diff --git a/opamp_circuits_C_GARRETT/opamps.tex b/opamp_circuits_C_GARRETT/opamps.tex index 8d613b8..b81fca3 100644 --- a/opamp_circuits_C_GARRETT/opamps.tex +++ b/opamp_circuits_C_GARRETT/opamps.tex @@ -1212,7 +1212,7 @@ against all the components in the system. We could term this `rigorous~FMEA'~(RFMEA). The number of checks we have to make to achieve this gives an indication of the complexity of the task. % -We could term this comkparison~complexity, as it is the number of +We could term this `comparison~complexity', as it is the number of paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group. @@ -1223,12 +1223,12 @@ of checks to make than for a complicated larger system. % We can consider the system as a large {\fg} of components. We represent the number of components in the {\fg} $G$, by -$ | G | .$ -An indexing and sub-scripting notation to identify particular {\fgs} -within an FMMD hierarchy is given in section~\ref{sec:indexsub}. +$ | G | $ +(an indexing and sub-scripting notation to identify particular {\fgs} +within an FMMD hierarchy is given in section~\ref{sec:indexsub}). The function $fm$ has a component as its domain and the components failure modes as its range (see equation~\ref{eqn:fm}). -We can represent the number of failure modes in a component $c$, to be $ | fm(c) | .$ +We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$ If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express the number of checks required to rigorously examine every 
@@ -1343,10 +1343,11 @@ rigorous checking feasible. Because components have variable numbers of failure modes, and {\fgs} have variable numbers of components it is difficult to use the general formula for comparing the number of checks to make for -RFMEA and FMMMD. +RFMEA and FMMD. If we were to create an example by fixing the number of components in a {\fg} and the number of failure modes per component, we can derive formulae -to represent the number of checks to make. +to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to +all components in a system. Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$), $f$ is the number of failure modes per component (i.e. $f=|fm(c)|$), and @@ -1377,7 +1378,7 @@ Thus the number of checks to make in the top level is $3^0.3.2.3=18$. On the level below that, we have three {\fgs} each with a an identical number of checks, $3^1.3.2.3=56$.%{\fg} On the level below that we have nine {\fgs}, $3^2.3.2.3=168$. -Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA \textbf{within the} +Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}} {\fgs}). If we were to take the system represented in figure~\ref{fig:three_tree}, and 
@@ -1444,18 +1445,24 @@ $$ The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low. However, some critical systems have to consider these type of eventualities. -The burner control industry has to consider these, and these are written into the -the gas burner standard EN298~\cite{en298}. EN298 does not specifically state that +The burner control industry has to consider double failures, as specified in European Norm +EN298~\cite{en298}. EN298 does not specifically state that double simultaneous failures must be considered. What it does say is that -in the event of a lockout -- a condition where an error has been detected and -the equipment moves to a safe non-functioning state -- no secondary failure may cause a dangerous condition. +in the event of a lockout---a condition where an error has been detected and +the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition. +% This is slightly vague: there are so many possible component failures that could cause a secondary failure, that it is very difficult not to interpret this as meaning we have to cater for double simultaneous failures for the most critical sections -of a system. In practise -- in the field of EN298: burner controllers -- this means triple safeguards to ensure the fuel +of a burner control system. +% +In practise---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel is not allowed to flow under an error condition. This would of course leave the possibility of other more complex double failures tricking the controller into thinking the -combustion was actually safe when it was not. +combustion was actually safe when it was not. +% +It would be impractical to +perform the number of checks (as the checking is time-consuming human process) required of RFMEA on a system as complex as a burner controller. 
It has been shown that, for all but trivial small systems, double failure mode checking is impossible from a practical perspective. @@ -1501,7 +1508,12 @@ checking to all {\fgs} higher up in the hierarchy. This guarantees to check the symptoms caused by the failure modes in the other {\fgs} with the symptoms derived from the other {\fgs} modelling for double failures. -This guarantees +% +By traversing down the tree we can automatically determine which +double simultaneous combinations have not been resolved. +% +By applying double simultaneous checking until no single failures +canlead to a top level event, we double failure move coverage. To extend the example in figure~\ref{fig:dubsim1} we can map the failure
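Review bot: in the hunk at @@ -1223,12 +1223,12 @@ the first changed sentence loses its full stop: `$ | G | $` is now followed by the parenthetical `(an indexing ... section~\ref{sec:indexsub})` and then directly by `The function $fm$ ...`, so a period is needed after the closing parenthesis, e.g. `within an FMMD hierarchy is given in section~\ref{sec:indexsub}).` While here, the unchanged line `the components failure modes as its range` should read `the component's failure modes`.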
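Review bot: in the hunk at @@ -1343,10 +1343,11 @@ the rewritten sentence mixes moods: `If we were to create an example ... we can derive formulae` should be either `If we were to ... we could derive` or `If we create ... we can derive`. The replacement `to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to all components in a system` is an improvement on the old line, but `from ... to` reads awkwardly; `for an FMMD hierarchy with those for RFMEA applied to` is clearer.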
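Review bot: in the hunk at @@ -1377,7 +1378,7 @@ the arithmetic in the unchanged lines just above the changed line does not hold: `$3^1.3.2.3=56$` evaluates to 54, not 56, and `$3^2.3.2.3=168$` evaluates to 162, not 168, so the total on the changed line should be 18+54+162=234 rather than 242 (242 only follows from the two wrong intermediate values). Also `each with a an identical number` has a doubled article, and `{\em{within the}}` carries a redundant inner brace group; `{\em within the}` or `\emph{within the}` is the usual LaTeX form.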
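Review bot: in the hunk at @@ -1444,18 +1445,24 @@ the changed line `In practise---in the field of EN298` should use the noun `In practice`, and `as the checking is time-consuming human process` is missing an article (`a time-consuming human process`). The unchanged line `consider these type of eventualities` should be `these types of eventualities`. The move from ` -- ` to `---` is fine provided the rest of opamps.tex uses the same dash convention.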
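Review bot: in the hunk at @@ -1501,7 +1508,12 @@ the final added line is garbled: `canlead` is missing a space, and `we double failure move coverage` has no verb, with `move` apparently a typo for `mode`; the intended sense appears to be `we extend double failure mode coverage`, but the author should confirm the wording. Dropping the dangling `This guarantees` fragment is correct.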