slew}$.
%
The FMD-91 entries for op-amps are not directly usable as
component {\fms} in FMEA or FMMD and require interpretation.
%
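Review bot: typo in the new line: "and that is why is misses the $LOW_{slew}$" should read "and that is why it misses $LOW_{slew}$". The sentence would also be more useful if it named the mechanism: a slew-rate degradation is an internal parametric failure that does not correspond to any open or short on the package pins, which is exactly the class the pinout technique cannot express.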
@ -644,7 +652,9 @@ We have not looked in detail at any side effects of this {\fm}.
To put this in more general terms, have not examined this failure mode
against every other component in the system.
Perhaps we should: this would be a more rigorous and complete
approach in looking for system failures.
approach in looking for system failures. We could term FMEA where
each failure mode is compared against all other components
as exhaustive FMEA (XFMEA).
\section{Theoretical Concepts in FMEA}
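Review bot: the unchanged sentence "To put this in more general terms, have not examined this failure mode against every other component in the system." is missing its subject ("we have not examined"). The new definition of exhaustive FMEA (XFMEA) is introduced here but the term is used in later chapters with an $O(N^2)$ cost attached; consider giving it a `\label` at this point so those references can point back to the definition.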
@ -670,7 +680,8 @@ Most electronic systems are used to process a signal: with signal processing
there is usually a clear path from the signal coming into the system, it being processed in some way, and a resultant effect on
an output or control signal. % afferent to transform to efferent path.
%
That is, there is an input, some processing and an output.
That is, there is an input, some processing and an output. In electronics we might term this a sensor, processing and actuator
model. In software we would term this afferent, transform and efferent data flow.
%
For the purpose of FMEA, we define the signal path as the components used to process the signal.
%
@ -733,7 +744,7 @@ In practise, a compromise is made between the amount of time/money that can be
on analysis relative to the criticality of the project.
Metrics from measuring the amount of work to undertake for FMEA are examined in section~\ref{sec:xfmea}.
\paragraph{Failure Modes and the signal path}
\paragraph{Failure Modes and the signal path.}
In general a component failure mode in an electronic circuit will
change the circuit topology. For a single failure
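Review bot: the hunk header context has "In practise, a compromise is made"; in British English the noun is "practice" ("In practice"), so this unchanged line should be fixed alongside the paragraph title change. The paragraph heading now ends with a full stop, which matches the other `\paragraph` headings changed in this commit; the remaining headings in this file should be checked for the same convention.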
@ -816,7 +827,7 @@ Subjective appraisal of the outcome of a system failure mode can also
be subject to management and/or political pressure.
%
The two most recent variants of FMEA,
FMEDA and FMECA have dipped a metaphorical toe into the subjective realm, FMECA with itself `criticality~factor' and
FMEDA and FMECA have dipped a metaphorical toe into the subjective realm, FMECA with its `criticality~factor' and
FMEDA with its definition of `dangerous'.
%
However, while starting to address the subjective side
@ -839,7 +850,7 @@ Detailed work on subjective analysis is beyond the scope of this study.
FMEA is less useful for determining events for multiple
simultaneous
failures\footnote{Multiple simultaneous failures are taken to mean failures that occur within the same detection period.
Detection periods are typically determined for the process under control. For a flame in an industrial burner this
Detection periods are typically determined for the process under control. For instance, for a flame detector in an industrial burner this
could typically be one second.~\cite{en298}}.
%
Work has been performed using component failure statistics to
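Review bot: in the footnote the citation is placed after the full stop ("one second.~\cite{en298}}."), which typesets the citation outside the sentence; move it inside ("could typically be one second~\cite{en298}."). The rewritten example now says "a flame detector" while the earlier part of the footnote speaks of "the process under control"; since the detection period belongs to the flame supervision function rather than the detector component, "for flame supervision in an industrial burner" would be more precise.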
@ -1124,7 +1135,7 @@ billion ($10^9$) hours of operation~\cite{mil1991}.
\textbf{FMECA $\alpha$ value.}
The failure mode probability, usually denoted by $\alpha$ is the probability of
a particular failure~mode occurring within a component. reference FMD-91.
a particular failure~mode occurring within a component~\cite{fmd91}.
%, should it fail.
%A component with N failure modes will thus have
%have an $\alpha$ value associated with each of those modes.
@ -1200,12 +1211,12 @@ It allows diagnostic mitigation for self checking circuitry.
%
FMEDA requires %does force
the analyst to consider all hardware components in a system
by requiring that a MTTF value is assigned for each base component failure~mode;
by requiring that an MTTF value is assigned for each base component failure~mode;
the MTTF may be statistically mitigated (improved)
if it can be shown that self-checking will detect failure modes.
The MTTF value for each component {\fm} is denoted as $\lambda$'.
The MTTF value for each component {\fm} is denoted using the symbol `$\lambda$'.
%
EN61508 in relation to software provides procedural quality guidelines and constraints (such as forbidding certain
EN61508 regulation in relation to software provides procedural quality guidelines and constraints (such as forbidding certain
programming languages and/or features): it does not provide a means to trace failure mode effects in software
or across the software/hardware interface.
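Review bot: "The MTTF value for each component {\fm} is denoted using the symbol `$\lambda$'" conflates two quantities: in the reliability notation used elsewhere in this chapter (failures per $10^9$ hours, the FIT figures) $\lambda$ denotes a failure rate, and MTTF is a time, the reciprocal of the rate for a constant-rate component. Either say "the failure rate for each component {\fm} is denoted $\lambda$" or introduce a separate symbol for the MTTF, otherwise the FMEDA calculation table that follows will be read inconsistently. Also "EN61508 regulation" is not accurate: EN61508 is a standard; "The EN61508 standard in relation to software" is the safer wording.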
@ -1286,6 +1297,7 @@ by statistically determining how frequently it can fail dangerously.
%\subsection{ FMEDA - Failure Modes Effects and Diagnostic Analysis}
\begin{table}[ht]
\centering
\caption{FMEA Calculations} % title of Table
%\centering % used for centering table
\begin{tabular}{|| l | l | c | c | l ||} \hline
@ -1398,11 +1410,12 @@ However, as with the components that we should check against a {\fm}, there are
the reasoning stages for an FMEA entry.
%FMEA does not stipulat which
Ideally each FMEA entry would contain a reasoning description
for each component the {\fm} is checked against, so that the entry can be reviewed or revisited/audited.
for each component the {\fm} is checked against,
so that the entry can be more easily reviewed or revisited/audited than a traditional FMEA report.
%
Because FMEA is traditionally performed with one entry per component {\fm}, full reasoning descriptions
are rare.
This means that re-use, review and checking of traditional analysis must be started from `cold'.
This means that re-use, review and checking of traditional analysis must often be started from `cold'.
% MOVED TO CH3: 15MAR2013
%

View File

@ -15,7 +15,7 @@ engineers have to discuss a system at a level of detail starting
at {\bc} {\fms}.
%
This undoubtedly reveals dangers inherent in designs and makes
our lives safer. This chapter aims to look for the deficiencies in the FMEA process, to probe for weaknesses
our lives safer. This chapter aims to look for the deficiencies in current FMEA processes, to probe for weaknesses
and look for ways in which it could be done better and more efficiently.
A major problem is with the scope of examination---or required reasoning distance---to apply
@ -31,6 +31,12 @@ cheap micro-controllers and processors mean that most of todays systems are
now software/hardware hybrids.
%
Even analogue electronics, with the advent of surface mount and miniature components,
means that a modern electronic circuits are typically far more complex and have
far higher component counts, than those
of the era when FMEA methodologies were invented.
%
With FMEA it is very difficult to perform %impossibility of performing
meaningful
multiple failure analysis.
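Review bot: the added sentence has an article error, "means that a modern electronic circuits are typically far more complex", which should be "means that modern electronic circuits are", and a stray comma in "far higher component counts, than those". The header context line "most of todays systems" needs the apostrophe ("today's"). The claim that modern circuits have far higher component counts than those of the era when FMEA was invented is plausible but unsupported here; a citation or a concrete comparison (component count of a representative 1960s and a current controller) would strengthen it.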
@ -150,6 +156,7 @@ We could term such a group a `{\fg}'. Potentially here we have a way of de-compo
the problem and reducing the $O(N^2)$ state explosion effect
associated with XFMEA. An order $N^2$ could be seen as desirable in an automated process such as a search algorithm, but here
its is a time consuming manual process which demands experienced and highly qualified personnel.
It is therefore desirable to reduce this order further.
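Review bot: "here its is a time consuming manual process" in the unchanged context line should be "here it is a time-consuming manual process". "An order $N^2$ could be seen as desirable" should be written as $O(N^2)$ to match the previous sentence's notation. The added sentence "It is therefore desirable to reduce this order further" follows naturally; it would read even better if it pointed forward to what reduces it (the functional group decomposition introduced just above).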
@ -248,7 +255,7 @@ functionally tested~\cite{bishopsmartinstruments}.
\subsection{Distributed real time systems}
\label{sec:distributed}
Distributed real time systems are control systems where
smart sensors communicate over a communications bus to
smart sensors/actuators communicate over a communications bus to
a master controller.
%
Most modern cars follow this information technology pattern and use CANbus~\cite{canspec,can}.
@ -409,8 +416,8 @@ getting to complicated for meaningful analysis using FMEA.
%
\subsection{FMEA Criticism: Conclusions.}
FMEA useful tool for basic safety --- provides statistics on safety where field data impractical ---
very good with single failure modes linked to top level events.
FMEA is a useful tool for basic safety --- it provides statistics on safety where field data impractical ---
and is good with single failure modes linked to top level events.
FMEA has become part of the safety critical and safety certification industries.
%
SFMEA is in its infancy, and there are corresponding gaps in
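Review bot: the rewritten conclusion still has a missing verb, "provides statistics on safety where field data impractical" should be "where field data is impractical" (or "is unavailable"), and the hunk header context has "getting to complicated" for "getting too complicated". The three dashes around "it provides statistics ..." are set with spaces on both sides (" --- ") whereas the rest of the thesis uses closed-up em dashes ("---"); pick one.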
@ -443,7 +450,7 @@ in an improved FMEA methodology,
\item Must be able to analyse hybrid software/hardware systems,
\item no state explosion (which has rendered exhaustive analysis impractical),
\item exhaustive checking at a modular level, %(total failure coverage within {\fgs} all interacting component and failure modes checked),
\item traceable reasoning system models,% to aid repeatability and checking,
\item traceable reasoning inherent in system failure models,% to aid repeatability and checking,
\item re-usable i.e. it should be possible to re-use analysis,
\item possibility to analyse simultaneous/multiple failures,
\item modular --- i.e. usable in a distributed system.
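Review bot: the requirement list mixes capitalised items ("Must be able to analyse") with lower-case ones ("no state explosion", "exhaustive checking") and ends every item with a comma except the last, which ends with a full stop; since these are sentence fragments, start each with lower case and use a consistent terminator. The rewritten item "traceable reasoning inherent in system failure models" is clearer than the original, but "re-usable i.e. it should be possible to re-use analysis" still defines the word with itself; "re-usable, i.e. analysis of a module should be usable again in other systems" says what is meant.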

View File

@ -1173,7 +1173,7 @@ A component can be viewed as a sub-system that is a part of some larger system.
%
A modular system common to many homes is the sound separates audio system or stereo hi-fi.
%
This is used as an example to describe terms used in FMMD.
This is used as an example to describe the concepts {\fg} and {\dc} found in FMMD.
%
For instance a stereo amplifier separate/slave is a component.
%The
@ -1296,10 +1296,17 @@ to fail in two ways, it can go open circuit or it can short.
Electrical components have data-sheets associated with them. The data sheets
supply detailed information on the component as supplied by the manufacturer.
%
Because they are design related they rarely show %clearly detail the
failure modes of the component, with environmental factors and MTTF~\cite{sccs}[p.165] statistics.
Given the growing usage of FMEA/FMEDA in industry this may change.
Because they are written for system designers, and to an extent advertise the product,
they rarely give %show %clearly detail the
failure modes of the component.
%
For FMEA purposes, ideally failure modes along with
with environmental factors and MTTF~\cite{sccs}[p.165] statistics would be presented.
%
Given the growing usage of FMEA/FMEDA and the emergence of SIL as a safety benchmark in industry, this may change.
%
Currently, failure mode information is generally only available for generic component types~\cite{mil1991, fmd91}.
%
Thus we can associate a set of failure modes to types of component,
for example $ResistorFaultModes=\{OPEN, SHORT\}$\footnote{The failure modes of the resistor
are discussed in section~\ref{sec:resistorfm}.}.
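Review bot: the added sentence doubles a word across the line break: "ideally failure modes along with / with environmental factors and MTTF~\cite{sccs}[p.165] statistics would be presented." Drop one "with". The page reference is also in the wrong place for a citation: `\cite{sccs}[p.165]` typesets "[p.165]" as literal text after the citation, the intended form is `\cite[p.~165]{sccs}`. The new clause "and the emergence of SIL as a safety benchmark" introduces the abbreviation SIL for the first time in this file without expansion; "Safety Integrity Level (SIL)" on first use.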
@ -1516,7 +1523,7 @@ The UML representation (in figure \ref{fig:cfg}) shows a `{\fg}' having a one t
%% Here we need how this meta model translates into the FMMD Hierarchy
\subsection{How the UML Meta Model maps to an FMMD Hierarchy}
\label{sec:fmmd_uml}
The UML meta model above (see figure~\ref{fig:cfg}) describes a hierarchical structure. %% Might be a UML pattern that is well known ..... 05MAY2012
This is because, as {\dcs} inherit the properties of
components, {\dcs} may be used to form {\fgs}.
@ -1584,7 +1591,8 @@ between the entities used in FMMD.
% derived components yet higher up in the structure.
% %
To keep track of the level in the hierarchy (i.e. how many stages of component
derivation `$\derivec$' have led to the current derived component)
derivation %`$\derivec$'
have led to the current derived component)
we can add an attribute to the component data type.
This can be a natural number called the level variable $\abslev \in \mathbb{N}$.
% J. Howse says zero is a given in comp sci. This can be a natural number called the level variable $\alpha \in \mathbb{N}_0$.
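Review bot: the definition "level variable $\abslev \in \mathbb{N}$" is inconsistent with the comment on the next line, which records that the level should be in $\mathbb{N}_0$ because zero is a legitimate value; if base components sit at level zero (as the derivation stages count suggests) the text should use $\mathbb{N}_0$, and the comment can then be removed rather than left as a note to self. Commenting out "`$\derivec$'" in mid-sentence leaves "derivation have led to" which reads correctly only because the `%` swallows the line break; the remaining text should be rejoined onto one line so the source matches what is typeset.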

View File

@ -21,7 +21,9 @@
\label{sec:chap5}
This chapter demonstrates FMMD applied to
a variety of typical embedded system components including analogue/digital and electronics/software hybrids.
a variety of typical electronic circuits including analogue and digital
%and electronics/software
hybrids.
%In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.%
%Each example has been chosen to demonstrate
%FMMD applied to
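Review bot: commenting out "and electronics/software" changes the surviving sentence to "a variety of typical electronic circuits including analogue and digital hybrids", which now says the circuits are "analogue and digital hybrids" rather than "analogue and digital circuits, and electronics/software hybrids"; if software hybrids have been moved out of this chapter, the sentence should end "including analogue and digital circuits". Leaving the old wording as an inline comment in the middle of a sentence makes the source hard to read; delete it once the scope of the chapter is settled.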
@ -900,12 +902,12 @@ when it becomes a V2 follower).
\end{figure}
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is impossible to detect in this circuit---
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508~\cite{en61508}
in fault finding terminology~\cite{garrett,maikowski} this {\fm} is said to be unobservable, and in EN61508~\cite{en61508}
terminology is an `undetectable~fault'.
%
Were this failure to have safety implications, this FMMD analysis will have revealed
this un-observability condition; this would likely prompt re-design of this
circuit. A typical way to solve an un-observability such as this is
this undetectable condition; this would likely prompt re-design of this
circuit. A typical way to solve an undetectable fault such as this is
to periodically switch in test signals in place of the input signal.
%\footnote{A typical way to solve an un-observability such as this is
%to periodically switch in test signals in place of the input signal.}.
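Review bot: the unchanged line "terminology is an `undetectable~fault'" is missing its subject ("in EN61508 terminology it is an `undetectable~fault'"). The sentence "Were this failure to have safety implications, this FMMD analysis will have revealed this undetectable condition" mixes a conditional with a future perfect; "would have revealed" is the matching form. The replacement of "un-observability" with "undetectable" is good, since it aligns the text with the EN61508 term it cites two lines earlier; the two commented-out footnote lines below are now dead and can go.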
@ -915,7 +917,8 @@ to periodically switch in test signals in place of the input signal.
This example shows a three stages hierarchy, and a graph tracing the base~component failure modes to the
top level event. It also re-visits the decisions about membership of {\fgs}, due to the context
of the circuit raised in section~\ref{subsec:invamp2}.
%
This FMMD analysis also revealed an undetectable failure mode, $DiffAMPIncorrect$.
%16MAR2013 COULD Put an euler diagram here
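Review bot: "This example shows a three stages hierarchy" should be "a three-stage hierarchy". The added sentence "This FMMD analysis also revealed an undetectable failure mode, $DiffAMPIncorrect$." is a useful summary point; since the example is being used to argue that FMMD exposes unobservable faults, it would be worth saying in the same breath what the suggested mitigation was (the periodic test-signal switching mentioned above) so the summary is self-contained.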
@ -1405,13 +1408,14 @@ We should be able to determine smaller {\fgs} and refine the model further.
\label{fig:bubbaeuler2}
\end{figure}
\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator}
\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator.}
%
We use the pre-analysed $NIBUFF$ and $PHS45$
{\dcs} to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the
{\dc} $BUFF45$.
%
Thus, $BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
%Thus,
$BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
%
From the block circuit diagram (figure~\ref{fig:circuit3}), we see that there are three
$45^{\circ}$ phase shifter circuits in series. Together these apply a $135^{\circ}$ phase shift to the signal.
@ -1425,7 +1429,7 @@ $PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shift
%
\paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator}
\paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator.}
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.},
form a {\fg}
@ -1516,10 +1520,15 @@ be re-used in other projects.
%is higher, by an order of $O(N^2)$.
Smaller {\fgs} signify less by-hand checks and
a more finely grained model.
%
This means that
there would be more {\dcs} and therefore increases the potential for re-use of pre-analysed {\dcs}.
A finer grained model---with potentially more hierarchy stages---conveys that more
work, or reasoning has been used in the analysis.
there will %would
be more {\dcs} and this %therefore
increases the potential for re-use of pre-analysed {\dcs}.
%
A finer grained model---with potentially more hierarchy stages---conveys that
%more work, or
more reasoning stages have been used in the analysis.
% HTR The more we can modularise, the more we decimate the $O(N^2)$ effect
% HTR of complexity comparison.
%
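Review bot: "Smaller {\fgs} signify less by-hand checks" in the unchanged context should be "fewer by-hand checks". The rewrite splits "there will %would / be more {\dcs} and this %therefore / increases" across three lines with inline comments; it typesets correctly but the source now reads as fragments, so join it into "there will be more {\dcs} and this increases the potential for re-use of pre-analysed {\dcs}." The replacement of "more work, or reasoning" with "more reasoning stages" is the right correction, since the number of stages is what the model actually records, not effort.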
@ -1534,7 +1543,7 @@ A finer grained approach produces more potentially re-usable {\dcs} and
involves several stages with lower reasoning distances.
The lower reasoning distances, or complexity comparision figures are given in the metrics chapter~\ref{sec:chap7}
at section~\ref{sec:bubbaCC}.
This show that the finer grained models also benefit from lower reasoning distances for the failure mode model.
\clearpage
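Review bot: two typos in the unchanged context lines of this hunk: "complexity comparision figures" should be "comparison", and "This show that the finer grained models" should be "This shows". The sentence also refers to "the metrics chapter~\ref{sec:chap7} at section~\ref{sec:bubbaCC}", which will typeset as two bare numbers; "chapter~\ref{sec:chap7}, section~\ref{sec:bubbaCC}" reads better.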
@ -1606,7 +1615,7 @@ of the input voltage (i.e. the value of the sum of 1's and 0's is proportional t
%
%$$\{ IC1, IC2, IC3, IC4, R1, R2, R3, R4, C1 \} $$.
%
The parts for the \sd are a mixture of analogue (resistors, capacitors, OpAmps) and digital
The parts for the {\sd} are a mixture of analogue (resistors, capacitors, OpAmps) and digital
(D type flip flop, and a digital clock). We examine the failure modes of all components in this circuit below.
%
IC1,IC2 and IC3 are all OpAmps and we have failure modes for this component type
@ -1643,7 +1652,7 @@ The feedback voltage for the ADC is supplied via $R1$, we term this voltage as $
%The input voltage is supplied via $R2$ and we term this voltage as $V_{in}$.
$R2$ and $R1$ form a summing junction to IC1: they balance the integrator provided
by the capacitor C1 and the opamp IC1.
This can be our first {\fg} and we analyse it in table~\ref{tbl:sumjint}.
This can be our first {\fg} and we analyse it in table~\ref{detail:SUMJINT}%{tbl:sumjint}.
%For the symptoms, we have to think in terms of the effect
%on its performance as a summing junction and not be
%distracted by the integrator formed by $C_1$ and $IC1$.
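Review bot: the new line "This can be our first {\fg} and we analyse it in table~\ref{detail:SUMJINT}%{tbl:sumjint}." loses its full stop: the `%` comments out everything after the `\ref`, including the period, and the following lines are also comments, so the sentence runs on into the next paragraph with no terminator. Move the period before the `%` (or delete the old label entirely). Also check that `detail:SUMJINT` is the label of a `table` environment; if it is a `\label` on a detail block rather than a float, "table~\ref" will print the wrong counter.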
@ -1810,7 +1819,7 @@ value, and outputs it at analogue voltage levels for the summing junction.
$ FG = \{ DIGBUF, DL2AL \} $
We analyse the buffered flip flop circuitry
We analyse the buffered flip flop circuitry (see table~\ref{detail:FFB})
and create a {\dc} $FFB$,
where $$fm (FFB) = \{OUTPUT STUCK, LOW\_SLEW\}$$.
%\clearpage
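Review bot: "$ FG = \{ DIGBUF, DL2AL \} $" is inline math sitting on its own line directly before "We analyse ...", so it will be typeset run into the following sentence; either make it a display or end it with a full stop and a paragraph break. "$$fm (FFB) = \{OUTPUT STUCK, LOW\_SLEW\}$$." puts a period after a display and names the modes `OUTPUT STUCK` (math mode drops the space, giving "OUTPUTSTUCK") and `LOW\_SLEW`, whereas the op-amp chapter writes the same failure mode as $LOW_{slew}$; use one spelling throughout so the derived component's failure modes can be matched against the base component ones. The added "(see table~\ref{detail:FFB})" is helpful; the same `detail:` label convention question as for SUMJINT applies.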
@ -1936,7 +1945,7 @@ possibility of double faults. % (cardinality constrained powerset of 2).
\subsection{General Description of Pt100 four wire circuit}
\label{Pt100range}
The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two.
By measuring voltages
@ -1964,7 +1973,7 @@ Note that the low reading goes down as temperature increases, and the higher rea
For this reason the low reading will be referred to as {\em sense-}
and the higher as {\em sense+}.
\paragraph{Accuracy despite variable resistance in cables}
\paragraph{Accuracy despite variable resistance in cables.}
For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables. Resistance from the supply
@ -2072,6 +2081,7 @@ $R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
%
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{Pt100range}
and \ref{Pt100temp}.

View File

@ -24,12 +24,12 @@ traditional FMEA.
In all cases there was a performance gain,
that is to say that for all but trivial cases,
the number of manual analysis operations to perform
was reduced.
was significantly reduced.
%
Not only this, but the analysis naturally provided modules which could be re-used,
re-used not only in the circuit under analysis but potentially in different and future projects as well.
Traditional FMEA methods have been applied to software, but analysis has always to be separate from
Traditional FMEA methods have been applied to software, but analysis has always been performed separately from
the electronic FMEA~\cite{sfmeaa,sfmea}. %, and while modular kept strictly to a bottom-up approach.
%
Using established concepts from contract programming~\cite{dbcbe} FMMD was extended to analyse software,
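Review bot: changing "was reduced" to "was significantly reduced" adds a strength claim that this paragraph does not support; the conclusion should point to the comparison figures in the metrics chapter (the reasoning-distance results cited elsewhere in this commit) or quote one of them, otherwise "significantly" reads as unquantified. The unchanged lines also repeat "re-used, re-used not only in the circuit under analysis"; "modules which could be re-used, not only in the circuit under analysis but ..." is enough. The rewrite "analysis has always been performed separately from the electronic FMEA" is a clear improvement over the original.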
@ -94,25 +94,48 @@ These are explained below.
\section{Further Work}
%This section describes areas that the study has revealed where the FMMD methodology may be extended or improved.
\section{How traditional FMEA reports can be derived from an FMMD model.}
%
An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing this
we can map system level failures back to {\bc} {\fms} (or combinations thereof).
%
Because we can determine these mappings we can produce reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}).
%
With the addition of {\bc} {\fm} statistics~\cite{mil1991} we can provide reliability predictions for system level failures.
The Pt100 example is revisited for this purpose and analysed for single and double failures, with statistics for {\bcs}
taken from MIL1991 %~\cite{mil1991},
in section~\ref{sec:bcstats}.
%
With an FMMD failure mode model a top down perspective is possible.
We could for instance take each system level failure and produce a causation tree for it, tracing back
to all {\bc} {\fms}.
This is very closely related to the structure of FTA (top down) failure causation graphs.
The possibility of automatically producing FTA diagrams from FMMD models
is examined in section~\ref{sec:fta}.
\section{Statistics: From base component failure modes to System level events/failures.}
\label{sec:bcstats}
Knowing the statistical likelihood of a component failing can give a good indication
of the reliability of a system, or in the case of dangerous failures, the Safety Integrity Level
of a system.
%
EN61508~\cite{en61508} requires that statistical data is available and used for all component failure modes
analysed in a system assigned a SIL level.
analysed by FMEDA.
%
FMMD, as a bottom up methodology can use component failure mode statistical data, and incorporate it
into its hierarchical model.
By way of example, the Pt100 analysis %example
from section~\{sec:pt100} has been used to demonstrate this.
%By way of example, the Pt100 analysis %example
%from section~\{sec:pt100} has been used to demonstrate this.
Because we can use an FMMD model to generate an FMEA report, with additional {\bc} failure mode statistics
we can therefore used FMMD to produce an FMEDA report.
\subsection{Pt100 Example: Single Failures and statistical data}. %Mean Time to Failure}
Now that we have a model for the failure mode behaviour of the Pt100 circuit
we can look at the statistics associated with each of the failure modes.
From an earlier example, the model for the failure mode behaviour of the Pt100 circuit,
we can add {\bc} {\fm} statistics and determine the probability of symptoms of failure.
%
The DOD electronic reliability of components
document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating
the
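Review bot: several problems in this hunk. `\section{Further Work}` is immediately followed by another `\section`, leaving "Further Work" as an empty section whose only content is a comment; either move the new sections under it as `\subsection`s or remove the empty heading. The two new section titles end in full stops, unlike the other `\section` headings in this file. "\subsection{Pt100 Example: Single Failures and statistical data}." has its period outside the braces, which typesets a stray "." as the first character of the body text. "we can therefore used FMMD to produce an FMEDA report" should be "use". In "({\bc}~{\fm}~$\mapsto$~{system failure})" the braces around "system failure" do nothing and look like a missing macro. "The Pt100 example is revisited ... with statistics for {\bcs} taken from MIL1991" names the source inconsistently with the `MIL-HDBK-217F` used a few lines later, and the commented-out `\cite` should be restored. Finally the replacement of "analysed in a system assigned a SIL level" with "analysed by FMEDA" changes what EN61508 is claimed to require; if the intent is that FMEDA is the EN61508 route to a SIL, say so explicitly rather than letting the reader infer it.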
@ -124,7 +147,7 @@ can give conservative reliability figures when applied to
modern components}.
%
Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor
failure statistics, we calculate the reliability of this circuit.
failure statistics, we calculate the reliability of the Pt100 example ( see section~\ref{sec:pt100}).
\paragraph{Resistor FIT Calculations}
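Review bot: "the Pt100 example ( see section~\ref{sec:pt100})" has a space after the opening parenthesis; also `\cite{mil1991}` follows "MIL-HDBK-217F" with no tie, so the citation can be orphaned at a line break (use `MIL-HDBK-217F~\cite{mil1991}`). Since the same document is called both "MIL-HDBK-217F" and "MIL1991" in this chapter, settle on one name.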
@ -171,11 +194,14 @@ give the following failures in ${10}^6$ hours:
\end{equation}
While MIL-HDBK-217F gives MTTF for a wide range of common components,
it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}.
it does not specify how the components will fail (in this case OPEN or SHORT).
%
Some standards, notably EN298 only consider most types of resistor as failing in OPEN mode.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses.
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example
compromises and uses a 90:10 ratio, for resistor failure.
compromises and uses a 9:1 OPEN:SHORT ratio, for resistor failure.
%
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
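Review bot: "This example compromises and uses a 9:1 OPEN:SHORT ratio, for resistor failure" presents the split as an arbitrary compromise, but the commented-out line just above records the source for it (FMD-97 gives 27% OPEN and 3% SHORTED, which is exactly 9:1); cite that figure in the text rather than leaving it as a comment, because the resulting FIT apportionment in the following tables depends on it. "Some standards, notably EN298 only consider most types of resistor as failing in OPEN mode" needs a comma after EN298 and should carry `\cite{en298}` as it does in the FMEA chapter. Minor: "for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED in the other 10\%" restates the ratio and could be dropped.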
@ -347,7 +373,7 @@ A typical data sheet for an electrical component will give
a working temperature range: %, for instance.
mechanical components could be specified for stress and loading limits.
It is unusual to have failure modes described in product literature, although
for complicated components with firmware errata documents are sometimes produced.
for complicated components with firmware, errata documents~\cite{pic18f25k80erratta} are sometimes produced.
Systems may have distinct operational states. For instance, a safety critical controller
may have a LOCKOUT state where it has detected a serious problem and will not continue to operate until
@ -355,7 +381,7 @@ authorised human intervention takes place.
A safety critical circuit may have a self test mode which could be operated externally:
a micro-processor may have a SLEEP mode etc.
%
Operational states and environmental conditions can %must
To make FMMD compatible with FTA perational states and environmental conditions should %can %must
be factored into the UML model.
%
We may encounter a condition where we would want to inhibit some action of the system.
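Review bot: typo and punctuation in the new line: "To make FMMD compatible with FTA perational states and environmental conditions should" must read "To make FMMD compatible with FTA, operational states and environmental conditions should". The change from "can" to "should" makes this a requirement; the paragraph then needs to say what FTA compatibility demands of the model (the inhibit and house-event semantics introduced just below) so the "should" is justified, and the trailing `%can %must` comment should be cleaned out.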
@ -363,6 +389,9 @@ This is rather like a logical guard criterion. For instance in the gas burner st
states that a flame detector must confirm that a pilot flame has been established before the main burner fuel can be applied.
In FTA terms this would be an inhibit condition on the main fuel, i.e. PILOT\_NOT\_CONFIRMED.
We now look at the nature of these three attributes and decide how they should fit into the UML
model for FMMD developed in section~\ref{sec:fmmd_uml}.
\paragraph{Environmental Modelling.} The external influences/environment could typically be temperature ranges,
levels of electrical interference, high voltage contamination on supply
lines, radiation levels etc.
@ -380,7 +409,7 @@ Within the field of safety critical engineering, we often encounter
elements that include test or self-test facilities.
%
We also encounter degraded performance
(such as only performing functions in an emergency) and lockout/emergency conditions.
(such as only performing certain functions in an emergency) and lockout/emergency conditions.
These can be broadly termed operational states. %, and apply to the
%functional groups.
%
@ -448,18 +477,18 @@ its `bottom-up~work~flow' it
can reveal previously undetected system failure modes.
%
This is because the analyst
is forced to deal with all component failure modes by the FMMD process, and
all failure modes of {\dcs}.
is forced to deal with all component failure modes when applying the FMMD process, and
all failure modes of the resultant {\dcs} as we progress up a hierarchy.
%
FMMD requires that all failure modes of components in a {\fg} are resolved to
a symptom in the resulting {\dc}.
%
FMMD can find failure modes that are not
FMMD thus finds failure modes that are not
dealt with as a symptom, i.e. were ignored
or forgotten. This means that the FMMD process will expose un-handled
or forgotten, meaning that the FMMD process will expose un-handled
failure modes.
%come to light.
%
We can apply retrospective FMMD to electronic and software hybrid systems as well.
%
The electronic components {\fms} are established in the literature~\cite{fmd91,mil1991,en298,en230}.
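Review bot: after the rewording, the sentence beginning `FMMD thus finds failure modes that are not dealt with as a symptom` says the same thing twice: `finds failure modes that are not dealt with ... meaning that the FMMD process will expose un-handled failure modes`. Collapse it to one statement, e.g. `FMMD thus exposes failure modes that were not resolved to a symptom, i.e. those that were ignored or forgotten.` The `thus` is justified only by the preceding sentence that every failure mode in a {\fg} must be resolved to a symptom in the {\dc}, so keep that sentence immediately before it.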
@ -474,7 +503,7 @@ contract clauses will be treated as failure modes in FMMD).
% By treating hardware interfaces to software as {\dcs}, we automatically have a list of the failure modes
% of the electronics.
%%
With the contracts in place for the software, we can then integrate them into the FMMD model.
With the contracts in place for the software functions, we can then integrate them into the FMMD model.
%
FMMD models both software and hardware;
we can thus verify that all
@ -488,31 +517,15 @@ If not they are an un-handled error condition relating to the software hardware
% of the electronics.
%
By performing FMMD on a software electronic hybrid system,
we thus reveal design deficiencies in both the software and the software/electronics interface.
we thus reveal design deficiencies in both the software, the electronics and the software/electronics interface.
%in the hardware/software interface.
FMEDA does not handle software ---or---the software hardware interface.
%
FMEDA does not handle software ---or---the software hardware interface.
It thus potentially misses many undetected failures (in EN61508 terms undetected-dangerous and undetected safe failures).
In Safety Integrity Level (SIL)~\cite{en61508} terms, by identifying undetectable faults and fixing them, we raise
the safe failure fraction (SFF).
\section{How traditional FMEA reports can be derived from an FMMD model.}
%
An FMMD model has a data structure (described by UML diagrams, see figure~\ref{fig:cfg}), and by traversing this
we can map system level failures back to {\bc} {\fms} (or combinations thereof).
%
Because we can determine these mappings we can produce reports in the traditional FMEA format ({\bc}~{\fm}~$\mapsto$~{system failure}).
%
With the addition of {\bc} {\fm} statistics~\cite{mil1991} we can provide reliability predictions for system level failures.
The Pt100 example is revisited for this purpose and analysed for single and double failures, with statistics for {\bcs}
taken from MIL1991 %~\cite{mil1991},
in section~\ref{sec:bcstats}.
%
With an FMMD failure mode model a top down perspective is possible.
We could for instance take each system level failure and produce a causation tree for it, tracing back
to all {\bc} {\fms}.
This is very closely related to the structure of FTA (top down) failure causation graphs.
The possibility of automatically producing FTA diagrams from FMMD models
is examined in section~\ref{sec:fta}.
%
\section{Objective and Subjective Reasoning stages}
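Review bot: `both` now governs three items on the changed line; use `in the software, the electronics and the software/electronics interface` (or drop `both`). The relocated FMEDA sentence still reads awkwardly with the spaced dashes in `software ---or---the software hardware interface`; `FMEDA handles neither software nor the software/hardware interface` is clearer. If the removed section `How traditional FMEA reports can be derived from an FMMD model.` has been moved rather than dropped, confirm that the forward references it carried to `sec:bcstats` and `sec:fta` survive with it, otherwise the reader loses the pointer to the statistics and FTA material.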

View File

@ -7,7 +7,7 @@ in chapter 5 have been moved here for reference.
\subsection{PHS45 Detailed Analysis}
FMEA study of a resistor and capacitor configured as a phase changer.
FMEA study of a resistor and capacitor in use as a phase changer.
\label{detail:PHS45}
\center
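Review bot: the reworded line `FMEA study of a resistor and capacitor in use as a phase changer.` is still a sentence fragment sitting between the `\subsection` and its `\label`; either make it a full sentence (`This is an FMEA study of ...`) or move it below the `\label` so the label stays adjacent to the heading it names. Note also that `\center` is a declaration rather than `\begin{center}`, so the centring persists until the enclosing group ends; `\begin{center} ... \end{center}` is safer in an appendix built from several detail sections.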