\ifthenelse {\boolean{paper}}
{
\abstract{
This paper describes how the FMMD methodology can be used to refine safety critical designs
and identify undetectable faults. Used in this way, it is a design aid, giving the user the
possibility to model a system from the perspective of its failure mode behaviour.
}
}
{
\section{Introduction}
This chapter describes how the FMMD methodology can be used to examine safety critical designs
and identify undetectable faults. Used in this way, it is a design aid, giving the user the
possibility to refine/correct a {\dc} from the perspective of its failure mode behaviour.
}

\section{How FMMD Analysis can reveal design flaws in failure mode detection}

A feature of FMMD analysis is the collection of components into a {\fg},
which is then analysed w.r.t. its failure mode behaviour, followed by symptom collection.
From the failure mode behaviour of the {\fg}, common symptoms are collected.
These common symptoms are in effect the failure mode behaviour of the {\fg}
viewed as a single entity, or a `black box' component.
From the analysis of the {\fg} we can create a {\dc}, where the failure modes
are the symptoms of the {\fg} we derived it from.
The symptoms will be detectable (like a value out of range) or undetectable
(like a logic state or value being incorrect).
The `undetectable' failure modes are the most worrying for the safety critical designer.
%It is these that are, generally the ones that stand out as single
%failure modes.
For instance, out of range values we know we can cope with; they are an obvious
error condition that will be detected by any modules using the {\dc}.
An undetectable failure mode will introduce errors into a SYSTEM.

\subsection{Iterative Design}

By applying FMMD analysis to a {\fg} we can determine which failure modes
of a {\dc} are detectable, and which are undetectable.
We can then either modify the circuit and iteratively apply FMMD to the design again,
or we could add another {\fg} that specifically tests for the undetectable conditions.

This \ifthenelse {\boolean{paper}} { paper } { chapter } describes a milli-volt amplifier
(see R18 in figure \ref{fig:mv1}), with an inbuilt safety\footnote{The `safety resistor' also acts
as a potential divider to provide a milli-volt offset. An offset is often required to allow for
negative readings from the milli-volt source being read.} resistor.
The circuit is analysed and it is found that all but one of the component failure modes are detectable.
We then design a circuit to test for the `undetectable' failure mode and analyse this with FMMD.
We then use both {\dcs} to form a {\fg} which we can call our `self testing milli-volt amplifier'.
We then analyse the {\fg} and the resultant {\dc} failure modes are discussed.

\section{An example: A Millivolt Amplifier}

\begin{figure}[h]
\centering
\includegraphics[width=200pt,bb=0 0 678 690,keepaspectratio=true]{./mv_opamp_circuit.png}
% mv_opamp_circuit.png: 678x690 pixel, 72dpi, 23.92x24.34 cm, bb=0 0 678 690
\caption{Milli-Volt Amplifier with Safety/Offset Resistor}
\label{fig:mv1}
\end{figure}

\subsection{Brief Circuit Description}

This circuit amplifies a milli-volt input by a gain of $\approx$ 184 ($\frac{150E3}{820}+1$).
An offset is applied to the input by R18 and R22 forming a potential divider of $\frac{820}{2.2E6+820}$.
With 5V applied as Vcc this gives an input offset of 1.86mV.
So the amplified offset is $\approx 342mV$.
We can determine the output of the amplifier by subtracting this amount from the reading.
We can also define an acceptable range for the readings.
This would depend on the milli-volt source, and also on the detectability of the error voltages.
EXPAND

\section{FMMD Analysis}

\begin{table}[h!]
\caption{Milli Volt Amplifier // Single Fault FMMD} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l||}
\hline \hline
\textbf{Test} & \textbf{Failure } & \textbf{Symptom } & \textbf{MTTF} \\
\textbf{Case} & \textbf{mode} & \textbf{ } & \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline \hline
TC:1 $R18$ SHORT & Amp plus input high & Out of range & 1.38 \\ \hline
TC:2 $R18$ OPEN & No Offset Voltage & Low reading & 12.42 \\ \hline \hline
TC:3 $R22$ SHORT & No offset voltage & Low reading & 1.38 \\ \hline
TC:4 $R22$ OPEN & Amp plus high input & Out of Range & 1.38 \\ \hline \hline
TC:5 $R26$ SHORT & No gain from amp & Out of Range & 1.38 \\
TC:6 $R26$ OPEN & Very high amp gain & Out of Range & 12.42 \\ \hline \hline
TC:7 $R30$ SHORT & Very high amp gain & Out of range & 1.38 \\
TC:8 $R30$ OPEN & No gain from amp & Out of Range & 12.42 \\ \hline \hline
TC:9 $OP\_AMP$ LATCH UP & high amp output & Out of range & 1.38 \\
TC:10 $OP\_AMP$ LATCH DOWN & low amp output & Out of Range & 12.42 \\ \hline
\end{tabular}
\label{tab:fmmdaide1}
\end{table}

Table \ref{tab:fmmdaide1} shows two possible causes for an undetectable error, that of a low reading
due to the loss of the offset millivolt signal.
Typically this type of circuit would be used to read a thermocouple, and this error symptom,
``LOW READING'', would mean our plant could believe that the temperature reading is lower than it actually is.
To take an example from a K type thermocouple, the offset of 1.86mV from the potential divider
represents about 46$^{\circ}$C.

\subsection{Undetected Failure Mode: Incorrect Reading}

Although statistically this failure is unlikely (get stats for R short FIT etc. from pt100 doc),
if the reading is considered critical, or we are aiming for a high integrity level, this may be unacceptable.
We will need to add some type of detection mechanism to the circuit to test $R_{off}$ periodically.
For instance were we to check $R_{off}$ every $\tau = 20ms$, work out detection allowance according to EN61508.

\section{Proposed Checking Method}

Were we to switch in a second resistor in parallel with the safety resistor $R_{safety}$,
using a switch (or transistor), we could detect the effect on the reading with the potential divider
according to the following formula.

\vspace{10pt}
Work out a pot div formula, and some typical values
\vspace{10pt}

\section{FMMD analysis of Safety Addition}

\section{FMMD Hierarchy, with milli-volt amp and safety addition}

Draw FMMD hierarchy diagram.

\subsection{Analysis of FMMD Derived component `added safety milli-volt amp'}

\section{Conclusions}

With safety addition reliability GOES DOWN! But safety goes UP! Work it out.
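The following Python example is added here and is not part of this chapter: it carries through the offset and gain figures from the circuit description, models the parallel-resistor check proposed above for a healthy divider and for each divider fault state, and totals the single-fault FIT figures from table \ref{tab:fmmdaide1}. The test resistor value, the 5\% tolerance and the fault models (0 $\Omega$ for a short, infinite resistance for an open) are assumptions.

```python
import math

# Component values given in the text (ohms / volts); R_TEST is ASSUMED for the check.
VCC = 5.0          # supply applied to the divider
R_OFF = 820.0      # safety / offset resistor (the 820 ohm leg of the divider)
R_TOP = 2.2e6      # upper divider resistor (the 2.2 Mohm leg)
R_FB, R_GAIN = 150e3, 820.0   # op-amp feedback and gain-setting resistors
R_TEST = 820.0     # ASSUMED: resistor switched in parallel with R_OFF by the check

def gain(r_fb=R_FB, r_gain=R_GAIN):
    """Non-inverting gain 150E3/820 + 1, about 184."""
    return r_fb / r_gain + 1.0

def parallel(r1, r2):
    """Parallel combination; math.inf models an open resistor."""
    if math.isinf(r1) or math.isinf(r2):
        return min(r1, r2)
    return r1 * r2 / (r1 + r2)

def divider_mv(r_off, r_top, vcc=VCC):
    """Offset at the amplifier '+' input in mV; 0 models a short, math.inf an open."""
    if math.isinf(r_top):
        return 0.0               # upper resistor open: input held at ground by R_OFF
    if math.isinf(r_off):
        return 1000.0 * vcc      # safety resistor open: input floats up to Vcc
    return 1000.0 * vcc * r_off / (r_top + r_off)

def offset_check(r_off, r_top, tol=0.05):
    """Proposed check: amplified offset with and without R_TEST switched in; the divider
    is judged healthy if the drop matches a healthy divider's drop (ASSUMED 5% tolerance)."""
    base = gain() * divider_mv(r_off, r_top)
    with_test = gain() * divider_mv(parallel(r_off, R_TEST), r_top)
    expected = gain() * (divider_mv(R_OFF, R_TOP) - divider_mv(parallel(R_OFF, R_TEST), R_TOP))
    return base, with_test, abs((base - with_test) - expected) <= tol * expected

# Single-fault FIT values (failures per 1e9 h) copied from the table; the two
# "Low reading" symptoms (TC:2, TC:3) are the undetectable ones.
TABLE_FIT = [(1.38, False), (12.42, True), (1.38, True), (1.38, False), (1.38, False),
             (12.42, False), (1.38, False), (12.42, False), (1.38, False), (12.42, False)]

def undetectable_share(fits=TABLE_FIT):
    """Total FIT of the amplifier and the fraction giving no detectable symptom."""
    total = sum(f for f, _ in fits)
    return total, sum(f for f, u in fits if u) / total

if __name__ == "__main__":
    for label, r_off, r_top in [("healthy", R_OFF, R_TOP), ("R_OFF short", 0.0, R_TOP),
                                ("R_TOP open", R_OFF, math.inf)]:
        print(label, offset_check(r_off, r_top))
    print("total FIT, undetectable fraction:", undetectable_share())
```

A lost offset leaves the amplified reading unchanged when the test resistor is switched in, which is what turns the ``Low reading'' symptom into a detectable one.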