Last of pencil notes on hard copy

This commit is contained in:
Robin Clark 2012-01-07 11:03:51 +00:00
parent eab783bdb2
commit e5d640f217

@ -1212,7 +1212,7 @@ against all the components in the system.
We could term this `rigorous~FMEA'~(RFMEA).
The number of checks we have to make to achieve this gives an indication of the complexity of the task.
%
We could term this comkparison~complexity, as it is the number of
We could term this `comparison~complexity', as it is the number of
paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group.
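Review bot: The definition in the corrected line describes comparison complexity as the number of "paths between failure modes and components", while the sentence just before it introduces the same quantity as "the number of checks we have to make"; using one term in both places (e.g. "the number of failure-mode-to-component checks necessary to achieve RFMEA") would avoid the reader wondering whether paths and checks differ. The quoting now matches the `rigorous~FMEA' style above, which is good.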
@ -1223,12 +1223,12 @@ of checks to make than for a complicated larger system.
%
We can consider the system as a large {\fg} of components.
We represent the number of components in the {\fg} $G$, by
$ | G | .$
An indexing and sub-scripting notation to identify particular {\fgs}
within an FMMD hierarchy is given in section~\ref{sec:indexsub}.
$ | G | $
(an indexing and sub-scripting notation to identify particular {\fgs}
within an FMMD hierarchy is given in section~\ref{sec:indexsub}).
The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}).
We can represent the number of failure modes in a component $c$, to be $ | fm(c) | .$
We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$
If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express
the number of checks required to rigorously examine every
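Review bot: The notation for the functional group is inconsistent across this hunk: the new lines write the group as $G$ and its size as $ | G | $, but the unchanged indexing line immediately below writes $ c_1, c_2 \ldots c_{|\FG|} $, so the same object appears as both $G$ and $\FG$. Pick one (e.g. $|\FG|$ throughout, or $c_{|G|}$ in the indexing line). Minor: in `$ | fm(c) | .$` the sentence-final period sits inside math mode; `$|fm(c)|$.` gives normal text punctuation spacing.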
@ -1343,10 +1343,11 @@ rigorous checking feasible.
Because components have variable numbers of failure modes,
and {\fgs} have variable numbers of components it is difficult to
use the general formula for comparing the number of checks to make for
RFMEA and FMMMD.
RFMEA and FMMD.
If we were to create an example by fixing the number of components in a {\fg}
and the number of failure modes per component, we can derive formulae
to represent the number of checks to make.
to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to
all components in a system.
Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$),
$f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and
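Review bot: Tense mismatch in the added sentence: "If we were to create an example by fixing ... we can derive formulae" mixes subjunctive and present; either "If we create ... we can derive" or "If we were to create ... we could derive". The next line, "Consider $k$ to be the number of components ..., $f$ is the number of failure modes per component", drops the parallel construction; "and $f$ to be the number of failure modes per component" keeps it. The FMMMD to FMMD fix is correct.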
@ -1377,7 +1378,7 @@ Thus the number of checks to make in the top level is $3^0.3.2.3=18$.
On the level below that, we have three {\fgs} each with a
an identical number of checks, $3^1.3.2.3=56$.%{\fg}
On the level below that we have nine {\fgs}, $3^2.3.2.3=168$.
Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA \textbf{within the}
Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}}
{\fgs}).
If we were to take the system represented in figure~\ref{fig:three_tree}, and
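Review bot: The arithmetic in this hunk does not add up, and the replaced line carries the error forward: $3^1.3.2.3$ is $3 \cdot 3 \cdot 2 \cdot 3 = 54$, not 56, and $3^2.3.2.3$ is $9 \cdot 3 \cdot 2 \cdot 3 = 162$, not 168, so the total should be $18 + 54 + 162 = 234$; the $242$ in the new "Adding these together" line is only consistent with the mistaken 56 and 168. Please recompute and update the total. Separately, using `.` as the product sign in `$3^0.3.2.3$` renders as decimal points; `\cdot` is the intended operator. Minor: "each with a / an identical number" has a doubled article, the trailing `%{\fg}` on the 56 line looks like leftover scratch, and `{\em{within the}}` nests braces oddly where `\emph{within the}` is the idiomatic form.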
@ -1444,18 +1445,24 @@ $$
The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low.
However, some critical systems have to consider these type of eventualities.
The burner control industry has to consider these, and these are written into the
the gas burner standard EN298~\cite{en298}. EN298 does not specifically state that
The burner control industry has to consider double failures, as specified in European Norm
EN298~\cite{en298}. EN298 does not specifically state that
double simultaneous failures must be considered. What it does say is that
in the event of a lockout -- a condition where an error has been detected and
the equipment moves to a safe non-functioning state -- no secondary failure may cause a dangerous condition.
in the event of a lockout---a condition where an error has been detected and
the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition.
%
This is slightly vague: there are so many possible component failures that could
cause a secondary failure, that it is very difficult not to interpret this
as meaning we have to cater for double simultaneous failures for the most critical sections
of a system. In practise -- in the field of EN298: burner controllers -- this means triple safeguards to ensure the fuel
of a burner control system.
%
In practise---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel
is not allowed to flow under an error condition. This would of course leave the possibility of
other more complex double failures tricking the controller into thinking the
combustion was actually safe when it was not.
combustion was actually safe when it was not.
%
It would be impractical to
perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller.
It has been shown that, for all but trivial small systems, double failure mode checking
is impossible from a practical perspective.
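Review bot: A few wording problems survive in the new text. "these type of eventualities" should be "these types of eventualities"; "In practise" (in both the removed and the replacement line) uses the verb spelling where the noun "In practice" is meant; and "as the checking is time-consuming human process" is missing the article "a". The two "combustion was actually safe when it was not." lines appear identical, so that part of the change is presumably whitespace only and could be dropped. The closing claim "It has been shown that ... double failure mode checking is impossible from a practical perspective" has no citation or cross-reference; if it refers to the check count worked out above, say so (e.g. "The calculation above shows") and consider "impractical" rather than "impossible", which is the word the preceding sentence uses. The change from -- to --- is consistent with LaTeX convention and fine.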
@ -1501,7 +1508,12 @@ checking to all {\fgs} higher up in the hierarchy.
This guarantees to check the symptoms caused by the
failure modes in the other {\fgs} with the symptoms
derived from the other {\fgs} modelling for double failures.
This guarantees
%
By traversing down the tree we can automatically determine which
double simultaneous combinations have not been resolved.
%
By applying double simultaneous checking until no single failures
canlead to a top level event, we
double failure move coverage.
To extend the example in figure~\ref{fig:dubsim1} we can map the failure
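Review bot: "canlead" needs a space, and "we double failure move coverage" is missing its verb and appears to have "move" for "mode" (e.g. "we increase double failure mode coverage"). The bare line "This guarantees" is a sentence fragment: if it is the new text replacing the three-line sentence above it, that sentence needs completing; if it is the removed text, the hunk is fine on that point. Also check the condition in "applying double simultaneous checking until no single failures can lead to a top level event": as written it describes single-failure coverage, whereas the sentence concludes about double failure coverage, so "until no double failures can lead to a top level event" may be what is intended.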