robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

off to juggling, its 20:23

Browse Source
This commit is contained in:
Robin Clark 2011-03-16 20:23:36 +00:00
parent 7b8f2fadf8
commit f8dc65d9bf
1 changed files with 116 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
fmmd_design_aide/fmmd_design_aide.tex
View File

@ -5,51 +5,53 @@ paper
describes how the FMMD methodology can be used to refine describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable and dormant faults. safety critical designs and identify undetectable and dormant faults.
% %
Its uses an industry standard mill-volt amplifier As a working example, an industry standard mill-volt amplifier, intended for reading thermocouples,
circuit, intended for reading thermocouples. circuit is analysed.
It has an inbuilt safety resistor which allows it It has an inbuilt `safety~resistor' which allows it
to detect the thermocouple becoming disconnected/going OPEN. to detect the thermocouple becoming disconnected/going OPEN.
% %
This circuit is analysed from an FMMD perspective and This circuit is analysed from an FMMD perspective and
and two undetectable failure modes are identified. and two undetectable failure modes are identified.
A `safety check' circuit is then proposed and analysed. %
An additional `safety check' circuit is then proposed and analysed.
This has no undetectable failure modes, but does have one This has no undetectable failure modes, but does have one
`dormant' failure mode. `dormant' failure mode.
% %
This paper shows that once undetectable faults or dormant faults are discovered This paper shows that once undetectable faults or dormant faults are discovered
the design can be altered (or have a safety component added), and the FMMD analysis process re-applied. the design can be altered (or have a safety feature added), and the FMMD analysis process can then be re-applied.
This can be an iterative process applied until the This can be an iterative process applied until the
design has an acceptable level safety. % of dormant or undetectable failure modes. design has an acceptable level safety. % of dormant or undetectable failure modes.
% %
Used in this way, its is a design aide, giving the user Used in this way, its is a design aide, giving the user
the possibility to refine/correct a {\dc} from the perspective the possibility to refine a {\dc} from the perspective
of its failure mode behaviour. of its failure mode behaviour.
} }
} }
{ {
\section{Introduction} \section{Introduction}
This chapter This chapter
describes how the FMMD methodology can be used to examine describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable and dormant faults. safety critical designs and identify undetectable and dormant faults.
% %
Its uses an industry standard mill-volt amplifier As a working example, an industry standard mill-volt amplifier, intended for reading thermocouples,
circuit, intended for reading thermocouples. circuit is analysed.
It has an inbuilt safety resistor which allows it It has an inbuilt `safety~resistor' which allows it
to detect the thermocouple becoming disconnected/going OPEN. to detect the thermocouple becoming disconnected/going OPEN.
% %
This circuit is analysed from an FMMD perspective and This circuit is analysed from an FMMD perspective and
and two undetectable failure modes are identified. and two undetectable failure modes are identified.
A `safety check' circuit is then proposed and analysed. %
An additional `safety check' circuit is then proposed and analysed.
This has no undetectable failure modes, but does have one This has no undetectable failure modes, but does have one
`dormant' failure mode. `dormant' failure mode.
% %
This paper shows that once undetectable faults or dormant faults are discovered This paper shows that once undetectable faults or dormant faults are discovered
the design can be altered (or have a safety component added), and the FMMD analysis process re-applied. the design can be altered (or have a safety feature added), and the FMMD analysis process can then be re-applied.
This can be an iterative process applied until the This can be an iterative process applied until the
design has an acceptable level safety. % of dormant or undetectable failure modes. design has an acceptable level safety. % of dormant or undetectable failure modes.
% %
Used in this way, its is a design aide, giving the user Used in this way, its is a design aide, giving the user
the possibility to refine/correct a {\dc} from the perspective the possibility to refine a {\dc} from the perspective
of its failure mode behaviour. of its failure mode behaviour.
} }
@ -101,8 +103,8 @@ are the symptoms of the {\fg} we derived it from.
} }
% %
\paragraph{Undetectable failure modes.} \paragraph{Undetectable failure modes.}
The symptoms will be detectable (like a value out of range) Within a functional group failure symptoms will be detectable
or undetectable (like a logic state or value being incorrect). or undetectable.
The `undetectable' failure modes understandably, are the most worrying for the safety critical designer. The `undetectable' failure modes understandably, are the most worrying for the safety critical designer.
EN61058~\cite{en61508}, the statistically based failure mode European Norm, using ratios EN61058~\cite{en61508}, the statistically based failure mode European Norm, using ratios
of detected and undetected system failure modes to of detected and undetected system failure modes to
@ -206,12 +208,14 @@ Choosing the common Nickel-Chromium v. Nickel Aluminium `K' type thermocouple,
Multiplying these by 184 and adding the 1.86mV offset gives Multiplying these by 184 and adding the 1.86mV offset gives
342.24mV and 2563.12mV. This is now in a suitable range to be read by 342.24mV and 2563.12mV. This is now in a suitable range to be read by
an analogue digital converter, which will have a voltage span an analogue digital converter, which will have a voltage span
typically between 3.3V and 5V on modern micro-controllers/ADC (Analogue Digital Converter) chips. typically between 3.3V and 5V~\cite{pic18f2523}.% on modern micro-controllers/ADC (Analogue Digital Converter) chips.
Note that this also leaves a margin or error on both sides of the range. Note that this also leaves a margin or error on both sides of the range.
If the thermocouple were to become colder than {{0}\oc} it would supply If the thermocouple were to become colder than {{0}\oc} it would supply
a negative voltage, which would subtract from the offset. a negative voltage, which would subtract from the offset.
At around {{-47}\oc} the amplifier output would be zero; At around {{-47}\oc} the amplifier output would be zero;
but anything under 342.24mV is considered out of range. but anything under say 10mV is considered out of range\footnote{We need some negative range
to cope with cold junction compensation~\cite{aoe},
which is a subject beyond the scope of this paper}.
Thus the ADC can comfortably read out of range values Thus the ADC can comfortably read out of range values
but controlling software can determine it as invalid. but controlling software can determine it as invalid.
Similarly anything over 2563.12mV would be considered out of range Similarly anything over 2563.12mV would be considered out of range
@ -284,8 +288,8 @@ if the reading is considered critical, or we are aiming for a high integrity lev
this may be unacceptable. this may be unacceptable.
We will need to add some type of detection mechanism to the circuit to We will need to add some type of detection mechanism to the circuit to
test $R_{off}$ periodically. test $R_{off}$ periodically.
For instance were we to check $R_off$ every $\tau = 20mS$ work out detection %For instance were we to check $R_{off}$ every $\tau = 20mS$ work out detection
allowance according to EN61508~\cite{en61508}. %allowance according to EN61508~\cite{en61508}.
\section{Proposed Checking Method} \section{Proposed Checking Method}
@ -298,7 +302,7 @@ With the new resistor switched in we would expect
the voltage added by the potential divider the voltage added by the potential divider
to increase. to increase.
The circuit in figure \ref{fig:mvamp2} shows an FET transistor The circuit in figure \ref{fig:mvamp2} shows an bi-polar transistor % yes its menally ill and goes on mad shopping spreees etc
controlled by the `test line' connection, which can switch in the resitor R36 controlled by the `test line' connection, which can switch in the resitor R36
also with a value of \ohms{820}. also with a value of \ohms{820}.
@ -357,7 +361,7 @@ and the reading is assumed to be valid.
\centering % used for centering table \centering % used for centering table
\begin{tabular}{||l|l|c|l|c||} \begin{tabular}{||l|l|c|l|c||}
\hline \hline \hline \hline
\textbf{test line } & \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\ \textbf{test line } & \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \\ %\textbf{MTTF} \\
\textbf{status} & \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\ \textbf{status} & \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description % R & wire & res + & res - & description
\hline \hline
@ -373,16 +377,16 @@ $\overline{TEST\_LINE}$ OFF & TC:2 $R36$ OPEN & dormant failure
\hline \hline
% %
%% TR1 OFF so R36 should be in series. Because TR1 is ON because it is faulty, R36 is not in series %% TR1 OFF so R36 should be in series. Because TR1 is ON because it is faulty, R36 is not in series
$\overline{TEST\_LINE}$ LINE ON & TC:3 $TR1$ ALWAYS ON & No added resistance & NO TEST EFFECT & XX 1.38 \\ \hline $\overline{TEST\_LINE}$ LINE ON & TC:3 $TR1$ ALWAYS ON & No added resistance & NO TEST EFFECT & 3 \\ \hline
%% %%
%% TR1 ON R36 should be bypassed by TR1, and it is, but as TR1 is always on we have a dormant failure. %% TR1 ON R36 should be bypassed by TR1, and it is, but as TR1 is always on we have a dormant failure.
$\overline{TEST\_LINE}$ OFF & TC:3 $TR1$ ALWAYS ON & dormant failure & NO SYMPTOM & XX 1.38 \\ \hline $\overline{TEST\_LINE}$ OFF & TC:3 $TR1$ ALWAYS ON & dormant failure & NO SYMPTOM & 3 \\ \hline
%% %%
%% TR1 should be off as overline{TEST\_LINE}$ is ON. As TR1 is faulty it is always off and we have a dormant failure. %% TR1 should be off as overline{TEST\_LINE}$ is ON. As TR1 is faulty it is always off and we have a dormant failure.
$\overline{TEST\_LINE}$ LINE ON & TC:4 $TR1$ ALWAYS OFF & dormant failure & NO SYMPTOM & 1.38 \\ \hline $\overline{TEST\_LINE}$ LINE ON & TC:4 $TR1$ ALWAYS OFF & dormant failure & NO SYMPTOM & 8 \\ \hline
%% %%
%% TR1 should be ON, but is off due to TR1 failure. The resistance R36 will always be in series therefore %% TR1 should be ON, but is off due to TR1 failure. The resistance R36 will always be in series therefore
$\overline{TEST\_LINE}$ OFF & TC:4 $TR1$ ALWAYS OFF & resistance always added & NO TEST EFFECT & 1.38 \\ \hline $\overline{TEST\_LINE}$ OFF & TC:4 $TR1$ ALWAYS OFF & resistance always added & NO TEST EFFECT & 8 \\ \hline
\hline \hline
\end{tabular} \end{tabular}
\label{tab:testaddition} \label{tab:testaddition}
@ -502,23 +506,30 @@ giving an out of range reading from the op-amp output.
We can group `low~reading' with `out~of~range'. We can group `low~reading' with `out~of~range'.
The `low~reading' will now becomes either `no~test~effect' or `out~of~range' depending on the $\overline{TEST\_LINE}$ state. The `low~reading' will now becomes either `no~test~effect' or `out~of~range' depending on the $\overline{TEST\_LINE}$ state.
%
% NB: the calculate MTTF here we have to traverse down the DAG
% adding XOR conditions and multiplying AND conditions
% 16MAR2011
%
\begin{table}[h+] \begin{table}[h+]
\caption{Testable Milli Volt Amplifier Single Fault FMMD} % title of Table \caption{Testable Milli Volt Amplifier Single Fault FMMD} % title of Table
\centering % used for centering table \centering % used for centering table
\begin{tabular}{||l|c|l|c||} \begin{tabular}{||l|c|l|c||}
\hline \hline \hline \hline
\textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\ \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \\ % \textbf{MTTF} \\
\textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\ \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description % R & wire & res + & res - & description
\hline \hline
\hline \hline
TC:1 $testcircuit$ & open potential divider & Out of range & XX 1.38 \\ \hline TC:1 $testcircuit$ & open potential divider & Out of range & \\ \hline % XX 1.38 \\ \hline
\hline \hline
TC:2 $testcircuit$ & no test effect & no test effect & XX 1.38 \\ \hline TC:2 $testcircuit$ & no test effect & no test effect & \\ \hline % XX 1.38 \\ \hline
\hline \hline
TC:3 $mvamp$ & out of range & Out of Range & XX 1.38 \\ TC:3 $mvamp$ & out of range & Out of Range & \\ \hline % XX 1.38 \\
\hline \hline
TC:4 $mvamp$ & low reading & Out of range \& no test effect & XX 1.38 \\ TC:4 $mvamp$ & low reading & Out of range \& no test effect & \\ \hline % XX 1.38 \\
\hline \hline
\end{tabular} \end{tabular}
@ -598,6 +609,78 @@ and well within 50\% of its maximum voltage. We can also assume a benign
temperature environment of $ < 60^{o}C$. temperature environment of $ < 60^{o}C$.
MIL-HDBK-217F\cite{mil1992}[6-25] gives an exmaple MIL-HDBK-217F\cite{mil1992}[6-25] gives an exmaple
transistor in these environmental conditions, and assigns an FIT value of 11. transistor in these environmental conditions, and assigns an FIT value of 11.
%
The RAC failure mode distributuions manual~\cite{fmd91}[2-25] entry for
bi-polar transistors, gives a 0.73 probability of them failing shorted, and a 0.23 probability of them failing OPEN.
%
For this exmaple, we can therefore use a FIT value of 8 ($0.73 \times 11$) the transistor failing
SHORT and a FIT of 3 ($0.27 \times 11$) failing OPEN.
\subsection{Resistors}
\ifthenelse {\boolean{paper}}
{
The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor
is reproduced in equation \ref{resistorfit}. The meanings
and values assigned to its co-efficients are described in table \ref{tab:resistor}.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\fmodegloss
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
\label{resistorfit}
\end{equation}
\begin{table}[ht]
\caption{Fixed film resistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\em{Parameter} & \em{Value} & \em{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:resistor}
\end{table}
Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor}
give the following failures in ${10}^6$ hours:
\begin{equation}
0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours}
\label{eqn:resistor}
\end{equation}
While MIL-HDBK-217F gives MTTF for a wide range of common components,
it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses.
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example
compromises and uses a 90:10 ratio, for resistor failure.
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
temperatures up to 60\oc is given a probability of 13.8 failures per billion ($10^9$)
hours of operation (see equation \ref{eqn:resistor}).
This figure is referred to as a FIT\footnote{FIT values are measured as the number of
failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the
FIT number the more reliable the fault~mode} Failure in time.
}
{ % CHAPTER
Resistors for this example are considered to have a FIT of 13.8, and are expected to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
This is described in detail with supporting references in \ref{resistorfit}.
}
\section{Conclusions} \section{Conclusions}
@ -605,14 +688,12 @@ With the safety addition the undetectable failure mode of \textbf{low~reading}
disappears. disappears.
However, the overall reliability though goes down ! However, the overall reliability though goes down !
This is simply because we have more components that {\em can} fail. This is simply because we have more components that {\em can} fail.
%% Safety vs. reliability paradox. %% Safety vs. reliability paradox.
%The sum of the MTTF's for the original circuit is DAH, and for the new one
The sum of the MTTF's for the original circuit is DAH, and for the new one %DAH.
DAH. The circuit is arguably safer now The circuit is arguably safer now
but statistically less reliable. but statistically less reliable.
\paragraph{Practical side effect of checking for thermocouple disconnection} \paragraph{Practical side effect of checking for thermocouple disconnection}
Because the potential divider provides an offset as a side effect of detecting a disconnection Because the potential divider provides an offset as a side effect of detecting a disconnection