diff --git a/fmmd_design_aide/fmmd_design_aide.tex b/fmmd_design_aide/fmmd_design_aide.tex index 5f519b6..dc5fd36 100644 --- a/fmmd_design_aide/fmmd_design_aide.tex +++ b/fmmd_design_aide/fmmd_design_aide.tex @@ -7,8 +7,8 @@ safety critical designs and identify undetectable and dormant faults. % Once undetecable faults or dormant faults are discovered the design can be altered (or have a safety component added), and the FMMD analysis process re-applied. -This can be an iterative process which can be applied until the -design has an acceptable level of dormant or undetectable failure modes. +This can be an iterative process applied until the +design has an acceptable level safety. % of dormant or undetectable failure modes. % Used in this way, its is a design aide, giving the user the possibility to refine/correct a {\dc} from the perspective @@ -24,7 +24,7 @@ safety critical designs and identify undetectable and dormant faults. Once undetecable faults or dormant faults are discovered the design can be altered (or have a safety component added), and the FMMD analysis process re-applied. This can be an iterative process which can be applied until the -design has an acceptable level of dormant or undetectable failure modes. +design has an acceptable level of safety. % dormant or undetectable failure modes. % Used in this way, its is a design aide, giving the user the possibility to refine/correct a {\dc} from the perspective 
@@ -37,30 +37,48 @@ of its failure mode behaviour. \paragraph{Overview of FMMD Methodology} The principle of FMMD analysis is a four stage process, the collection of components into {\fg}s, -these are analysed w.r.t. their failure mode behaviour, -the failure mode behaviour is then viewed from the {\fg} perspective (i.e. as a symptom of the {\fg}), -the common symptoms are then collected. +which are analysed w.r.t. their failure mode behaviour, +the failure mode behaviour is then viewed from the +{\fg} perspective (i.e. as a symptoms of the {\fg}), +common symptoms are then collected. + % %From the failure mode behaviour of the {\fg} common symptoms are collected. -These common symptoms are in effect the failure mode behaviour of -the {\fg} viewed as a single entity, or a `black box' component. +These common symptoms are % in effect +the failure mode behaviour of +the {\fg} viewed as an % single +entity, or a `black box' component. +% From the analysis of the {\fg} we can create a {\dc}, where the failure modes are the symptoms of the {\fg} we derived it from. +% \paragraph{detectable and undetectable failure modes} The symptoms will be detectable (like a value of of range) or undetectable (like a logic state or value being incorrect). The `undetectable' failure modes are the most worrying for the safety critical designer. %It is these that are, generally the ones that stand out as single %failure modes. -For instance, out of range values, we know we can cope with; they -are an obvious error condition that will be detected by any modules -using the {\dc}. An undetecable failure mode will introduce +For instance, out of range values, are easy to detect by +systems using the {\dc} supplying them. +An undetectable faults are ones that forward incorrect information +where we have no way of validating or testing it. +% we know we can cope with; they +%are an obvious error condition that will be detected by any modules +%using the {\dc}. 
+% +An undetecable failure mode can introduce serious errors into a SYSTEM. + + + \paragraph{dormant faults} A dormant fault is one which can manifest its-self in conjuction with another failure mode becoming active, or an environmental condition changing (for instance temperature). Some component failure modes may lead to dormant failure modes. +By examining test cases from a functional group against all +input conditions and germane environmental conditions +we can determine the active failure mode conditions. \subsection{Iterative Design Example} @@ -86,7 +104,7 @@ are detectable. We then design a circuit to test for the `undetectable' failure mode and analyse this with FMMD. With both {\dcs} we then use them to form a {\fg} which we can call our `self testing milli-volt amplifier'. -We then analsye the {\fg} and the resultant {\dc} failure modes are discussed. +We then analsye the {\fg} and the resultant {\dc} failure modes/symptoms are discussed. \section{An example: A Millivolt Amplifier} \begin{figure}[h] @@ -162,11 +180,11 @@ we can represent this in an FMMD hierarchy diagram, see figure \ref{fig:mvamp_fm The table \ref{tab:fmmdaide1} shows two possible causes for an undetectable error, that of a low reading due to the loss of the offset millivolt signal. Typically this type of circuit would be used to read a thermocouple -and this erro symptom, "LOW READING" would mean our plant could +and this error symptom, `low\_reading' would mean our plant could beleive that the temperature reading is lower than it actually is. To take an example from a K type thermocouple, the offset of 1.86mV -from the potential divider represents amplified to -$\approx \, 342mV$ would represent $\approx \; 46\,^{\circ}{\rm C}$. +%from the potential divider represents amplified to +would represent $\approx \; 46\,^{\circ}{\rm C}$ \cite{eurothermtables} \cite{aoe}. \clearpage \subsection{Undetected Failure Mode: Incorrect Reading} 
@@ -182,23 +200,25 @@ allowance according to EN61508. \section{Proposed Checking Method} -Were we to able to switch a second resistor in parrallel with the -safety resistor and switch it out again, we could tet -that it is still functioning correctly. +Were we to able to switch a second resistor in series with the +820R resistor (R22) and switch it out again, we could test +that the safety resistor (R18) still functioning correctly. With the new resistor switched in we would expect the voltage added by the potential divider to increase. -The circuit in figure \ref{fig:mvamp2} shows an NPN transistor -controlled by the `test line' connection, which can switch in the resitor R30 -also with a value of \ohms{2.2M}. +The circuit in figure \ref{fig:mvamp2} shows an FET transistor +controlled by the `test line' connection, which can switch in the resitor R36 +also with a value of \ohms{820}. We could detect the effect on the reading with the potential divider according to the following formula. -The potential divider is now $\frac{820R}{1M1+820R}$ over 5V this gives +%% check figures +The potential divider is now $\frac{820R+820R}{2M2+820R+820R}$ over 5V this gives 3.724mV, amplified by 184 this is 0.685V \adcten{140}. +% The potential divider with the second resistor switched out is $\frac{820R}{2M2+820R}$ over 5V gives 1.86mV, amplified by 184 gives 0.342V \adcten{70}. @@ -210,7 +230,7 @@ we can apply the checking resistor and look for a corresponding change in the reading. Lets us analyse this in more detail to prove that we are indeed checking for -the failure of the safety resistor, and that we are not instroducing +the failure of the safety resistor, and that we are not introducing any new problems. First let us look at the new transistor and resistor and 
@@ -237,26 +257,31 @@ can be switched on to apply the test parallel resistance, and off to obtain the correct reading. % We must examine each test case from these two perspectives. +For TEST LINE ON the transistor is turned OFF +and we are in a test mode and expect the reading to go up by around \adcten{70}. +For TEST LINE OFF the tranistor is on and R36 is by-passed, +and the reading is assumed to be valid. \begin{table}[h+] \caption{Test Addition Single Fault FMMD} % title of Table \centering % used for centering table -\begin{tabular}{||l|c|l|c||} +\begin{tabular}{||l|l|c|l|c||} \hline \hline - \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\ - \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\ + \textbf{test line } & \textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\ + \textbf{status} & \textbf{Case} & \textbf{mode} & \textbf{ } & \\ % \textbf{per $10^9$ hours of operation} \\ % R & wire & res + & res - & description \hline \hline -ON TC:1 $R36$ SHORT & 5V on test line & reading out of range & 1.38 \\ \hline -OFF TC:1 $R36$ SHORT & N/A & NO SYMPTOM & 1.38 \\ \hline -ON TC:2 $R36$ OPEN & No parallel resistance & No test effect & 12.42\\ \hline -OFF TC:2 $R36$ OPEN & N/A & NO SYMPTOM & 12.42\\ \hline +%% OK TR1 OFF +TEST LINE ON & TC:1 $R36$ SHORT & No added resistance & NO TEST EFFECT & XX 1.38 \\ \hline +TEST LINE OFF & TC:1 $R36$ SHORT & dormant fault & NO SYMPTOM & XX 1.38 \\ \hline +TEST LINE ON & TC:2 $R36$ OPEN & open circuit & OPEN & XX 12.42\\ \hline +TEST LINE OFF & TC:2 $R36$ OPEN & open circuit & OPEN & XX 12.42\\ \hline \hline -ON TC:3 $TR1$ ALWAYS ON & N/A & NO SYMPTOM & 1.38 \\ \hline -OFF TC:3 $TR1$ ALWAYS ON & parallel resistance always & no test effect & 1.38 \\ \hline -ON TC:4 $TR1$ ALWAYS OFF & No parallel resistance & no test effect & 1.38 \\ \hline -OFF TC:4 $TR1$ ALWAYS OFF & N/A & NO SYMPTOM & 1.38 \\ \hline +TEST LINE ON & TC:3 $TR1$ ALWAYS ON & dormant 
fault & NO SYMPTOM & XX 1.38 \\ \hline +TEST LINE OFF & TC:3 $TR1$ ALWAYS ON & No added resistance & NO TEST EFFECT & XX 1.38 \\ \hline +TEST LINE ON & TC:4 $TR1$ ALWAYS OFF & resistance added failure & NO TEST EFFECT & XX 1.38 \\ \hline +TEST LINE OFF & TC:4 $TR1$ ALWAYS OFF & dormant fault & NO SYMPTOM & XX 1.38 \\ \hline \hline \end{tabular} \label{tab:testaddition} diff --git a/fmmd_design_aide/mv_opamp_circuit2.png b/fmmd_design_aide/mv_opamp_circuit2.png index 31150ef..aa06550 100644 Binary files a/fmmd_design_aide/mv_opamp_circuit2.png and b/fmmd_design_aide/mv_opamp_circuit2.png differ
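Review bot: in the first hunk (@@ -7,8) the new line "design has an acceptable level safety." is missing "of"; it should read "design has an acceptable level of safety.", which is also the wording the second hunk (@@ -24,7) uses for the same sentence, so the two copies currently disagree.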
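Review bot: the overview hunk (@@ -37,30) introduces two grammatical slips and keeps a misspelling in lines it touches. "(i.e. as a symptoms of the {\fg})" should be "as a symptom of the {\fg}"; "An undetectable faults are ones that forward incorrect information where we have no way of validating or testing it." should be "Undetectable faults are ones that forward incorrect information that we have no way of validating or testing."; and the added line "An undetecable failure mode can introduce" should spell "undetectable" as the preceding paragraph does. The inline "% in effect" and "% single" comments read fine in the output ("viewed as an entity"), but consider deleting the words rather than commenting them out so the source stays readable.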
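Review bot: in the hunk at @@ -86,7 the rewritten line still carries the typo "analsye"; since the line is being changed anyway, correct it to "We then analyse the {\fg} and the resultant {\dc} failure modes/symptoms are discussed."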
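Review bot: the "Proposed Checking Method" hunk (@@ -182,23) changes the test resistor from parallel to series but leaves a "%% check figures" TODO in place and two grammar errors in the modified lines. "Were we to able to switch" should be "Were we able to switch", and "that the safety resistor (R18) still functioning correctly" needs "is" ("is still functioning correctly"); "FET transistor" is redundant (FET already means field effect transistor) and "resitor R36" should be "resistor R36". The figures themselves check out, so the TODO can be removed: 5V * (820+820)/(2.2M+820+820) is 3.724mV, times 184 gives 0.685V, and 5V * 820/(2.2M+820) is 1.863mV, times 184 gives 0.343V, consistent with the \adcten{140} and \adcten{70} readings. Note that the unchanged context in the table hunk ("apply the test parallel resistance") still describes the old parallel arrangement and should be updated to match the series design.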
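Review bot: in the table hunk (@@ -237,26) the TC:3 and TC:4 rows appear inverted relative to the mapping the new prose states ("For TEST LINE ON the transistor is turned OFF ... For TEST LINE OFF the tranistor is on and R36 is by-passed"). Under that mapping, TR1 ALWAYS ON with TEST LINE OFF is indistinguishable from normal operation (dormant, NO SYMPTOM) while with TEST LINE ON it gives "No added resistance / NO TEST EFFECT", and TR1 ALWAYS OFF with TEST LINE ON is indistinguishable from the intended test state (dormant) while with TEST LINE OFF it adds the series resistance and produces a reading roughly \adcten{70} high; the rows currently state the opposite for both test cases, so please confirm which way round they should be. Similarly, for TEST LINE OFF the TC:2 row gives "open circuit / OPEN" even though the prose says R36 is by-passed in that state; if the transistor bridges R36, an open R36 would be masked (dormant) rather than visible, so check this against the topology in mv_opamp_circuit2.png. Before merging, the "XX" markers in every MTTF cell need resolving, "tranistor" should be "transistor", and the pre-existing `\begin{table}[h+]` placement specifier is not valid LaTeX (use `[h]`, `[ht]` or `[H]` with the float package).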