diff --git a/presentations/fmea/Makefile b/presentations/fmea/Makefile index 6d0c6b8..cbfc332 100644 --- a/presentations/fmea/Makefile +++ b/presentations/fmea/Makefile @@ -6,7 +6,7 @@ DIAPNG= three_tree.png component.png fmmd_env_op_uml.png fmmd_exm_h.png maste all: $(DIAPNG) pdflatex fmea_pres - acroread fmea_pres.pdf + acroread fmea_pres.pdf || evince fmea_pres.pdf bib: diff --git a/submission_thesis/CH5_Examples/copy.tex b/submission_thesis/CH5_Examples/copy.tex index 8ec192d..07095de 100644 --- a/submission_thesis/CH5_Examples/copy.tex +++ b/submission_thesis/CH5_Examples/copy.tex @@ -1,8 +1,18 @@ %\clearpage %\pagenumbering{arabic} + +% +% %% NEED TWO MORE EXAMPLES --- 02JUN2012 +% +% * ENVIRONMENTAL CASE (perhaps temp on an opto-coupler +% +% * OPERATIONAL STATE (perhaps a self test on an ADC where it is set to output and driven high and low and read) + + + \label{sec:chap5} This chapter demonstrates FMMD applied to -a variety of common electronic circuits. +a variety of common electronic circuits including analogue/digital and electronics/software hybrids. In order to implement FMMD in practise, we review the basic concepts and processes of the methodology. \section{Basic Concepts Of FMMD} 
@@ -12,13 +22,15 @@ driving concept behind FMMD is to modularise, from the bottom-up, failure mode e Traditional FMEA takes part failure modes and then determines what effect each of these failure modes could have on the system under investigation. -Traditional FMEA, by looking at `part' level failure modes, +Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes, involves what we could term a large `reasoning~distance'; that is to say -in a complex system, taking a particular failure mode, of a particular part +in a complex system, taking a particular failure mode, of a particular {\bc} and then trying to predict the outcome in the context of an entire system, is -a leap~of~faith. There will be numerous possibilities of effects and side effects on +a leap~of~faith. +% +There will be numerous possibilities of effects and side effects on other components in the system; more than is practically possible to rigorously examine. -To simply trace a simple route from a particular part failure mode to a top level system error/symptom +To simply trace a simple route from a particular {\bc} failure mode to a top level system error/symptom oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone. Fortunately most real-world designs take a modular approach. In Electronics 
@@ -29,16 +41,18 @@ It is common design practise in electronics, to use collections of parts in spec to form well-defined and well-known building blocks. These commonly used configurations of parts, or {\fgs}, will also have a specific failure mode behaviour. -We can take a {\fg} and determine its symptoms of failure. +We can take a {\fg}, analyse it using FMEA and determine its {\em symptoms} of failure. -When we have done this we can treat this as a component in its own right. -If we terms `parts' as base~components, components we have determined -from functional groups as derived components, we modularise the FMEA process. +When we have done this we can treat this {\fg} as a component in its own right. +% +If we term {\bcs} as the components we start analysis with and components we have determined +from functional groups as derived components, we can modularise the FMEA process. +% If we start building {\fgs} from derived components we can start to build a modular hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance, allowing re-use of modules and reducing the number of by-hand analysis checks to consider. -As all forms of FMEA are bottom-up processes, we start with the lowest or most basic components/parts. +As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts. %and with their failure modes. % It is worth defining clearly the term part here. % Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus: 
@@ -64,9 +78,10 @@ As all forms of FMEA are bottom-up processes, we start with the lowest or most b \label{sec:determine_fms} In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail. A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124]. -Typically when choosing components for a design, we look at manufacturers' data sheets, -which describe the environmental ranges and tolerances, and can indicate how a component may fail/behave -under certain conditions or environments. +Typically when choosing components for a design, we look at manufacturers' data sheets +which describe functionality and dimensions +and also describe environmental ranges and tolerances, and can indicate how a component may fail/misbehave +under given conditions. % How base components could fail internally, is not of interest to an FMEA investigation. The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its 
@@ -83,15 +98,20 @@ are examined. FMD-91 is a reference document released into the public domain by the United States DOD and describes `failures' of common electronic components, with percentage statistics for each failure. +% FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation. +% FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of component {\fms} suitable for use in FMEA. +% A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for component types but does not detail specific failure modes. -Used in conjunction with FMD-91, we can determine statistics for the failure modes -of component types. The FMEDA process from European standard EN61508~\cite{en61508} for instance, -requires statistics for Meantime to Failure (MTTF) -for all part failure modes. +% +Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes +of component types. +% +The FMEDA process from European standard EN61508~\cite{en61508} for instance, +requires statistics for Meantime to Failure (MTTF) for all {\bc} failure modes. % One is from the US military document FMD-91, where internal failures @@ -127,8 +147,8 @@ European burner standard EN298. \paragraph{Resistor failure modes according to FMD-91.} -The resistor is a ubiquitous component in electronics, and is therefore a prime -example for examining its failure modes. +The resistor is a ubiquitous component in electronics, and is therefore a good candidate for detailed examination of its failure modes. +% FMD-91\cite{fmd91}[3-178] lists many types of resistor and lists many possible failure causes. For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes: 
@@ -158,8 +178,9 @@ to {\fms} thus: \item Lead damage 1.9\% $\mapsto$ OPEN. \end{itemize} The main causes of drift are overloading of components. -This is borne out in entry~\cite{fmd91}[232] for a resistor network where the failure +This is borne out in in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure modes do not include drift. +% If we can ensure that our resistors will not be exposed to overload conditions, drift (sometimes called parameter change) can be reasonably excluded. @@ -172,7 +193,7 @@ of all electronic components~\cite{en298}[11.2 5] as part of the certification p Annex A of EN298, prescribes failure modes for common components and guidance on determining sets of failure modes for complex components (i.e. integrated circuits). EN298~\cite{en298}[Annex A] (for most types of resistor) -only requires that the failure mode OPEN be considered in FMEA analysis. +only requires that the failure mode OPEN be considered for FMEA analysis. % For resistor types not specifically listed in EN298, the failure modes are considered to be either OPEN or SHORT. @@ -243,7 +264,7 @@ The symptom for this is given as a low slew rate. This means that the op-amp will not react quickly to changes on its input terminals. This is a failure symptom that may not be of concern in a slow responding system like an instrumentation amplifier. However, where higher frequencies are being processed, -a signal may be lost. +a signal may entirely be lost. We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$. \paragraph{No Operation - over stress} 
@@ -272,8 +293,8 @@ EN298 does not specifically define OP\_AMPS failure modes; these can be determi by following a procedure for `integrated~circuits' outlined in annex~A~\cite{en298}[A.1 note e]. This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios. -We examine these failure scenarios on the dual packaged $LM358$ %\mu741$ -and determine its {\fms}. +We examine these failure scenarios on the dual packaged $LM358$~\cite{lm358}%\mu741$ +and determine its {\fms} in table ~\ref{tbl:lm358}. @@ -336,7 +357,7 @@ and determine its {\fms}. \hline \end{tabular} -\label{tbl:pd} +\label{tbl:lm358} \end{table} @@ -398,7 +419,7 @@ component {\fms} in FMEA or FMMD and require interpretation. \section{ FMMD overview} -In the next sections we apply FMMD to example electronic circuits. +In the next sections we apply FMMD to example electronic circuits, analogue/digital and electronic/software hybrids. The basic principles of FMMD are presented here for clarity. \paragraph{ Creating a fault hierarchy.} @@ -445,7 +466,7 @@ The ways in which the amplifier can be affected are its symptoms. When we have determined the symptoms, we can create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms). We can now treat $AMP1$ as a pre-analysed, higher level component. -The amplifier is an abstract concept, in terms of the components. +%The amplifier is an abstract concept, in terms of the components. To a make an `amplifier' we have to connect a a group of components in a specific configuration. This specific configuration corresponds to a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}. 
@@ -469,7 +490,7 @@ mode model of the system under investigation. \begin{figure}[h] \centering - \includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png} + \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png} % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292 \caption{FMMD Hierarchy showing ascending abstraction levels} \label{fig:treeabslev} @@ -615,7 +636,7 @@ and then combining it with the OPAMP failure mode model. The second is to place all three components in a {\fg}. Both approaches are followed in the next two sub-sections. -\subsection{Inverting OPAMP using a Potential Divider {\dc}} +\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}} We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative. We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'. @@ -672,7 +693,10 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis} $$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$ -\subsection{Inverting OP-AMP analysing with three components in one {\fg}} +\subsection{Second Approach: Inverting OP-AMP analysing with three components in one larger {\fg}} + +Here we analyse the same problem without using an intermediate $PD$ +derived component. %We can use this for a more general case, because we can examine the %effects on the circuit for each operational case (i.e. input +ve 
@@ -706,7 +730,7 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis} FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline - FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline + FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline \hline @@ -715,7 +739,7 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis} \end{table} -$$ fm(INVAMP) = \{ HIGH, LOW, NO GAIN, LOW PASS \} $$ +$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$ %Much more general. OUT OF RANGE symptom maps to many component failure modes. @@ -763,9 +787,9 @@ and for the second analysis a CC of $8.(3-2)=16$. \end{figure} -The amplifier in figure~\ref{fig:circuit1} amplifies the difference between +The circuit in figure~\ref{fig:circuit1} amplifies the difference between the input voltages $+V1$ and $+V2$. -It would be desirable to represent this circuit as a derived component called say $DiffAMP$. +It would be desirable to represent this circuit as a {\dc} called say $DiffAMP$. We begin by identifying functional groups from the components in the circuit. @@ -868,7 +892,7 @@ The first amplifier was grounded and received as input `+V1' (presumably a positive voltage). This means the junction of R1 R3 is always +ve. This means the input voltage `+V2' could be lower than this. -This means R3 R4 is not a potential divider, with R4 being on the positive side. +This means R3 R4 is not a fixed potential divider, with R4 being on the positive side. It could be on either polarity (i.e. the other way around R4 could be the negative side). Here it is more intuitive to model the resistors not as a potential divider, but individually. %This means we are either going to 
@@ -954,12 +978,13 @@ We now create a derived component to represent the circuit in figure~\ref{fig:ci $$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$ -Its interesting here to note that we can draw a directed graph (figure~\ref{fig:circuit1_dag}) +We draw a directed graph (figure~\ref{fig:circuit1_dag}) of the failure modes and derived components. +% Using this we can trace any top level fault back to -a component failure mode that could have caused it. -In fact we can re-construct an FTA diagram from the information in this graph. -We merely have to choose a top level event and work down using $XOR$ gates. +a component failure mode that could have caused it\footnote{ In fact we can +re-construct an FTA diagram from the information in this graph. +We merely have to choose a top level event and work down using $XOR$ gates.}. This circuit performs poorly from a safety point of view. Its failure modes could be indistinguishable from valid readings (especially @@ -973,13 +998,14 @@ when it becomes a V2 follower). \label{fig:circuit1_dag} \end{figure} -The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is currently impossible to detect--- +The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is impossible to detect in this circuit--- in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508 terminology is called an undetectable fault. +% Were this failure to have safety implications this FMMD analysis will have revealed -the un-observability and prompt re-design of this +the un-observability and would likely prompt re-design of this circuit\footnote{A typical way to solve an un-observability such as this is -to periodically switch test signals in place of the input signal} +to periodically switch in test signals in place of the input signal.} . \clearpage 
@@ -1030,7 +1056,7 @@ read its output signal. However, from a failure mode perspective we can analyse it in a very similar way to a potential divider (see section~\ref{potdivfmmd}). Capacitors generally fail OPEN but some types fail OPEN and SHORT. -We will consider the latter type for this analysis. +We will consider the worst case two failure mode model for this analysis. We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\ @@ -1309,7 +1335,7 @@ This consists of a resistor and a capacitor. We already have failure mode models we now need to see how these failure modes would affect the phase shifter. Note that the circuit here is identical to the low pass filter in circuit topology (see \ref{sec:lp}), but its intended use is different. We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}. - +Our functional group for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$. \begin{table}[h+] \caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table @@ -1331,9 +1357,9 @@ We have to analyse this circuit from the perspective of it being a {\em phase~sh % PHS45 -$$ fm (PHS45) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$ +$$ fm (G_0) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$ -$$ CC(PHS45) = 4.1 = 4 $$ +$$ CC(G_0) = 4.1 = 4 $$ \subsection{Non Inverting Buffer: NIBUFF.} @@ -1343,7 +1369,7 @@ We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this g $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ Because we obtain the failure modes for $NIBUFF$ from the literature, -its comparison complexity is zero. +its comparison complexity is zero. In re-using {\dcs} we expend no extra analysis effort. $$ CC(NIBUFF) = 0 $$ %\subsection{Forming a functional group from the PHS45 and NIBUFF.} 
@@ -1360,11 +1386,14 @@ Initially we use the first identified {\fgs} to create our model without further \subsection{FMMD Analysis using initially identified functional groups} +Our functional group for this analysis can be expressed thus: +$$ G^1_0 = PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} .$$ + \begin{figure}[h+] \centering \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png} % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390 - \caption{Bubba Oscillator: One final large functional group.} + \caption{Bubba Oscillator: One large functional group using the initial functional groups to model oscillator.} \label{fig:poss1finalbubba} \end{figure} @@ -1433,7 +1462,7 @@ $$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}, LO_{fosc} \} . $$ For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}. $$ CC = 28.8 = 224$$ -To obtain the total comparison complexity $TCC$, we need to add the complexity from the +To obtain the total comparison complexity ($TCC$), we need to add the complexity from the {\dcs} that $BubbaOscillator$ was built from. $$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$ 
@@ -1442,9 +1471,11 @@ $$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$ %$3.4=12$ from this result, because the results from $BUFF45$ have been used four times. Traditional FMEA would have lead us to a much higher comparison complexity of $468$ failure modes to check against components. -The analysis here appears top-heavy; we should be able to refine the model more +However, the analysis here appears top-heavy; we should be able to refine the model more and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully this should lead a further reduction in the complexity comparison figure. +By de-creasing the size of the modules with further refinement, +we may also discover new derived components that may be of use for other analyses in the future. @@ -1693,13 +1724,16 @@ a mixed analogue and digital feedback circuit. A summing junction and integrator is used to compare the negative feedback signal with the input. % -The output of the integrator is digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic) -which acts as a comparator, and fed to the D type flip flop. +The output of the integrator is converted to a digital level (by IC2) +%digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic) +%which acts as a comparator, +and fed to the D type flip flop. % The output of the flip flop forms a bit pattern representing the value of the input voltage. % -The output of the flip flop, is now level converted to an analogue signal +The output of the flip flop is also routed to the feedback. +It is level converted to an analogue signal (i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage) and fed into the summing integrator completing the negative feedback loop. 
@@ -1743,6 +1777,7 @@ This can be our first {\fg} and we analyse it in table~\ref{tbl:suml=j}. $$G^0_1 = \{R1, R2 \}$$ \begin{table}[h+] +\center \caption{R1,R2 Summing Junction: Failure Mode Effects Analysis} % title of Table \label{tbl:sumj} @@ -1785,6 +1820,7 @@ The buffered integrator is analysed in table~\ref{tbl:intg}. \begin{table}[h+] +\center \caption{IC1,C1,IC2 Buffered Integrator: Failure Mode Effects Analysis} % title of Table \label{tbl:intg} @@ -1849,6 +1885,7 @@ We now analyse the {\fg} $G^1$ in table~\ref{tbl:DS2AS}. %$$ fm (BFINT) = \{ HIGH, LOW, NO\_INTEGRATION , LOW\_SLEW \} $$ \begin{table}[h+] +\center \caption{$PD^1, IC3$ Digital level to analogue level converter: Failure Mode Effects Analysis} % title of Table \label{tbl:DS2AS} @@ -2387,7 +2424,7 @@ out by considering the voltage reading over $R_3$ to be relative. The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. One or other of the load resistors (the one we measure current over) should also be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an -accuracy of $\pm 1\%$. Higher accuracy parts may be specified} +accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}. % The \ohms{2k2} loading resistors should have a good temperature co-effecient (i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). @@ -3103,7 +3140,7 @@ and traceable way. Each function is subject to pre-conditions (constraints on it post-conditions (constraints on its outputs) and function wide invariants (rules). -\paragraph{Mapping contract `pre-condition' violations to failure modes} +\paragraph{Mapping contract `pre-condition' violations to failure modes.} A precondition, or requirement for a contract software function defines the correct ranges of input conditions for the function 
@@ -3113,13 +3150,13 @@ For a software function, a violation of a pre-condition is in effect a failure mode of `one of its components'. -\paragraph{Mapping contract `post-condition' violations to symptoms} +\paragraph{Mapping contract `post-condition' violations to symptoms.} A post condition is a definition of correct behaviour by a function. A violated post condition is a symptom of failure of a function. Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function. -\paragraph{Mapping contract `invariant' violations to symptoms and failure modes} +\paragraph{Mapping contract `invariant' violations to symptoms and failure modes.} Invariants in contract programming may apply to inputs to the function (where they can be considered {\fms} in FMMD terminology), and to outputs (where they can be considered {failure symptoms} in FMMD terminology). 
@@ -3135,18 +3172,18 @@ Usually, $4mA$ represents a zero or starting value and $20mA$ represents the ful and this is referred to as {\ft} signalling. % {\ft} has a an electrical advantage as well, because the current in a loop is constant~\cite{aoe}[p.20] -resistance in the wires between the source and the receiving end is not an issue +resistance in the wires between the source and receiving end is not an issue that can alter the accuracy of the signal. % This circuit has many advantages for safety. If the signal becomes disconnected -it reads an out of range $0mA$ at the receiving end. This is outside the {\ft} range, -and is therefore easy to detect as an error rather than an incorrect value. +it reads $0mA$ at the receiving end: as this is outside the {\ft} range +it is easy to detect as an error condition rather than an incorrect value. % Should the driving electronics go wrong at the source end, it will usually -supply far too little or far too much current, making an error condition easy to detect. +supply far too little or far too much current, also making error conditions easy to detect. % At the receiving end, we only require one simple component to convert the -current signal into a voltage that we can read with an ADC: the humble resistor! +current signal into a voltage that we can read with an ADC: a resistor. % the humble resistor! %BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP @@ -3184,7 +3221,7 @@ Our acceptable voltage range is therefore $$(V \ge 0.88) \wedge (V \le 4.4) \; .$$ -This voltage range forms our input requirement. +This voltage range forms our input requirement and can be considered as an invariant condition. % We can now examine a software function that performs a conversion from the voltage read to a per~mil representation of the {\ft} input current. 
@@ -3363,6 +3400,7 @@ With these failure modes, we can analyse our first functional group, see table~\ { \tiny \begin{table}[h+] +\center \caption{$G_1$: Failure Mode Effects Analysis} % title of Table \label{tbl:cmatv}
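Review bot: the `||` fallback in the Makefile `all` target (`acroread fmea_pres.pdf || evince fmea_pres.pdf`) fires whenever acroread returns a non-zero status, not only when it is not installed, so a second viewer can open after the first one fails or is closed with an error. Testing for the binary first (`command -v acroread >/dev/null && acroread fmea_pres.pdf || evince fmea_pres.pdf`), or making the viewer a variable (`VIEWER ?= evince`), states the intent more precisely.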
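Review bot: the TODO comment added at the top of copy.tex has an unclosed parenthesis in `% * ENVIRONMENTAL CASE (perhaps temp on an opto-coupler`; close it, or drop the parentheses on both bullets. The dated `NEED TWO MORE EXAMPLES --- 02JUN2012` marker lives in the thesis source, so it should be removed once the examples exist.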
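Review bot: the dash spacing in the replacement line `Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes,` is uneven (a space after the first `---`, none around the second) and the construction is hard to read; `by looking at {\bc} (or `part') level failure modes` says the same thing without the dashes.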
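Review bot: `MIL1991` in the added line `Using MIL1991 in conjunction with FMD-91` is written `MIL-1991` two sentences earlier in the same hunk; use one spelling in the visible text (the citation key `mil1991` is a separate matter).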
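Review bot: doubled word in the added line `This is borne out in in the FMD-91~\cite{fmd91}[232] entry for a resistor network`; drop one `in`.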
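Review bot: `a signal may entirely be lost` in the op-amp slew rate hunk reads awkwardly; `a signal may be lost entirely` is the natural order and keeps the added emphasis.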
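Review bot: in `$LM358$~\cite{lm358}%\mu741$` the `%` comment now follows the citation with no space, and because `%` also swallows the line break, the next line's `and determine` will be set hard against the citation text; put a space before the `%` (as the removed line had) or move the comment to its own line. On the following line, `table ~\ref{tbl:lm358}` has the tie after a space, so the non-breaking tie does nothing and a stray space precedes the reference; write `table~\ref{tbl:lm358}`.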
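Review bot: renaming `\label{tbl:pd}` to `\label{tbl:lm358}` on the LM358 table breaks any `\ref{tbl:pd}` that still points at this table; grep the chapter for `tbl:pd` and confirm that the remaining uses are the ones that should resolve to the potential divider table.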
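Review bot: the FMMD overview hunk says `analogue/digital and electronic/software hybrids` while the chapter opening (first copy.tex hunk) says `analogue/digital and electronics/software hybrids`; pick one wording so the two introductions match.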
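Review bot: while commenting out the abstract-amplifier sentence, the context line directly below it still reads `To a make an `amplifier' we have to connect a a group of components` (stray `a` before `make`, doubled `a a`); worth fixing in the same touch.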
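Review bot: the new heading `Second Approach: Inverting OP-AMP analysing with three components in one larger {\fg}` keeps the grammatical slip of the old title; `Inverting OP-AMP analysed with three components in one larger {\fg}` parallels the `First Approach:` heading.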
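Review bot: changing the FS7 `AMP NOOP` symptom from `NO GAIN` to `LOW`, and removing `NO GAIN` from `fm(INVAMP)` in the following hunk, alters the analysis result rather than its wording, and nothing in the visible text says why an op-amp that is not operating is now classed as a LOW output. Add a sentence or a table note justifying the reclassification; as it stands a reader cannot tell whether the change is a correction or was made so that the second approach agrees with the first approach's `\{ lowpass, high, low \}` result.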
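Review bot: the footnote in `caused it\footnote{ In fact we can ... using $XOR$ gates.}.` opens with a space inside the braces and puts the sentence's full stop after the footnote mark; the usual form is `caused it.\footnote{In fact we can ...}` so the mark follows the punctuation.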
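Review bot: in the `DiffAMPIncorrect` hunk the sentence's full stop still sits alone on the context line after the footnote (` .`), which sets a space before it; now that the footnote text ends with its own period, move the full stop before the footnote (`circuit.\footnote{...}`) and delete the orphan line. Also, `Were this failure to have safety implications this FMMD analysis will have revealed` mixes subjunctive and future; `would have revealed` matches the `would likely prompt` added later in the sentence.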
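Review bot: `worst case two failure mode model` in the low pass filter hunk needs hyphens to parse on first reading: `worst-case two-failure-mode model`.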
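Review bot: the added sentence `Our functional group for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$.` repeats `This consists of a resistor and a capacitor` from three lines above; folding the symbol into the earlier sentence (`This consists of a resistor and a capacitor, giving the functional group $G_0 = \{ R, C \}$.`) avoids saying it twice. The blank line before `\begin{table}` was removed at the same time, which is harmless but unusual for this file.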
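Review bot: `fm(PHS45)` and `CC(PHS45)` are renamed to `fm(G_0)` and `CC(G_0)`, but elsewhere in the chapter `fm` is applied to components and derived components (`fm(INVAMP)`, `fm(NIBUFF)`, `fm(DiffAMP)`), and the next hunk still builds `G^1_0` from `PHS45^1_1` through `PHS45^1_4`; either keep `fm(PHS45)` as the derived component's failure modes or add a line stating that analysing $G_0$ yields the derived component $PHS45$, so the symbol reused later is the one defined here.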
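Review bot: the new display `$$ G^1_0 = PHS45^1_1, NIBUFF^0_1, ... NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} .$$` closes a set with `\}` that was never opened and is missing the comma between `NIBUFF^0_3` and `PHS45^1_4`; it should read `$$ G^1_0 = \{ PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3, PHS45^1_4, INVAMP^1_0 \} .$$`. As written it will typeset a dangling brace and two juxtaposed symbols with no separator.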
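Review bot: `de-creasing` in the added line `By de-creasing the size of the modules with further refinement` should be `decreasing`. The context lines of the same hunk carry `Traditional FMEA would have lead us` (`led`) and `this should lead a further reduction` (`lead to a further reduction`).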
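Review bot: `\center` added inside `\begin{table}` here and in the `tbl:intg`, `tbl:DS2AS` and `tbl:cmatv` hunks is the internal start of the `center` environment, not a declaration; it opens a trivlist that is never closed by a matching `\endcenter` and adds vertical space around the caption. `\centering` is the declaration intended for centering a float's contents.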
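Review bot: the footnote punctuation fix (`Higher accuracy parts may be specified.}.`) is correct; the context line `should have a good temperature co-effecient` in the same hunk should read `coefficient` while this sentence is being edited.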
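Review bot: the {\ft} rewrites read well; the context line `{\ft} has a an electrical advantage as well` (doubled article) is in the same paragraph and is worth fixing now.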
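Review bot: the added clause `and can be considered as an invariant condition` conflicts with the mapping set out in the contract-programming hunks above, where the correct ranges of input conditions are pre-conditions and invariants are function-wide rules; the acceptable range `$(V \ge 0.88) \wedge (V \le 4.4)$` constrains the voltage read as input, so `pre-condition` is the term the rest of the section would use. If the intent is that the range must hold throughout the function's execution, state that explicitly rather than relabelling the input requirement.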