Worked through copy.tex from CH5,
need to do diagrams next
This commit is contained in:
parent
6c6621725f
commit
e80d29a0b1
@ -6,7 +6,7 @@ DIAPNG= three_tree.png component.png fmmd_env_op_uml.png fmmd_exm_h.png maste
|
||||
|
||||
all: $(DIAPNG)
|
||||
pdflatex fmea_pres
|
||||
acroread fmea_pres.pdf
|
||||
acroread fmea_pres.pdf || evince fmea_pres.pdf
|
||||
|
||||
|
||||
bib:
|
||||
|
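Review bot: the new recipe line `acroread fmea_pres.pdf || evince fmea_pres.pdf` hard-codes two viewers and will still fail the `make` run when neither is installed; a `PDFVIEWER ?= evince` variable at the top of the Makefile with `$(PDFVIEWER) fmea_pres.pdf` in the recipe is easier to override per machine than a chain of `||` fallbacks.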
@ -1,8 +1,18 @@
|
||||
%\clearpage %\pagenumbering{arabic}
|
||||
|
||||
%
|
||||
% %% NEED TWO MORE EXAMPLES --- 02JUN2012
|
||||
%
|
||||
% * ENVIRONMENTAL CASE (perhaps temp on an opto-coupler
|
||||
%
|
||||
% * OPERATIONAL STATE (perhaps a self test on an ADC where it is set to output and driven high and low and read)
|
||||
|
||||
|
||||
|
||||
\label{sec:chap5}
|
||||
|
||||
This chapter demonstrates FMMD applied to
|
||||
a variety of common electronic circuits.
|
||||
a variety of common electronic circuits including analogue/digital and electronics/software hybrids.
|
||||
In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.
|
||||
|
||||
\section{Basic Concepts Of FMMD}
|
||||
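Review bot: "In order to implement FMMD in practise" uses the verb spelling; as a noun this should be "in practice". The `% %% NEED TWO MORE EXAMPLES --- 02JUN2012` reminder is fine as a commented TODO, but the `\label{sec:chap5}` added here needs to sit directly after the chapter's `\chapter{...}` command to resolve to the chapter number rather than the previous sectioning unit.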
@ -12,13 +22,15 @@ driving concept behind FMMD is to modularise, from the bottom-up, failure mode e
|
||||
Traditional FMEA takes part failure modes and then determines what effect each of these
|
||||
failure modes could have on the system under investigation.
|
||||
|
||||
Traditional FMEA, by looking at `part' level failure modes,
|
||||
Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes,
|
||||
involves what we could term a large `reasoning~distance'; that is to say
|
||||
in a complex system, taking a particular failure mode, of a particular part
|
||||
in a complex system, taking a particular failure mode, of a particular {\bc}
|
||||
and then trying to predict the outcome in the context of an entire system, is
|
||||
a leap~of~faith. There will be numerous possibilities of effects and side effects on
|
||||
a leap~of~faith.
|
||||
%
|
||||
There will be numerous possibilities of effects and side effects on
|
||||
other components in the system; more than is practically possible to rigorously examine.
|
||||
To simply trace a simple route from a particular part failure mode to a top level system error/symptom
|
||||
To simply trace a simple route from a particular {\bc} failure mode to a top level system error/symptom
|
||||
oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
|
||||
|
||||
Fortunately most real-world designs take a modular approach. In Electronics
|
||||
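Review bot: the dash spacing in the new line "Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes," is asymmetric (a space after the first em-dash, none after the second); write it as "{\bc}---or `part'---level" so both dashes set the same way. The replacement of `part' by `{\bc}` in the other lines of this hunk is consistent with the rest of the commit.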
@ -29,16 +41,18 @@ It is common design practise in electronics, to use collections of parts in spec
|
||||
to form well-defined and well-known building blocks.
|
||||
These commonly used configurations of parts, or {\fgs}, will
|
||||
also have a specific failure mode behaviour.
|
||||
We can take a {\fg} and determine its symptoms of failure.
|
||||
We can take a {\fg}, analyse it using FMEA and determine its {\em symptoms} of failure.
|
||||
|
||||
When we have done this we can treat this as a component in its own right.
|
||||
If we terms `parts' as base~components, components we have determined
|
||||
from functional groups as derived components, we modularise the FMEA process.
|
||||
When we have done this we can treat this {\fg} as a component in its own right.
|
||||
%
|
||||
If we term {\bcs} as the components we start analysis with and components we have determined
|
||||
from functional groups as derived components, we can modularise the FMEA process.
|
||||
%
|
||||
If we start building {\fgs} from derived components we can start to build a modular
|
||||
hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
|
||||
allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
|
||||
|
||||
As all forms of FMEA are bottom-up processes, we start with the lowest or most basic components/parts.
|
||||
As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts.
|
||||
%and with their failure modes.
|
||||
% It is worth defining clearly the term part here.
|
||||
% Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus:
|
||||
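Review bot: the new sentence "As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts." leaves "the lowest or most basic components/parts" dangling after the second dash; "we start with {\bcs}, the lowest or most basic components/parts." reads as one sentence. In the same hunk, "If we term {\bcs} as the components we start analysis with" should drop "as" ("If we term {\bcs} the components ...").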
@ -64,9 +78,10 @@ As all forms of FMEA are bottom-up processes, we start with the lowest or most b
|
||||
\label{sec:determine_fms}
|
||||
In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail.
|
||||
A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124].
|
||||
Typically when choosing components for a design, we look at manufacturers' data sheets,
|
||||
which describe the environmental ranges and tolerances, and can indicate how a component may fail/behave
|
||||
under certain conditions or environments.
|
||||
Typically when choosing components for a design, we look at manufacturers' data sheets
|
||||
which describe functionality and dimensions
|
||||
and also describe environmental ranges and tolerances, and can indicate how a component may fail/misbehave
|
||||
under given conditions.
|
||||
%
|
||||
How base components could fail internally, is not of interest to an FMEA investigation.
|
||||
The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its
|
||||
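Review bot: the trailing context line "How base components could fail internally, is not of interest to an FMEA investigation." still spells out "base components" where the rest of this commit switches to the `{\bcs}` macro, and has a stray comma before "is"; suggest "How {\bcs} could fail internally is not of interest ..." for consistency with the lines being changed above it.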
@ -83,15 +98,20 @@ are examined.
|
||||
|
||||
FMD-91 is a reference document released into the public domain by the United States DOD
|
||||
and describes `failures' of common electronic components, with percentage statistics for each failure.
|
||||
%
|
||||
FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation.
|
||||
%
|
||||
FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of
|
||||
component {\fms} suitable for use in FMEA.
|
||||
%
|
||||
A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for
|
||||
component types but does not detail specific failure modes.
|
||||
Used in conjunction with FMD-91, we can determine statistics for the failure modes
|
||||
of component types. The FMEDA process from European standard EN61508~\cite{en61508} for instance,
|
||||
requires statistics for Meantime to Failure (MTTF)
|
||||
for all part failure modes.
|
||||
%
|
||||
Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes
|
||||
of component types.
|
||||
%
|
||||
The FMEDA process from European standard EN61508~\cite{en61508} for instance,
|
||||
requires statistics for Meantime to Failure (MTTF) for all {\bc} failure modes.
|
||||
|
||||
|
||||
% One is from the US military document FMD-91, where internal failures
|
||||
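Review bot: the document name is written two ways in this hunk, "MIL-1991~\cite{mil1991}" in the context and "Using MIL1991 in conjunction with FMD-91" in the added line; pick one form. "Meantime to Failure (MTTF)" in the new line should be "Mean Time To Failure (MTTF)", which is what the abbreviation expands to.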
@ -127,8 +147,8 @@ European burner standard EN298.
|
||||
\paragraph{Resistor failure modes according to FMD-91.}
|
||||
|
||||
|
||||
The resistor is a ubiquitous component in electronics, and is therefore a prime
|
||||
example for examining its failure modes.
|
||||
The resistor is a ubiquitous component in electronics, and is therefore a good candidate for detailed examination of its failure modes.
|
||||
%
|
||||
FMD-91\cite{fmd91}[3-178] lists many types of resistor
|
||||
and lists many possible failure causes.
|
||||
For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes:
|
||||
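Review bot: the context line "FMD-91\cite{fmd91}[3-178] lists many types of resistor" is missing the tie before the citation (`FMD-91~\cite{fmd91}`) used everywhere else in this file, so the citation mark can be separated from "FMD-91" by a line break.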
@ -158,8 +178,9 @@ to {\fms} thus:
|
||||
\item Lead damage 1.9\% $\mapsto$ OPEN.
|
||||
\end{itemize}
|
||||
The main causes of drift are overloading of components.
|
||||
This is borne out in entry~\cite{fmd91}[232] for a resistor network where the failure
|
||||
This is borne out in in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure
|
||||
modes do not include drift.
|
||||
%
|
||||
If we can ensure that our resistors will not be exposed to overload conditions, drift (sometimes called parameter change)
|
||||
can be reasonably excluded.
|
||||
|
||||
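Review bot: the new line "This is borne out in in the FMD-91~\cite{fmd91}[232] entry" has a doubled "in in".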
@ -172,7 +193,7 @@ of all electronic components~\cite{en298}[11.2 5] as part of the certification p
|
||||
Annex A of EN298, prescribes failure modes for common components
|
||||
and guidance on determining sets of failure modes for complex components (i.e. integrated circuits).
|
||||
EN298~\cite{en298}[Annex A] (for most types of resistor)
|
||||
only requires that the failure mode OPEN be considered in FMEA analysis.
|
||||
only requires that the failure mode OPEN be considered for FMEA analysis.
|
||||
%
|
||||
For resistor types not specifically listed in EN298, the failure modes
|
||||
are considered to be either OPEN or SHORT.
|
||||
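Review bot: "only requires that the failure mode OPEN be considered for FMEA analysis." expands to "Failure Mode Effects Analysis analysis"; "be considered in FMEA" (the wording being replaced, minus "analysis") avoids the repetition.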
@ -243,7 +264,7 @@ The symptom for this is given as a low slew rate. This means that the op-amp
|
||||
will not react quickly to changes on its input terminals.
|
||||
This is a failure symptom that may not be of concern in a slow responding system like an
|
||||
instrumentation amplifier. However, where higher frequencies are being processed,
|
||||
a signal may be lost.
|
||||
a signal may entirely be lost.
|
||||
We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$.
|
||||
|
||||
\paragraph{No Operation - over stress}
|
||||
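Review bot: the new wording "a signal may entirely be lost." has the adverb in an unnatural position; "a signal may be entirely lost." is the usual order.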
@ -272,8 +293,8 @@ EN298 does not specifically define OP\_AMPS failure modes; these can be determi
|
||||
by following a procedure for `integrated~circuits' outlined in
|
||||
annex~A~\cite{en298}[A.1 note e].
|
||||
This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios.
|
||||
We examine these failure scenarios on the dual packaged $LM358$ %\mu741$
|
||||
and determine its {\fms}.
|
||||
We examine these failure scenarios on the dual packaged $LM358$~\cite{lm358}%\mu741$
|
||||
and determine its {\fms} in table ~\ref{tbl:lm358}.
|
||||
|
||||
|
||||
|
||||
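Review bot: in the new line "and determine its {\fms} in table ~\ref{tbl:lm358}." the space before `~` defeats the tie, leaving an ordinary breakable space plus a non-breaking one; write `table~\ref{tbl:lm358}`. Also note that `$LM358$~\cite{lm358}%\mu741$` relies on the `%` swallowing the line end, which is fine, but the commented-out `\mu741$` fragment is dead text that could be dropped.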
@ -336,7 +357,7 @@ and determine its {\fms}.
|
||||
|
||||
\hline
|
||||
\end{tabular}
|
||||
\label{tbl:pd}
|
||||
\label{tbl:lm358}
|
||||
\end{table}
|
||||
|
||||
|
||||
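Review bot: renaming `\label{tbl:pd}` to `\label{tbl:lm358}` will break any `\ref{tbl:pd}` that still points at this table, and if a separate potential divider table is meant to carry `tbl:pd` it now has no label; grep the chapter for `tbl:pd` before merging.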
@ -398,7 +419,7 @@ component {\fms} in FMEA or FMMD and require interpretation.
|
||||
|
||||
\section{ FMMD overview}
|
||||
|
||||
In the next sections we apply FMMD to example electronic circuits.
|
||||
In the next sections we apply FMMD to example electronic circuits, analogue/digital and electronic/software hybrids.
|
||||
The basic principles of FMMD are presented here for clarity.
|
||||
|
||||
\paragraph{ Creating a fault hierarchy.}
|
||||
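Review bot: `\section{ FMMD overview}` and `\paragraph{ Creating a fault hierarchy.}` both carry a leading space inside the braces, which shows up as extra indentation in the table of contents and running heads; remove the spaces. The new sentence listing "analogue/digital and electronic/software hybrids" matches the chapter introduction changed earlier in this commit.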
@ -445,7 +466,7 @@ The ways in which the amplifier can be affected are its symptoms.
|
||||
When we have determined the symptoms, we can
|
||||
create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
|
||||
We can now treat $AMP1$ as a pre-analysed, higher level component.
|
||||
The amplifier is an abstract concept, in terms of the components.
|
||||
%The amplifier is an abstract concept, in terms of the components.
|
||||
To a make an `amplifier' we have to connect a a group of components
|
||||
in a specific configuration. This specific configuration corresponds to
|
||||
a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
|
||||
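Review bot: the context line "To a make an `amplifier' we have to connect a a group of components" contains two duplicated words ("To a make", "a a group") that survive this hunk; since the adjacent sentence is being commented out here, fixing these in the same change would be natural.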
@ -469,7 +490,7 @@ mode model of the system under investigation.
|
||||
|
||||
\begin{figure}[h]
|
||||
\centering
|
||||
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
|
||||
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
|
||||
% tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
|
||||
\caption{FMMD Hierarchy showing ascending abstraction levels}
|
||||
\label{fig:treeabslev}
|
||||
@ -615,7 +636,7 @@ and then combining it with the OPAMP failure mode model.
|
||||
The second is to place all three components in a {\fg}.
|
||||
Both approaches are followed in the next two sub-sections.
|
||||
|
||||
\subsection{Inverting OPAMP using a Potential Divider {\dc}}
|
||||
\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
|
||||
|
||||
We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative.
|
||||
We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'.
|
||||
@ -672,7 +693,10 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis}
|
||||
$$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$
|
||||
|
||||
|
||||
\subsection{Inverting OP-AMP analysing with three components in one {\fg}}
|
||||
\subsection{Second Approach: Inverting OP-AMP analysing with three components in one larger {\fg}}
|
||||
|
||||
Here we analyse the same problem without using an intermediate $PD$
|
||||
derived component.
|
||||
|
||||
%We can use this for a more general case, because we can examine the
|
||||
%effects on the circuit for each operational case (i.e. input +ve
|
||||
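Review bot: the new subsection title "Second Approach: Inverting OP-AMP analysing with three components in one larger {\fg}" is ungrammatical; "Inverting OP-AMP analysed with three components in one larger {\fg}" (or "analysis with") parallels the "First Approach" title.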
@ -706,7 +730,7 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis}
|
||||
|
||||
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline
|
||||
|
||||
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline
|
||||
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline
|
||||
|
||||
FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
|
||||
\hline
|
||||
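Review bot: the FS7 row now maps the symptom to `LOW` but still names the failure effect `$INVAMP_{nogain}$`, so the row reads as "no gain" in one column and "low" in the other; either rename the effect or keep `NO GAIN` so the table and the collapsed failure-mode set stay consistent. The FS8 row's `$ slow output \frac{\delta V}{\delta t} $` sets the words "slow output" in math italics with no spacing; `\mbox{slow output}` or `\text{}` would typeset them correctly.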
@ -715,7 +739,7 @@ This gives the same results as the analysis from figure~\ref{fig:invampanalysis}
|
||||
\end{table}
|
||||
|
||||
|
||||
$$ fm(INVAMP) = \{ HIGH, LOW, NO GAIN, LOW PASS \} $$
|
||||
$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$
|
||||
|
||||
|
||||
%Much more general. OUT OF RANGE symptom maps to many component failure modes.
|
||||
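Review bot: `$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$` now agrees in content with the first approach's `$$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$`, but the two sets use different spellings (uppercase versus lowercase, "LOW PASS" with a space in math mode); use one naming convention so the claim that both approaches give the same result is visibly true.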
@ -763,9 +787,9 @@ and for the second analysis a CC of $8.(3-2)=16$.
|
||||
\end{figure}
|
||||
|
||||
|
||||
The amplifier in figure~\ref{fig:circuit1} amplifies the difference between
|
||||
The circuit in figure~\ref{fig:circuit1} amplifies the difference between
|
||||
the input voltages $+V1$ and $+V2$.
|
||||
It would be desirable to represent this circuit as a derived component called say $DiffAMP$.
|
||||
It would be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
|
||||
We begin by identifying functional groups from the components in the circuit.
|
||||
|
||||
|
||||
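Review bot: "a {\dc} called say $DiffAMP$" needs commas around the interjection ("called, say, $DiffAMP$"), and `$DiffAMP$` in math mode is typeset as a product of italic letters; `\textit{DiffAMP}` or a dedicated macro would match how other component names are set.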
@ -868,7 +892,7 @@ The first amplifier was grounded and received as input `+V1' (presumably
|
||||
a positive voltage).
|
||||
This means the junction of R1 R3 is always +ve.
|
||||
This means the input voltage `+V2' could be lower than this.
|
||||
This means R3 R4 is not a potential divider, with R4 being on the positive side.
|
||||
This means R3 R4 is not a fixed potential divider, with R4 being on the positive side.
|
||||
It could be on either polarity (i.e. the other way around R4 could be the negative side).
|
||||
Here it is more intuitive to model the resistors not as a potential divider, but individually.
|
||||
%This means we are either going to
|
||||
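Review bot: three consecutive sentences in this hunk open with "This means", including the changed line "This means R3 R4 is not a fixed potential divider"; varying the openers ("Therefore", "So") or merging the sentences would help. "R3 R4" also lacks a connective ("R3 and R4").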
@ -954,12 +978,13 @@ We now create a derived component to represent the circuit in figure~\ref{fig:ci
|
||||
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$
|
||||
|
||||
|
||||
Its interesting here to note that we can draw a directed graph (figure~\ref{fig:circuit1_dag})
|
||||
We draw a directed graph (figure~\ref{fig:circuit1_dag})
|
||||
of the failure modes and derived components.
|
||||
%
|
||||
Using this we can trace any top level fault back to
|
||||
a component failure mode that could have caused it.
|
||||
In fact we can re-construct an FTA diagram from the information in this graph.
|
||||
We merely have to choose a top level event and work down using $XOR$ gates.
|
||||
a component failure mode that could have caused it\footnote{ In fact we can
|
||||
re-construct an FTA diagram from the information in this graph.
|
||||
We merely have to choose a top level event and work down using $XOR$ gates.}.
|
||||
|
||||
This circuit performs poorly from a safety point of view.
|
||||
Its failure modes could be indistinguishable from valid readings (especially
|
||||
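Review bot: the new footnote `\footnote{ In fact we can` opens with a stray space and is attached before the sentence's full stop ("caused it\footnote{...}."); the usual convention is to place the footnote mark after the punctuation, i.e. "caused it.\footnote{...}".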
@ -973,13 +998,14 @@ when it becomes a V2 follower).
|
||||
\label{fig:circuit1_dag}
|
||||
\end{figure}
|
||||
|
||||
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is currently impossible to detect---
|
||||
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is impossible to detect in this circuit---
|
||||
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508
|
||||
terminology is called an undetectable fault.
|
||||
%
|
||||
Were this failure to have safety implications this FMMD analysis will have revealed
|
||||
the un-observability and prompt re-design of this
|
||||
the un-observability and would likely prompt re-design of this
|
||||
circuit\footnote{A typical way to solve an un-observability such as this is
|
||||
to periodically switch test signals in place of the input signal}
|
||||
to periodically switch in test signals in place of the input signal.}
|
||||
.
|
||||
|
||||
\clearpage
|
||||
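Review bot: the full stop left on its own line after `circuit\footnote{...input signal.}` will typeset as "circuit^1 ." with a space before the period; put the period directly after the closing brace (or move the footnote after it) and delete the stray line.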
@ -1030,7 +1056,7 @@ read its output signal.
|
||||
However, from a failure mode perspective we can analyse it in a very similar way
|
||||
to a potential divider (see section~\ref{potdivfmmd}).
|
||||
Capacitors generally fail OPEN but some types fail OPEN and SHORT.
|
||||
We will consider the latter type for this analysis.
|
||||
We will consider the worst case two failure mode model for this analysis.
|
||||
We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\
|
||||
|
||||
|
||||
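Review bot: "the worst case two failure mode model" needs hyphens to parse ("the worst-case two-failure-mode model"); it should also say which two modes are meant, since the preceding line names OPEN and SHORT only for "some types".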
@ -1309,7 +1335,7 @@ This consists of a resistor and a capacitor. We already have failure mode models
|
||||
we now need to see how these failure modes would affect the phase shifter. Note that the circuit here
|
||||
is identical to the low pass filter in circuit topology (see \ref{sec:lp}), but its intended use is different.
|
||||
We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}.
|
||||
|
||||
Our functional group for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$.
|
||||
|
||||
\begin{table}[h+]
|
||||
\caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table
|
||||
@ -1331,9 +1357,9 @@ We have to analyse this circuit from the perspective of it being a {\em phase~sh
|
||||
% PHS45
|
||||
|
||||
|
||||
$$ fm (PHS45) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$
|
||||
$$ fm (G_0) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$
|
||||
|
||||
$$ CC(PHS45) = 4.1 = 4 $$
|
||||
$$ CC(G_0) = 4.1 = 4 $$
|
||||
|
||||
\subsection{Non Inverting Buffer: NIBUFF.}
|
||||
|
||||
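Review bot: renaming `fm (PHS45)` and `CC(PHS45)` to `fm (G_0)` and `CC(G_0)` removes the only place where the derived component PHS45's failure mode set is stated, yet `PHS45^1_1` etc. are used later in the large functional group; keep a line that defines `fm(PHS45)` from `fm(G_0)` so the name is introduced. The product notation `4.1 = 4` is easily read as a decimal; `4 \times 1 = 4` is unambiguous.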
@ -1343,7 +1369,7 @@ We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this g
|
||||
$$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
|
||||
|
||||
Because we obtain the failure modes for $NIBUFF$ from the literature,
|
||||
its comparison complexity is zero.
|
||||
its comparison complexity is zero. In re-using {\dcs} we expend no extra analysis effort.
|
||||
$$ CC(NIBUFF) = 0 $$
|
||||
%\subsection{Forming a functional group from the PHS45 and NIBUFF.}
|
||||
|
||||
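Review bot: in the context line `\{L\_{up}, L\_{dn}, Noop, L\_slew \}` the escaped underscore prints a literal "_" rather than a subscript, unlike `$LOW_{slew}$` used earlier for the same failure mode; `L_{up}, L_{dn}, Noop, L_{slew}` would match. The added sentence "In re-using {\dcs} we expend no extra analysis effort." is a good clarification of why CC is zero.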
@ -1360,11 +1386,14 @@ Initially we use the first identified {\fgs} to create our model without further
|
||||
|
||||
\subsection{FMMD Analysis using initially identified functional groups}
|
||||
|
||||
Our functional group for this analysis can be expressed thus:
|
||||
$$ G^1_0 = PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} .$$
|
||||
|
||||
\begin{figure}[h+]
|
||||
\centering
|
||||
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png}
|
||||
% largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
|
||||
\caption{Bubba Oscillator: One final large functional group.}
|
||||
\caption{Bubba Oscillator: One large functional group using the initial functional groups to model oscillator.}
|
||||
\label{fig:poss1finalbubba}
|
||||
\end{figure}
|
||||
|
||||
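Review bot: the set in the context line `$$ G^1_0 = PHS45^1_1, ... NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} .$$` has no opening `\{` and is missing the comma between `NIBUFF^0_3` and `PHS45^1_4`; this will compile but render as an unbalanced brace. The new caption wording "using the initial functional groups to model oscillator" needs "the" before "oscillator".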
@ -1433,7 +1462,7 @@ $$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}, LO_{fosc} \} . $$
|
||||
For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}.
|
||||
$$ CC = 28.8 = 224$$
|
||||
|
||||
To obtain the total comparison complexity $TCC$, we need to add the complexity from the
|
||||
To obtain the total comparison complexity ($TCC$), we need to add the complexity from the
|
||||
{\dcs} that $BubbaOscillator$ was built from.
|
||||
|
||||
$$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$
|
||||
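Review bot: `$$ CC = 28.8 = 224$$` and `$$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$` use "." for multiplication, so they read as decimals 28.8 and 4.0; `28 \times 8` (or `\cdot`) makes the arithmetic (224 + 16 + 0 + 10 = 250) visibly correct.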
@ -1442,9 +1471,11 @@ $$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$
|
||||
%$3.4=12$ from this result, because the results from $BUFF45$ have been used four times.
|
||||
Traditional FMEA would have lead us to a much higher comparison complexity
|
||||
of $468$ failure modes to check against components.
|
||||
The analysis here appears top-heavy; we should be able to refine the model more
|
||||
However, the analysis here appears top-heavy; we should be able to refine the model more
|
||||
and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully
|
||||
this should lead a further reduction in the complexity comparison figure.
|
||||
By de-creasing the size of the modules with further refinement,
|
||||
we may also discover new derived components that may be of use for other analyses in the future.
|
||||
|
||||
|
||||
|
||||
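Review bot: "Traditional FMEA would have lead us" should be "led us"; "this should lead a further reduction" is missing "to"; and "de-creasing" should be "decreasing". These are context lines but sit in the paragraph being edited here.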
@ -1693,13 +1724,16 @@ a mixed analogue and digital feedback circuit.
|
||||
A summing junction and integrator is used to compare the negative feedback
|
||||
signal with the input.
|
||||
%
|
||||
The output of the integrator is digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic)
|
||||
which acts as a comparator, and fed to the D type flip flop.
|
||||
The output of the integrator is converted to a digital level (by IC2)
|
||||
%digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic)
|
||||
%which acts as a comparator,
|
||||
and fed to the D type flip flop.
|
||||
%
|
||||
The output of the flip flop forms a bit pattern representing the value
|
||||
of the input voltage.
|
||||
%
|
||||
The output of the flip flop, is now level converted to an analogue signal
|
||||
The output of the flip flop is also routed to the feedback.
|
||||
It is level converted to an analogue signal
|
||||
(i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage)
|
||||
and fed into the summing integrator completing the negative feedback loop.
|
||||
|
||||
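Review bot: "The output of the flip flop is also routed to the feedback." is incomplete ("to the feedback path" or "loop"); and since "fed to the D type flip flop" now follows a commented-out block, check the rendered paragraph still reads as one sentence ("converted to a digital level (by IC2) and fed to the D type flip flop.").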
@ -1743,6 +1777,7 @@ This can be our first {\fg} and we analyse it in table~\ref{tbl:suml=j}.
|
||||
$$G^0_1 = \{R1, R2 \}$$
|
||||
|
||||
\begin{table}[h+]
|
||||
\center
|
||||
\caption{R1,R2 Summing Junction: Failure Mode Effects Analysis} % title of Table
|
||||
\label{tbl:sumj}
|
||||
|
||||
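Review bot: `\center` inside the table float is the internal command behind the `center` environment and adds the environment's vertical space; the intended declaration for centring a float's contents is `\centering`.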
@ -1785,6 +1820,7 @@ The buffered integrator is analysed in table~\ref{tbl:intg}.
|
||||
|
||||
|
||||
\begin{table}[h+]
|
||||
\center
|
||||
\caption{IC1,C1,IC2 Buffered Integrator: Failure Mode Effects Analysis} % title of Table
|
||||
\label{tbl:intg}
|
||||
|
||||
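Review bot: same point as the summing-junction table: use `\centering` rather than `\center` inside `\begin{table}`.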
@ -1849,6 +1885,7 @@ We now analyse the {\fg} $G^1$ in table~\ref{tbl:DS2AS}.
|
||||
%$$ fm (BFINT) = \{ HIGH, LOW, NO\_INTEGRATION , LOW\_SLEW \} $$
|
||||
|
||||
\begin{table}[h+]
|
||||
\center
|
||||
\caption{$PD^1, IC3$ Digital level to analogue level converter: Failure Mode Effects Analysis} % title of Table
|
||||
\label{tbl:DS2AS}
|
||||
|
||||
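Review bot: `\center` should be `\centering` here as well; the caption's `$PD^1, IC3$` also sets the comma in math mode, so "PD^1, IC3" would read better as `$PD^1$, $IC3$`.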
@ -2387,7 +2424,7 @@ out by considering the voltage reading over $R_3$ to be relative.
|
||||
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
|
||||
One or other of the load resistors (the one we measure current over) should also
|
||||
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
|
||||
accuracy of $\pm 1\%$. Higher accuracy parts may be specified}
|
||||
accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
|
||||
%
|
||||
The \ohms{2k2} loading resistors should have a good temperature co-effecient
|
||||
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
|
||||
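Review bot: the footnote now ends with its own period before the closing brace and the sentence period follows, which is the right order. In the trailing context, "temperature co-effecient" should be "coefficient", and `$\leq \; 50(ppm)\Delta R \propto \Delta \oc $` mixes a unit into the expression; `50\,\mathrm{ppm}` (with the ppm outside the comparison) would be clearer.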
@ -3103,7 +3140,7 @@ and traceable way. Each function is subject to pre-conditions (constraints on it
|
||||
post-conditions (constraints on its outputs) and function wide invariants (rules).
|
||||
|
||||
|
||||
\paragraph{Mapping contract `pre-condition' violations to failure modes}
|
||||
\paragraph{Mapping contract `pre-condition' violations to failure modes.}
|
||||
|
||||
A precondition, or requirement for a contract software function
|
||||
defines the correct ranges of input conditions for the function
|
||||
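Review bot: adding the period to `\paragraph{Mapping contract `pre-condition' violations to failure modes.}` is consistent with the other run-in headings, but the body text that follows says "A precondition" without the hyphen; use one spelling throughout.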
@ -3113,13 +3150,13 @@ For a software function, a violation of a pre-condition is
|
||||
in effect a failure mode of `one of its components'.
|
||||
|
||||
|
||||
\paragraph{Mapping contract `post-condition' violations to symptoms}
|
||||
\paragraph{Mapping contract `post-condition' violations to symptoms.}
|
||||
|
||||
A post condition is a definition of correct behaviour by a function.
|
||||
A violated post condition is a symptom of failure of a function.
|
||||
Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function.
|
||||
|
||||
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes}
|
||||
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes.}
|
||||
|
||||
Invariants in contract programming may apply to inputs to the function (where they can be considered {\fms} in FMMD terminology),
|
||||
and to outputs (where they can be considered {failure symptoms} in FMMD terminology).
|
||||
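Review bot: the headings now use `post-condition' and `invariant' with hyphen and quotes, while the body has "A post condition" and "A violated post condition" unhyphenated; align the spelling. The `{failure symptoms}` in the last context line is wrapped in braces with no macro, which does nothing; either `{\em failure symptoms}` or plain text was probably intended.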
@ -3135,18 +3172,18 @@ Usually, $4mA$ represents a zero or starting value and $20mA$ represents the ful
|
||||
and this is referred to as {\ft} signalling.
|
||||
%
|
||||
{\ft} has a an electrical advantage as well, because the current in a loop is constant~\cite{aoe}[p.20]
|
||||
resistance in the wires between the source and the receiving end is not an issue
|
||||
resistance in the wires between the source and receiving end is not an issue
|
||||
that can alter the accuracy of the signal.
|
||||
%
|
||||
This circuit has many advantages for safety. If the signal becomes disconnected
|
||||
it reads an out of range $0mA$ at the receiving end. This is outside the {\ft} range,
|
||||
and is therefore easy to detect as an error rather than an incorrect value.
|
||||
it reads $0mA$ at the receiving end: as this is outside the {\ft} range
|
||||
it is easy to detect as an error condition rather than an incorrect value.
|
||||
%
|
||||
Should the driving electronics go wrong at the source end, it will usually
|
||||
supply far too little or far too much current, making an error condition easy to detect.
|
||||
supply far too little or far too much current, also making error conditions easy to detect.
|
||||
%
|
||||
At the receiving end, we only require one simple component to convert the
|
||||
current signal into a voltage that we can read with an ADC: the humble resistor!
|
||||
current signal into a voltage that we can read with an ADC: a resistor. % the humble resistor!
|
||||
|
||||
|
||||
%BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP
|
||||
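Review bot: "{\ft} has a an electrical advantage" has a doubled article, and "the current in a loop is constant~\cite{aoe}[p.20] resistance in the wires" runs two clauses together with no connective; a colon or "so" after the citation fixes it. The new "it reads $0mA$ at the receiving end: as this is outside the {\ft} range" should set the unit upright with a thin space (`0\,\mathrm{mA}`) to match unit typesetting elsewhere.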
@ -3184,7 +3221,7 @@ Our acceptable voltage range is therefore
|
||||
|
||||
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
|
||||
|
||||
This voltage range forms our input requirement.
|
||||
This voltage range forms our input requirement and can be considered as an invariant condition.
|
||||
%
|
||||
We can now examine a software function that performs a conversion from the voltage read to
|
||||
a per~mil representation of the {\ft} input current.
|
||||
@ -3363,6 +3400,7 @@ With these failure modes, we can analyse our first functional group, see table~\
|
||||
{
|
||||
\tiny
|
||||
\begin{table}[h+]
|
||||
\center
|
||||
\caption{$G_1$: Failure Mode Effects Analysis} % title of Table
|
||||
\label{tbl:cmatv}
|
||||
|
||||
|
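Review bot: as with the other tables added in this commit, `\center` inside the float should be `\centering`; the enclosing `{ \tiny ... }` group also needs its closing brace after `\end{table}`, which is outside this hunk, so verify it is there.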