Worked through copy.tex from CH5,

need to do diagrams next
Robin Clark 2012-06-04 14:11:18 +01:00
parent 6c6621725f
commit e80d29a0b1
2 changed files with 102 additions and 64 deletions

View File

@ -6,7 +6,7 @@ DIAPNG= three_tree.png component.png fmmd_env_op_uml.png fmmd_exm_h.png maste
all: $(DIAPNG) all: $(DIAPNG)
pdflatex fmea_pres pdflatex fmea_pres
acroread fmea_pres.pdf acroread fmea_pres.pdf || evince fmea_pres.pdf
bib: bib:
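Review bot: Launching a PDF viewer from the `all` target (now `acroread fmea_pres.pdf || evince fmea_pres.pdf`) makes a plain `make` fail or hang on a headless machine, since the recipe returns evince's exit status when acroread is absent. Move the viewer line into a separate `view` target that depends on the PDF, and leave `all` as build-only; note also that a single `pdflatex fmea_pres` pass will not resolve cross-references or the bibliography that the `bib:` target produces, so `all` should run pdflatex at least twice.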

View File

@ -1,8 +1,18 @@
%\clearpage %\pagenumbering{arabic} %\clearpage %\pagenumbering{arabic}
%
% %% NEED TWO MORE EXAMPLES --- 02JUN2012
%
% * ENVIRONMENTAL CASE (perhaps temp on an opto-coupler
%
% * OPERATIONAL STATE (perhaps a self test on an ADC where it is set to output and driven high and low and read)
\label{sec:chap5} \label{sec:chap5}
This chapter demonstrates FMMD applied to This chapter demonstrates FMMD applied to
a variety of common electronic circuits. a variety of common electronic circuits including analogue/digital and electronics/software hybrids.
In order to implement FMMD in practise, we review the basic concepts and processes of the methodology. In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.
\section{Basic Concepts Of FMMD} \section{Basic Concepts Of FMMD}
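Review bot: "In order to implement FMMD in practise" on the line before the new section heading should read "in practice" (noun); the same misspelling is carried over unchanged from the old text. The new TODO block ("NEED TWO MORE EXAMPLES", environmental case, operational state) is fine as a `%` comment but should be dated and removed before the chapter is frozen.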
@ -12,13 +22,15 @@ driving concept behind FMMD is to modularise, from the bottom-up, failure mode e
Traditional FMEA takes part failure modes and then determines what effect each of these Traditional FMEA takes part failure modes and then determines what effect each of these
failure modes could have on the system under investigation. failure modes could have on the system under investigation.
Traditional FMEA, by looking at `part' level failure modes, Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes,
involves what we could term a large `reasoning~distance'; that is to say involves what we could term a large `reasoning~distance'; that is to say
in a complex system, taking a particular failure mode, of a particular part in a complex system, taking a particular failure mode, of a particular {\bc}
and then trying to predict the outcome in the context of an entire system, is and then trying to predict the outcome in the context of an entire system, is
a leap~of~faith. There will be numerous possibilities of effects and side effects on a leap~of~faith.
%
There will be numerous possibilities of effects and side effects on
other components in the system; more than is practically possible to rigorously examine. other components in the system; more than is practically possible to rigorously examine.
To simply trace a simple route from a particular part failure mode to a top level system error/symptom To simply trace a simple route from a particular {\bc} failure mode to a top level system error/symptom
oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone. oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
Fortunately most real-world designs take a modular approach. In Electronics Fortunately most real-world designs take a modular approach. In Electronics
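Review bot: The dash spacing in "looking at {\bc}--- or `part'---level failure modes" is uneven (a space after the first `---` but not around the second), so the parenthetical renders lopsided; write "{\bc}---or `part'---level failure modes". While in this paragraph, "To simply trace a simple route" repeats "simple" and "In Electronics" should not be capitalised.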
@ -29,16 +41,18 @@ It is common design practise in electronics, to use collections of parts in spec
to form well-defined and well-known building blocks. to form well-defined and well-known building blocks.
These commonly used configurations of parts, or {\fgs}, will These commonly used configurations of parts, or {\fgs}, will
also have a specific failure mode behaviour. also have a specific failure mode behaviour.
We can take a {\fg} and determine its symptoms of failure. We can take a {\fg}, analyse it using FMEA and determine its {\em symptoms} of failure.
When we have done this we can treat this as a component in its own right. When we have done this we can treat this {\fg} as a component in its own right.
If we terms `parts' as base~components, components we have determined %
from functional groups as derived components, we modularise the FMEA process. If we term {\bcs} as the components we start analysis with and components we have determined
from functional groups as derived components, we can modularise the FMEA process.
%
If we start building {\fgs} from derived components we can start to build a modular If we start building {\fgs} from derived components we can start to build a modular
hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance, hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
allowing re-use of modules and reducing the number of by-hand analysis checks to consider. allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
As all forms of FMEA are bottom-up processes, we start with the lowest or most basic components/parts. As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts.
%and with their failure modes. %and with their failure modes.
% It is worth defining clearly the term part here. % It is worth defining clearly the term part here.
% Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus: % Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus:
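Review bot: The new sentence "If we term {\bcs} as the components we start analysis with and components we have determined from functional groups as derived components, we can modularise the FMEA process" is hard to parse because "term ... as" is not idiomatic; suggest "If we define {\bcs} as the components we start the analysis with, and the components we determine from functional groups as derived components, we can modularise the FMEA process." The rewritten "As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts." no longer has a main clause once the dashes are removed; "As all forms of FMEA are bottom-up processes, we start with {\bcs}: the lowest or most basic components/parts." keeps the intended meaning.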
@ -64,9 +78,10 @@ As all forms of FMEA are bottom-up processes, we start with the lowest or most b
\label{sec:determine_fms} \label{sec:determine_fms}
In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail. In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail.
A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124]. A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124].
Typically when choosing components for a design, we look at manufacturers' data sheets, Typically when choosing components for a design, we look at manufacturers' data sheets
which describe the environmental ranges and tolerances, and can indicate how a component may fail/behave which describe functionality and dimensions
under certain conditions or environments. and also describe environmental ranges and tolerances, and can indicate how a component may fail/misbehave
under given conditions.
% %
How base components could fail internally, is not of interest to an FMEA investigation. How base components could fail internally, is not of interest to an FMEA investigation.
The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its
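Review bot: The rewritten data-sheet sentence now reads "data sheets which describe functionality and dimensions and also describe environmental ranges and tolerances, and can indicate ...", which doubles "describe" and drops the comma that made the `which` clause non-restrictive in the old text. Suggest "data sheets, which describe functionality, dimensions, environmental ranges and tolerances, and can indicate how a component may fail or misbehave under given conditions." The unchanged context line "How base components could fail internally, is not of interest" has a comma between subject and verb that should go.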
@ -83,15 +98,20 @@ are examined.
FMD-91 is a reference document released into the public domain by the United States DOD FMD-91 is a reference document released into the public domain by the United States DOD
and describes `failures' of common electronic components, with percentage statistics for each failure. and describes `failures' of common electronic components, with percentage statistics for each failure.
%
FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation. FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation.
%
FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of
component {\fms} suitable for use in FMEA. component {\fms} suitable for use in FMEA.
%
A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for
component types but does not detail specific failure modes. component types but does not detail specific failure modes.
Used in conjunction with FMD-91, we can determine statistics for the failure modes %
of component types. The FMEDA process from European standard EN61508~\cite{en61508} for instance, Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes
requires statistics for Meantime to Failure (MTTF) of component types.
for all part failure modes. %
The FMEDA process from European standard EN61508~\cite{en61508} for instance,
requires statistics for Meantime to Failure (MTTF) for all {\bc} failure modes.
% One is from the US military document FMD-91, where internal failures % One is from the US military document FMD-91, where internal failures
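Review bot: The document is named "MIL-1991" in one sentence and "MIL1991" in the new "Using MIL1991 in conjunction with FMD-91" sentence; pick one spelling. "A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides" needs a comma after the citation to close the appositive, and "Meantime to Failure (MTTF)" should be "Mean Time To Failure (MTTF)".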
@ -127,8 +147,8 @@ European burner standard EN298.
\paragraph{Resistor failure modes according to FMD-91.} \paragraph{Resistor failure modes according to FMD-91.}
The resistor is a ubiquitous component in electronics, and is therefore a prime The resistor is a ubiquitous component in electronics, and is therefore a good candidate for detailed examination of its failure modes.
example for examining its failure modes. %
FMD-91\cite{fmd91}[3-178] lists many types of resistor FMD-91\cite{fmd91}[3-178] lists many types of resistor
and lists many possible failure causes. and lists many possible failure causes.
For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes: For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes:
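Review bot: "FMD-91\cite{fmd91}[3-178]" is missing the tie used everywhere else in the chapter (compare "EN298~\cite{en298}"), so a line break can separate the name from its citation; write "FMD-91~\cite{fmd91}[3-178]". The following "lists many types of resistor and lists many possible failure causes" repeats "lists"; "lists many types of resistor and, for each, many possible failure causes" reads better.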
@ -158,8 +178,9 @@ to {\fms} thus:
\item Lead damage 1.9\% $\mapsto$ OPEN. \item Lead damage 1.9\% $\mapsto$ OPEN.
\end{itemize} \end{itemize}
The main causes of drift are overloading of components. The main causes of drift are overloading of components.
This is borne out in entry~\cite{fmd91}[232] for a resistor network where the failure This is borne out in in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure
modes do not include drift. modes do not include drift.
%
If we can ensure that our resistors will not be exposed to overload conditions, drift (sometimes called parameter change) If we can ensure that our resistors will not be exposed to overload conditions, drift (sometimes called parameter change)
can be reasonably excluded. can be reasonably excluded.
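Review bot: The new sentence "This is borne out in in the FMD-91~\cite{fmd91}[232] entry" has a doubled "in". The preceding unchanged line "The main causes of drift are overloading of components" has a number mismatch; "The main cause of drift is overloading of components" agrees with the singular reasoning that follows.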
@ -172,7 +193,7 @@ of all electronic components~\cite{en298}[11.2 5] as part of the certification p
Annex A of EN298, prescribes failure modes for common components Annex A of EN298, prescribes failure modes for common components
and guidance on determining sets of failure modes for complex components (i.e. integrated circuits). and guidance on determining sets of failure modes for complex components (i.e. integrated circuits).
EN298~\cite{en298}[Annex A] (for most types of resistor) EN298~\cite{en298}[Annex A] (for most types of resistor)
only requires that the failure mode OPEN be considered in FMEA analysis. only requires that the failure mode OPEN be considered for FMEA analysis.
% %
For resistor types not specifically listed in EN298, the failure modes For resistor types not specifically listed in EN298, the failure modes
are considered to be either OPEN or SHORT. are considered to be either OPEN or SHORT.
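Review bot: "be considered for FMEA analysis" keeps the tautology of the old "in FMEA analysis" (Failure Mode Effects Analysis analysis); "be considered in FMEA" is enough. Unchanged context line "Annex A of EN298, prescribes failure modes" has a stray comma between subject and verb.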
@ -243,7 +264,7 @@ The symptom for this is given as a low slew rate. This means that the op-amp
will not react quickly to changes on its input terminals. will not react quickly to changes on its input terminals.
This is a failure symptom that may not be of concern in a slow responding system like an This is a failure symptom that may not be of concern in a slow responding system like an
instrumentation amplifier. However, where higher frequencies are being processed, instrumentation amplifier. However, where higher frequencies are being processed,
a signal may be lost. a signal may entirely be lost.
We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$. We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$.
\paragraph{No Operation - over stress} \paragraph{No Operation - over stress}
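Review bot: "a signal may entirely be lost" places the adverb awkwardly; "a signal may be lost entirely" is the natural order. The context heading "\paragraph{No Operation - over stress}" uses a spaced hyphen where the rest of the file uses `---` or a colon for such separators; "\paragraph{No Operation: over stress}" would match the "Resistor failure modes according to FMD-91." style.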
@ -272,8 +293,8 @@ EN298 does not specifically define OP\_AMPS failure modes; these can be determi
by following a procedure for `integrated~circuits' outlined in by following a procedure for `integrated~circuits' outlined in
annex~A~\cite{en298}[A.1 note e]. annex~A~\cite{en298}[A.1 note e].
This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios. This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios.
We examine these failure scenarios on the dual packaged $LM358$ %\mu741$ We examine these failure scenarios on the dual packaged $LM358$~\cite{lm358}%\mu741$
and determine its {\fms}. and determine its {\fms} in table ~\ref{tbl:lm358}.
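Review bot: "in table ~\ref{tbl:lm358}" has a space before the tilde, so the tie does nothing and the output gets a double space before the table number; it must be "table~\ref{tbl:lm358}". Also consider setting the part number as text rather than math ("$LM358$" italicises it as a product of variables), for example "LM358~\cite{lm358}".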
@ -336,7 +357,7 @@ and determine its {\fms}.
\hline \hline
\end{tabular} \end{tabular}
\label{tbl:pd} \label{tbl:lm358}
\end{table} \end{table}
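Review bot: Renaming this table's label from tbl:pd to tbl:lm358 is right (the old label reads like a copy from the potential-divider table), but every existing `\ref{tbl:pd}` in the file must be checked: any that meant this op-amp table now silently point at the potential-divider table, and if no other table carries tbl:pd those references become undefined. A grep for `tbl:pd` before merging would confirm.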
@ -398,7 +419,7 @@ component {\fms} in FMEA or FMMD and require interpretation.
\section{ FMMD overview} \section{ FMMD overview}
In the next sections we apply FMMD to example electronic circuits. In the next sections we apply FMMD to example electronic circuits, analogue/digital and electronic/software hybrids.
The basic principles of FMMD are presented here for clarity. The basic principles of FMMD are presented here for clarity.
\paragraph{ Creating a fault hierarchy.} \paragraph{ Creating a fault hierarchy.}
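Review bot: The new wording "analogue/digital and electronic/software hybrids" differs from the chapter introduction's "analogue/digital and electronics/software hybrids" changed in the same commit; use one form in both places. The leading spaces inside "\section{ FMMD overview}" and "\paragraph{ Creating a fault hierarchy.}" are untidy and can show as a small indent in the typeset heading; drop them.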
@ -445,7 +466,7 @@ The ways in which the amplifier can be affected are its symptoms.
When we have determined the symptoms, we can When we have determined the symptoms, we can
create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms). create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
We can now treat $AMP1$ as a pre-analysed, higher level component. We can now treat $AMP1$ as a pre-analysed, higher level component.
The amplifier is an abstract concept, in terms of the components. %The amplifier is an abstract concept, in terms of the components.
To a make an `amplifier' we have to connect a a group of components To a make an `amplifier' we have to connect a a group of components
in a specific configuration. This specific configuration corresponds to in a specific configuration. This specific configuration corresponds to
a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}. a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
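Review bot: Commenting out "The amplifier is an abstract concept, in terms of the components." leaves the next sentence starting the explanation cold; either keep it or fold its point into the following sentence. That following context line, "To a make an `amplifier' we have to connect a a group of components", has two doubled articles ("To a make", "a a group") that should be fixed while the paragraph is being edited.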
@ -469,7 +490,7 @@ mode model of the system under investigation.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png} \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
% tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292 % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
\caption{FMMD Hierarchy showing ascending abstraction levels} \caption{FMMD Hierarchy showing ascending abstraction levels}
\label{fig:treeabslev} \label{fig:treeabslev}
@ -615,7 +636,7 @@ and then combining it with the OPAMP failure mode model.
The second is to place all three components in a {\fg}. The second is to place all three components in a {\fg}.
Both approaches are followed in the next two sub-sections. Both approaches are followed in the next two sub-sections.
\subsection{Inverting OPAMP using a Potential Divider {\dc}} \subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative. We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative.
We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'. We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'.
@ -672,7 +693,10 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis}
$$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$ $$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$
\subsection{Inverting OP-AMP analysing with three components in one {\fg}} \subsection{Second Approach: Inverting OP-AMP analysing with three components in one larger {\fg}}
Here we analyse the same problem without using an intermediate $PD$
derived component.
%We can use this for a more general case, because we can examine the %We can use this for a more general case, because we can examine the
%effects on the circuit for each operational case (i.e. input +ve %effects on the circuit for each operational case (i.e. input +ve
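Review bot: The new heading "Second Approach: Inverting OP-AMP analysing with three components in one larger {\fg}" needs "analysed" rather than "analysing", and spells the device "OP-AMP" while the matching "First Approach" heading in this commit uses "OPAMP"; align the two.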
@ -706,7 +730,7 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis}
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline
FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
\hline \hline
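Review bot: The FS7 row now gives the symptom for AMP NOOP as LOW, but its failure-result column still reads $INVAMP_{nogain}$, so the row contradicts itself. Either rename the intermediate to $INVAMP_{low}$ or add a sentence justifying why a non-operating op-amp presents as LOW at the output; the hunk context claims this analysis "gives the same results as the analysis from figure~\ref{fig:invampanalysis}", so the classification needs to be defensible.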
@ -715,7 +739,7 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis}
\end{table} \end{table}
$$ fm(INVAMP) = \{ HIGH, LOW, NO GAIN, LOW PASS \} $$ $$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$
%Much more general. OUT OF RANGE symptom maps to many component failure modes. %Much more general. OUT OF RANGE symptom maps to many component failure modes.
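Review bot: The second-approach set $$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$ is meant to equal the first-approach set $$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$ but is written in a different case and order, and in math mode "LOW PASS" loses its space and sets as LOWPASS. Use one spelling for the three symptoms in both places (for example `\{ HIGH, LOW, LOW\_PASS \}` or `\mathit{lowpass}`), so the reader can see the two results are identical.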
@ -763,9 +787,9 @@ and for the second analysis a CC of $8.(3-2)=16$.
\end{figure} \end{figure}
The amplifier in figure~\ref{fig:circuit1} amplifies the difference between The circuit in figure~\ref{fig:circuit1} amplifies the difference between
the input voltages $+V1$ and $+V2$. the input voltages $+V1$ and $+V2$.
It would be desirable to represent this circuit as a derived component called say $DiffAMP$. It would be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
We begin by identifying functional groups from the components in the circuit. We begin by identifying functional groups from the components in the circuit.
@ -868,7 +892,7 @@ The first amplifier was grounded and received as input `+V1' (presumably
a positive voltage). a positive voltage).
This means the junction of R1 R3 is always +ve. This means the junction of R1 R3 is always +ve.
This means the input voltage `+V2' could be lower than this. This means the input voltage `+V2' could be lower than this.
This means R3 R4 is not a potential divider, with R4 being on the positive side. This means R3 R4 is not a fixed potential divider, with R4 being on the positive side.
It could be on either polarity (i.e. the other way around R4 could be the negative side). It could be on either polarity (i.e. the other way around R4 could be the negative side).
Here it is more intuitive to model the resistors not as a potential divider, but individually. Here it is more intuitive to model the resistors not as a potential divider, but individually.
%This means we are either going to %This means we are either going to
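Review bot: Four consecutive sentences in this paragraph open with "This means", and the edited one, "This means R3 R4 is not a fixed potential divider, with R4 being on the positive side.", is hard to follow. Suggest merging: "Because `+V2' can be lower than the R1/R3 junction, R3 and R4 do not form a fixed potential divider: either resistor may be on the positive side."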
@ -954,12 +978,13 @@ We now create a derived component to represent the circuit in figure~\ref{fig:ci
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$ $$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$
Its interesting here to note that we can draw a directed graph (figure~\ref{fig:circuit1_dag}) We draw a directed graph (figure~\ref{fig:circuit1_dag})
of the failure modes and derived components. of the failure modes and derived components.
%
Using this we can trace any top level fault back to Using this we can trace any top level fault back to
a component failure mode that could have caused it. a component failure mode that could have caused it\footnote{ In fact we can
In fact we can re-construct an FTA diagram from the information in this graph. re-construct an FTA diagram from the information in this graph.
We merely have to choose a top level event and work down using $XOR$ gates. We merely have to choose a top level event and work down using $XOR$ gates.}.
This circuit performs poorly from a safety point of view. This circuit performs poorly from a safety point of view.
Its failure modes could be indistinguishable from valid readings (especially Its failure modes could be indistinguishable from valid readings (especially
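Review bot: The new footnote is attached before the sentence's full stop ("caused it\footnote{ In fact ...}.") and opens with a stray space after the brace. Convention is marker after punctuation: "caused it.\footnote{In fact we can re-construct an FTA diagram ...}". The demotion of the FTA remark to a footnote is a good call.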
@ -973,13 +998,14 @@ when it becomes a V2 follower).
\label{fig:circuit1_dag} \label{fig:circuit1_dag}
\end{figure} \end{figure}
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is currently impossible to detect--- The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is impossible to detect in this circuit---
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508 in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508
terminology is called an undetectable fault. terminology is called an undetectable fault.
%
Were this failure to have safety implications this FMMD analysis will have revealed Were this failure to have safety implications this FMMD analysis will have revealed
the un-observability and prompt re-design of this the un-observability and would likely prompt re-design of this
circuit\footnote{A typical way to solve an un-observability such as this is circuit\footnote{A typical way to solve an un-observability such as this is
to periodically switch test signals in place of the input signal} to periodically switch in test signals in place of the input signal.}
. .
\clearpage \clearpage
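Review bot: The sentence ending "circuit\footnote{...}" is followed by a full stop on its own line, which TeX sets as "circuit¹ ." with a space before the period; write "circuit.\footnote{A typical way ... input signal.}" and delete the lone "." line. The tense in "Were this failure to have safety implications this FMMD analysis will have revealed the un-observability and would likely prompt re-design" is mixed; "would have revealed ... and would likely prompt" keeps the conditional consistent.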
@ -1030,7 +1056,7 @@ read its output signal.
However, from a failure mode perspective we can analyse it in a very similar way However, from a failure mode perspective we can analyse it in a very similar way
to a potential divider (see section~\ref{potdivfmmd}). to a potential divider (see section~\ref{potdivfmmd}).
Capacitors generally fail OPEN but some types fail OPEN and SHORT. Capacitors generally fail OPEN but some types fail OPEN and SHORT.
We will consider the latter type for this analysis. We will consider the worst case two failure mode model for this analysis.
We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\ We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\
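Review bot: "the worst case two failure mode model" needs hyphens to be readable as a single modifier: "the worst-case, two-failure-mode model". The substitution for "the latter type" is otherwise clearer, since it states the assumption rather than pointing back.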
@ -1309,7 +1335,7 @@ This consists of a resistor and a capacitor. We already have failure mode models
we now need to see how these failure modes would affect the phase shifter. Note that the circuit here we now need to see how these failure modes would affect the phase shifter. Note that the circuit here
is identical to the low pass filter in circuit topology (see \ref{sec:lp}), but its intended use is different. is identical to the low pass filter in circuit topology (see \ref{sec:lp}), but its intended use is different.
We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}. We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}.
Our functional group for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$.
\begin{table}[h+] \begin{table}[h+]
\caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table \caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table
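Review bot: The new group name "$G_0 = \{ R, C \}$" does not follow the notation used for the other functional groups in this file, where the abstraction level is a superscript and the index a subscript ("$G^0_1 = \{R1, R2 \}$", "$G^1_0 = ..."); write the phase-shifter group as $G^0_n$ with a consistent index so the hierarchy level is visible.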
@ -1331,9 +1357,9 @@ We have to analyse this circuit from the perspective of it being a {\em phase~sh
% PHS45 % PHS45
$$ fm (PHS45) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$ $$ fm (G_0) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$
$$ CC(PHS45) = 4.1 = 4 $$ $$ CC(G_0) = 4.1 = 4 $$
\subsection{Non Inverting Buffer: NIBUFF.} \subsection{Non Inverting Buffer: NIBUFF.}
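Review bot: Changing "fm (PHS45)" to "fm (G_0)" conflates the functional group with the derived component it produces: in FMMD the failure-mode set $fm$ belongs to the {\dc}, and the Bubba oscillator group later in this commit still refers to the derived component as $PHS45^1_1$ etc. Keep "$$ fm (PHS45) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$" (or state that PHS45 is derived from $G_0$), while "$$ CC(G_0) = 4.1 = 4 $$" is correct as comparison complexity is a property of the group.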
@ -1343,7 +1369,7 @@ We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this g
$$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$ $$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
Because we obtain the failure modes for $NIBUFF$ from the literature, Because we obtain the failure modes for $NIBUFF$ from the literature,
its comparison complexity is zero. its comparison complexity is zero. In re-using {\dcs} we expend no extra analysis effort.
$$ CC(NIBUFF) = 0 $$ $$ CC(NIBUFF) = 0 $$
%\subsection{Forming a functional group from the PHS45 and NIBUFF.} %\subsection{Forming a functional group from the PHS45 and NIBUFF.}
@ -1360,11 +1386,14 @@ Initially we use the first identified {\fgs} to create our model without further
\subsection{FMMD Analysis using initially identified functional groups} \subsection{FMMD Analysis using initially identified functional groups}
Our functional group for this analysis can be expressed thus:
$$ G^1_0 = PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} .$$
\begin{figure}[h+] \begin{figure}[h+]
\centering \centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png} \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png}
% largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390 % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
\caption{Bubba Oscillator: One final large functional group.} \caption{Bubba Oscillator: One large functional group using the initial functional groups to model oscillator.}
\label{fig:poss1finalbubba} \label{fig:poss1finalbubba}
\end{figure} \end{figure}
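Review bot: The new set expression is malformed LaTeX: "$$ G^1_0 = PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} .$$" has a closing `\}` with no opening `\{` after the equals sign, and is missing the comma between `NIBUFF^0_3` and `PHS45^1_4`. The new caption should also read "to model the oscillator".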
@ -1433,7 +1462,7 @@ $$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}, LO_{fosc} \} . $$
For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}. For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}.
$$ CC = 28.8 = 224$$ $$ CC = 28.8 = 224$$
To obtain the total comparison complexity $TCC$, we need to add the complexity from the To obtain the total comparison complexity ($TCC$), we need to add the complexity from the
{\dcs} that $BubbaOscillator$ was built from. {\dcs} that $BubbaOscillator$ was built from.
$$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$ $$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$
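Review bot: "$$ CC = 28.8 = 224$$" and "$$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$" use a full stop for multiplication, so "28.8" reads as a decimal and the arithmetic looks wrong at first glance; use `\cdot` or `\times` ("28 \times 8 = 224", "28 \times 8 + 4 \times 4 + 4 \times 0 + 10 = 250") here and wherever the chapter computes complexity. The parentheses added around $TCC$ are fine.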
@ -1442,9 +1471,11 @@ $$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$
%$3.4=12$ from this result, because the results from $BUFF45$ have been used four times. %$3.4=12$ from this result, because the results from $BUFF45$ have been used four times.
Traditional FMEA would have lead us to a much higher comparison complexity Traditional FMEA would have lead us to a much higher comparison complexity
of $468$ failure modes to check against components. of $468$ failure modes to check against components.
The analysis here appears top-heavy; we should be able to refine the model more However, the analysis here appears top-heavy; we should be able to refine the model more
and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully
this should lead a further reduction in the complexity comparison figure. this should lead a further reduction in the complexity comparison figure.
By de-creasing the size of the modules with further refinement,
we may also discover new derived components that may be of use for other analyses in the future.
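Review bot: The added sentence spells "de-creasing" with a hyphen; it should be "decreasing". The surrounding lines carry two verb errors worth fixing in the same pass: "Traditional FMEA would have lead us" should be "led", and "this should lead a further reduction" is missing "to".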
@ -1693,13 +1724,16 @@ a mixed analogue and digital feedback circuit.
A summing junction and integrator is used to compare the negative feedback A summing junction and integrator is used to compare the negative feedback
signal with the input. signal with the input.
% %
The output of the integrator is digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic) The output of the integrator is converted to a digital level (by IC2)
which acts as a comparator, and fed to the D type flip flop. %digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic)
%which acts as a comparator,
and fed to the D type flip flop.
% %
The output of the flip flop forms a bit pattern representing the value The output of the flip flop forms a bit pattern representing the value
of the input voltage. of the input voltage.
% %
The output of the flip flop, is now level converted to an analogue signal The output of the flip flop is also routed to the feedback.
It is level converted to an analogue signal
(i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage) (i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage)
and fed into the summing integrator completing the negative feedback loop. and fed into the summing integrator completing the negative feedback loop.
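Review bot: "The output of the flip flop is also routed to the feedback." is incomplete as written; "is also fed back" or "is also routed into the feedback path" says what is meant. Splitting the first sentence around the commented-out lines leaves "converted to a digital level (by IC2) ... and fed to the D type flip flop" grammatical, but "D type flip flop" should be hyphenated as "D-type flip-flop" in both occurrences.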
@ -1743,6 +1777,7 @@ This can be our first {\fg} and we analyse it in table~\ref{tbl:suml=j}.
$$G^0_1 = \{R1, R2 \}$$ $$G^0_1 = \{R1, R2 \}$$
\begin{table}[h+] \begin{table}[h+]
\center
\caption{R1,R2 Summing Junction: Failure Mode Effects Analysis} % title of Table \caption{R1,R2 Summing Junction: Failure Mode Effects Analysis} % title of Table
\label{tbl:sumj} \label{tbl:sumj}
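Review bot: The added `\center` inside the table environment is the internal command behind `\begin{center}` and opens a trivlist that nothing closes; the correct declaration is `\centering`, which the figure environments in this file already use. Replace the new `\center` line with `\centering`.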
@ -1785,6 +1820,7 @@ The buffered integrator is analysed in table~\ref{tbl:intg}.
\begin{table}[h+] \begin{table}[h+]
\center
\caption{IC1,C1,IC2 Buffered Integrator: Failure Mode Effects Analysis} % title of Table \caption{IC1,C1,IC2 Buffered Integrator: Failure Mode Effects Analysis} % title of Table
\label{tbl:intg} \label{tbl:intg}
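Review bot: `\center` should be `\centering` here; bare `\center` starts a trivlist without an `\endcenter`, which adds stray vertical space inside the float, whereas `\centering` is the declaration intended for use inside a table.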
@ -1849,6 +1885,7 @@ We now analyse the {\fg} $G^1$ in table~\ref{tbl:DS2AS}.
%$$ fm (BFINT) = \{ HIGH, LOW, NO\_INTEGRATION , LOW\_SLEW \} $$ %$$ fm (BFINT) = \{ HIGH, LOW, NO\_INTEGRATION , LOW\_SLEW \} $$
\begin{table}[h+] \begin{table}[h+]
\center
\caption{$PD^1, IC3$ Digital level to analogue level converter: Failure Mode Effects Analysis} % title of Table \caption{$PD^1, IC3$ Digital level to analogue level converter: Failure Mode Effects Analysis} % title of Table
\label{tbl:DS2AS} \label{tbl:DS2AS}
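Review bot: Same fix needed in this table as in the other two tables touched by this commit: the new `\center` line should be `\centering`, since `\center` without a matching `\endcenter` leaves an unclosed trivlist inside the float.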
@ -2387,7 +2424,7 @@ out by considering the voltage reading over $R_3$ to be relative.
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range. The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one we measure current over) should also One or other of the load resistors (the one we measure current over) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
accuracy of $\pm 1\%$. Higher accuracy parts may be specified} accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
% %
The \ohms{2k2} loading resistors should have a good temperature co-effecient The \ohms{2k2} loading resistors should have a good temperature co-effecient
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $). (i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
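Review bot: The footnote punctuation fix ("specified.}.") is correct. In the unchanged context line directly after it, "temperature co-effecient" is misspelled and should be "temperature coefficient", and the expression "$\leq \; 50(ppm)\Delta R \propto \Delta \oc $" would read more clearly as "$\Delta R / R \leq 50\,\mathrm{ppm}$ per $\oc$".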
@ -3103,7 +3140,7 @@ and traceable way. Each function is subject to pre-conditions (constraints on it
post-conditions (constraints on its outputs) and function wide invariants (rules). post-conditions (constraints on its outputs) and function wide invariants (rules).
\paragraph{Mapping contract `pre-condition' violations to failure modes} \paragraph{Mapping contract `pre-condition' violations to failure modes.}
A precondition, or requirement for a contract software function A precondition, or requirement for a contract software function
defines the correct ranges of input conditions for the function defines the correct ranges of input conditions for the function
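Review bot: the appositive opened in `A precondition, or requirement for a contract software function` is never closed; it needs the matching comma before `defines` (`... contract software function, defines the correct ranges of input conditions ...`). The terminal full stop added to the run-in `\paragraph` heading is fine and matches the other headings changed in this commit.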
@ -3113,13 +3150,13 @@ For a software function, a violation of a pre-condition is
in effect a failure mode of `one of its components'. in effect a failure mode of `one of its components'.
\paragraph{Mapping contract `post-condition' violations to symptoms} \paragraph{Mapping contract `post-condition' violations to symptoms.}
A post condition is a definition of correct behaviour by a function. A post condition is a definition of correct behaviour by a function.
A violated post condition is a symptom of failure of a function. A violated post condition is a symptom of failure of a function.
Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function. Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function.
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes} \paragraph{Mapping contract `invariant' violations to symptoms and failure modes.}
Invariants in contract programming may apply to inputs to the function (where they can be considered {\fms} in FMMD terminology), Invariants in contract programming may apply to inputs to the function (where they can be considered {\fms} in FMMD terminology),
and to outputs (where they can be considered {failure symptoms} in FMMD terminology). and to outputs (where they can be considered {failure symptoms} in FMMD terminology).
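Review bot: `{failure symptoms}` on the last context line is braced plain text, not a macro, so the braces do nothing and read like a missed backslash next to `{\fms}` on the line above; if a macro exists for failure symptoms use it, otherwise drop the braces. The body also writes `post condition` while the new heading writes `post-condition`; pick one hyphenation for the section.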
@ -3135,18 +3172,18 @@ Usually, $4mA$ represents a zero or starting value and $20mA$ represents the ful
and this is referred to as {\ft} signalling. and this is referred to as {\ft} signalling.
% %
{\ft} has a an electrical advantage as well, because the current in a loop is constant~\cite{aoe}[p.20] {\ft} has a an electrical advantage as well, because the current in a loop is constant~\cite{aoe}[p.20]
resistance in the wires between the source and the receiving end is not an issue resistance in the wires between the source and receiving end is not an issue
that can alter the accuracy of the signal. that can alter the accuracy of the signal.
% %
This circuit has many advantages for safety. If the signal becomes disconnected This circuit has many advantages for safety. If the signal becomes disconnected
it reads an out of range $0mA$ at the receiving end. This is outside the {\ft} range, it reads $0mA$ at the receiving end: as this is outside the {\ft} range
and is therefore easy to detect as an error rather than an incorrect value. it is easy to detect as an error condition rather than an incorrect value.
% %
Should the driving electronics go wrong at the source end, it will usually Should the driving electronics go wrong at the source end, it will usually
supply far too little or far too much current, making an error condition easy to detect. supply far too little or far too much current, also making error conditions easy to detect.
% %
At the receiving end, we only require one simple component to convert the At the receiving end, we only require one simple component to convert the
current signal into a voltage that we can read with an ADC: the humble resistor! current signal into a voltage that we can read with an ADC: a resistor. % the humble resistor!
%BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP %BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP
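Review bot: `\cite{aoe}[p.20]` puts the page reference in the wrong argument, so `[p.20]` will be typeset as literal text after the citation; the form that places it inside the citation is `\cite[p.20]{aoe}`. The same context line still reads `has a an electrical advantage` (doubled article), and the clause `because the current in a loop is constant` runs straight into `resistance in the wires ...` with no comma or connective; suggest `is constant, resistance in the wires between the source and receiving end is not an issue`. The rewritten disconnection sentence (`reads $0mA$ ... : as this is outside the {\ft} range it is easy to detect as an error condition`) is fine as changed.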
@ -3184,7 +3221,7 @@ Our acceptable voltage range is therefore
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$ $$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
This voltage range forms our input requirement. This voltage range forms our input requirement and can be considered as an invariant condition.
% %
We can now examine a software function that performs a conversion from the voltage read to We can now examine a software function that performs a conversion from the voltage read to
a per~mil representation of the {\ft} input current. a per~mil representation of the {\ft} input current.
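Review bot: describing the $0.88$ to $4.4$ volt input range as `an invariant condition` conflicts with the mapping set up earlier in this file, where `A precondition ... defines the correct ranges of input conditions for the function` and invariants are treated separately from pre-conditions; if this range is the input requirement of the conversion function discussed in the next sentence, the consistent term here is `pre-condition`, otherwise the text should say why it is an invariant rather than a pre-condition.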
@ -3363,6 +3400,7 @@ With these failure modes, we can analyse our first functional group, see table~\
{ {
\tiny \tiny
\begin{table}[h+] \begin{table}[h+]
\center
\caption{$G_1$: Failure Mode Effects Analysis} % title of Table \caption{$G_1$: Failure Mode Effects Analysis} % title of Table
\label{tbl:cmatv} \label{tbl:cmatv}
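Review bot: same point as for the earlier table in this commit: the added `\center` should be `\centering`, since `\center` starts the `center` environment without ending it, and the unchanged `\begin{table}[h+]` placement will raise `Unknown float option` for the `+`; use `[h]` or `[ht]`. The surrounding `{ \tiny ... }` group is unchanged context and is fine as long as the closing brace follows `\end{table}`.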