%%% Appendix for detailed workings out from CH5
\chapter{Detailed FMMD analyses}
For clarity, the detailed workings of the FMMD analysis stages in many of the examples in chapter 5 have been moved here for reference.
\section{Bubba Oscillator FMMD analyses}
Detailed workings of the FMMD for the Bubba Oscillator are presented below.
\subsection{PHS45 Detailed Analysis}
FMEA study of a resistor and capacitor in use as a phase changer.
\label{detail:PHS45}
\begin{table}[h+]
\center
\caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firstorderlp}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\
% & & \textbf{Low Pass Filter} & & \\
\textbf{Failure} & \textbf{$PHS45$ } & \textbf{Symptom} \\ % \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \\ % \textbf{Failure Mode} \\
\hline
FS1: R SHORT & 0 degrees of phase shift & $0\_phaseshift$ \\
% 90 degrees of phase shift & & $90\_phaseshift$
FS2: R OPEN & No Signal & $nosignal$ \\ \hline
FS3: C SHORT & Grounded, No Signal & $nosignal$ \\
FS4: C OPEN & 0 degrees of phase shift & $0\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
% PHS45
\clearpage
\subsection{Bubba Oscillator: One Large Functional Group: Detailed Analysis}
\label{detail:BUBOSC1}
\begin{table}[h+]
\caption{Bubba Oscillator: Failure Mode Effects Analysis: One Large Functional Group} % title of Table
\label{tbl:bubbalargefg}
\center
\begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Bubba} & & \textbf{Symptom} \\
% & & \textbf{Oscillator} & & \\
\textbf{Failure} & & \textbf{$BubbaOscillator$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline
FS1: $PHS45_1$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS3: $PHS45_1$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS3:
$NIBUFF_1$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS4: $NIBUFF_1$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS5: $NIBUFF_1$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS6: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS7: $PHS45_2$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS8: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
%FS10: $PHS45_2$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\
\hline
FS9: $NIBUFF_2$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS10: $NIBUFF_2$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS11: $NIBUFF_2$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS12: $NIBUFF_2$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS13: $PHS45_3$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS14: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS17: $PHS45_3$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS15: $NIBUFF_3$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS16: $NIBUFF_3$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS17: $NIBUFF_3$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS18: $NIBUFF_3$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS19: $PHS45_4$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS20: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS24: $PHS45_4$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS21: $INVAMP$ $OUTOFRANGE$ & & signal lost & & $NO_{osc}$ \\
FS22: $INVAMP$ $ZEROOUTPUT$ & & signal lost & & $NO_{osc}$ \\
FS23: $INVAMP$ $NOGAIN$ & & signal lost & & $NO_{osc}$ \\
FS24: $INVAMP$ $LOWPASS$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS1: $CAP_{10nF}$ $OPEN$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
% FS1: $CAP_{10nF}$ $SHORT$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from
table~\ref{tbl:bubbalargefg} it can be shown that for single failure modes, applying $fm$ to the Bubba oscillator gives two failure modes:
%
$$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$
%, LO_{fosc} \} . $$
\clearpage
\subsection{BUFF45: Detailed Analysis}
\label{detail:BUFF45}
\begin{table}[h+]
\caption{BUFF45: Failure Mode Effects Analysis} % title of Table
\label{tbl:buff45}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{BUFF45} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$BUFF45$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $0\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
%FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $90\_phaseshift$ \\ \hline
FS3: $NIBUFF_1$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS4: $NIBUFF_1$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS5: $NIBUFF_1$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS6: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:buff45}, a derived component $BUFF45$ is created which has the following failure modes:
$$ fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \} . $$
% 90\_phaseshift,
%
\clearpage
\subsection{PHS135BUFFERED: Failure Mode Effects Analysis} % title of Table
\label{detail:PHS135BUFFERED}
\begin{table}[h+]
\center
\caption{PHS135BUFFERED: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs135buffered}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{PHS135 Buffered} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$PHS135BUFFERED$ } & &\textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$
\\ \hline
%FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS3: $PHS45_2$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS4: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
% FS6: $PHS45_2$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS5: $PHS45_3$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS6: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
% FS9: $PHS45_3$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
%
%
Collecting symptoms from table~\ref{tbl:phs135buffered}, a derived component $PHS135BUFFERED$ is created which has the following failure modes:
$$ fm (PHS135BUFFERED) = \{ 90\_phaseshift, NO\_signal \} . $$
% 180\_phaseshift,
%
\clearpage
\subsection{PHS225AMP: Failure Mode Effects Analysis} % title of Table
\label{detail:PHS225AMP}
\begin{table}[h+]
\center
\caption{PHS225AMP: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{PHS225AMP} & & \textbf{Symptom} \\
% & & \textbf{Oscillator} & & \\
\textbf{Failure} & & \textbf{$PHS225AMP$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $180\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\ \hline
% FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $270\_phaseshift$ \\ \hline
FS3: $INVAMP$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS4: $INVAMP$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS5: $INVAMP$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS6: $INVAMP$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
%
Applying FMMD, a derived component $PHS225AMP$ is created which has the following failure modes:
$$ fm (PHS225AMP) = \{ 180\_phaseshift, NO\_signal \} .
%
% 270\_phaseshift,
$$
\clearpage
\subsection{BUBBAOSC: Failure Mode Effects Analysis} % title of Table
\label{detail:BUBBAOSC}
\begin{table}[h+]
\center
\caption{BUBBAOSC: Failure Mode Effects Analysis} % title of Table
\label{tbl:bubba2}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{BUBBAOSC} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$BUBBAOSC$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline
%FS1: $PHS135BUFFERED$ $180\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS1: $PHS135BUFFERED$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS2: $PHS135BUFFERED$ $90\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\ \hline
% FS4: $PHS225AMP$ $270\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS4: $PHS225AMP$ $180\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\
FS5: $PHS225AMP$ $NO\_signal$ & & lost signal & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
%
Collecting symptoms from table~\ref{tbl:bubba2}, a derived component $BUBBAOSC$ is created which has the following failure modes:
$$ fm (BUBBAOSC) = \{ HI_{osc}, NO\_signal \} .
% LO_{fosc},
$$
\clearpage
\section{Sigma Delta Detailed FMMD Analyses}
\subsection{FMMD Analysis of Summing Junction Integrator: SUMJINT}
\label{detail:SUMJINT}
\begin{table}[h+]
\center
\caption{Summing Junction Integrator($SUMJINT$): Failure Mode Effects Analysis} % title of Table
\label{tbl:sumjint}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$SUMJINT$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline\hline
FS1: $R1$ $OPEN$ & & $V_{in}$ dominates input & & $V_{in} DOM$ \\
FS2: $R1$ $SHORT$ & & $V_{fb}$ dominates input & & $V_{fb} DOM$ \\ \hline
FS3: $R2$ $OPEN$ & & $V_{fb}$ dominates input & & $V_{fb} DOM$ \\
FS4: $R2$ $SHORT$ & & $V_{in}$ dominates input & & $V_{in} DOM$ \\ \hline
FS5: $IC1$ $HIGH$ & & output perm. high & & HIGH \\
FS6: $IC1$ $LOW$ & & output perm. low & & LOW \\ \hline
FS7: $IC1$ $NOOP$ & & no current to drive C1 & & NO\_INTEGRATION \\
FS8: $IC1$ $LOW\_SLEW$ & & signal delay to C1 & & NO\_INTEGRATION \\ \hline
FS9: $C1$ $OPEN$ & & no capacitance & & NO\_INTEGRATION \\
FS10: $C1$ $SHORT$ & & no capacitance & & NO\_INTEGRATION \\ \hline
% \hline
% FS1: $IC2$ $HIGH$ & & output perm. high & & HIGH \\
% FS2: $IC2$ $LOW$ & & output perm.
% low & & LOW \\ \hline
% FS3: $IC2$ $NOOP$ & & no current drive & & LOW \\
% FS4: $IC2$ $LOW\_SLEW$ & & delayed signal & & LOW\_SLEW \\ \hline
% \hline
\hline
\end{tabular}
\end{table}
Collecting the {\dc} failure modes of $SUMJINT$ gives
$$\{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
\clearpage
\subsection{FMMD Analysis of High Impedance Signal Buffer : HISB}
\label{detail:HISB}
\begin{table}[h+]
\center
% \center
\caption{ High Impedance Signal Buffer : Failure Mode Effects Analysis} % title of Table
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$HISB$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline\hline
FS1: $IC2$ $HIGH$ & & output perm. high & & HIGH \\
FS2: $IC2$ $LOW$ & & output perm. low & & LOW \\
FS3: $IC2$ $NOOP$ & & no current to output & & $NOOP$ \\
FS4: $IC2$ $LOW\_SLEW$ & & delayed signal & & $LOW\_{SLEW}$ \\ \hline
\end{tabular}
\end{table}
% \hline
\clearpage
\subsection{FMMD Analysis of Digital level to analogue level converter : DL2AL}
\label{detail:DL2AL}
\begin{table}[h+]
\center
\caption{$PD , IC3$ Digital level to analogue level converter: Failure Mode Effects Analysis} % title of Table
\label{tbl:DL2AL}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$DL2AL$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline \hline
FS1: $PD $ $HIGH$ & & output perm. low & & LOW \\
FS2: $PD $ $LOW$ & & output perm. low & & HIGH \\ \hline \hline
FS3: $IC3$ $HIGH$ & & output perm. high & & HIGH \\
FS4: $IC3$ $LOW$ & & output perm. low & & LOW \\
FS5: $IC3$ $NOOP$ & & no current drive & & LOW \\
FS6: $IC3$ $LOW\_{SLEW}$ & & delayed signal & & $LOW\_{SLEW}$ \\ \hline
\hline
\end{tabular}
\end{table}
The symptoms of failure, i.e.
$\{ LOW, HIGH, LOW\_{SLEW} \}$ are collected.
\clearpage
\subsection{FMMD Analysis of Digital Buffer : DIGBUF}
\label{detail:DIGBUF}
\begin{table}[h+]
\center
\caption{$ IC4, CLOCK $ Digital Buffer: Failure Mode Effects Analysis} % title of Table
\label{tbl:digbuf}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$DIGBUF$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\
%$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
\hline \hline
FS1: $CLOCK$ $STOPPED$ & & buffer stopped & & STOPPED \\ \hline
FS2: $IC4$ $HIGH$ & & buffer stopped & & STOPPED \\
FS3: $IC4$ $LOW$ & & buffer stopped & & STOPPED \\
FS4: $IC4$ $NOOP$ & & no current drive & & LOW \\ \hline
\hline
\hline
\end{tabular}
\end{table}
The symptoms of failure, i.e.\ $\{ LOW, STOPPED \}$, are collected.
\clearpage
\subsection{FMMD Analysis of buffered integrating summing junction : BISJ}
\label{detail:BISJ}
\begin{table}[h+]
\caption{ $HISB , SUMJINT$ buffered integrating summing junction($BISJ$): Failure Mode Effects Analysis} % title of Table
\label{tbl:BISJ}
\begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$BISJ$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline \hline
FS1: $SUMJINT$ $V_{in} DOM$ & & output integral of $V_{in}$ & & $OUTPUT STUCK$ \\
FS2: $SUMJINT$ $V_{fb} DOM$ & & output integral of $V_{fb}$ & & $OUTPUT STUCK$ \\
% $$ fm(SUMJUINT^1_0) = \{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
FS3: $SUMJINT$ $NO\_INTEGRATION$ & & output stuck high or low & & $OUTPUT STUCK$ \\
FS4: $SUMJINT$ $HIGH$ & & output stuck high & & $OUTPUT STUCK$ \\
FS5: $SUMJINT$ $LOW$ & & output stuck low & & $OUTPUT STUCK$ \\ \hline
%\hline
FS6: $HISB$ $HIGH$ & & output perm.
high & & $OUTPUT STUCK$ \\
FS7: $HISB$ $LOW$ & & output perm. low & & $OUTPUT STUCK$ \\
FS8: $HISB$ $NOOP$ & & no current drive & & $OUTPUT STUCK$ \\
FS9: $HISB$ $LOW\_SLEW$ & & delayed signal & & $REDUCED\_INTEGRATION$ \\ \hline
\hline
\end{tabular}
\end{table}
The symptoms of failure $\{ OUTPUT STUCK, REDUCED\_INTEGRATION \}$ are collected, and a {\dc} called $BISJ$ is created.
\clearpage
\subsection{FMMD Analysis of flip flop buffered : FFB}
\label{detail:FFB}
\begin{table}[h+]
\caption{ $DIGBUF,DL2AL$ flip flop buffered($FFB$): Failure Mode Effects Analysis} % title of Table
\label{tbl:ffb}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$FFB$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline \hline
FS1: $DIGBUF$ $STOPPED$ & & output stuck & & $OUTPUT STUCK$ \\
FS2: $DIGBUF$ $LOW$ & & output stuck low & & $OUTPUT STUCK$ \\ \hline
%\hline
FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\
FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\
FS5: $DL2AL$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
Symptoms of failure $\{OUTPUT STUCK, LOW\_SLEW\}$ are collected and a {\dc}
%at the third level of symptom abstraction
called $FFB$ is created.
\clearpage
\subsection{FMMD Analysis of \sd : SDADC}
\label{detail:SDADC}
\begin{table}[h+]
\caption{ $FFB , BISJ $ \sd ($SDADC$): Failure Mode Effects Analysis} % title of Table
\label{tbl:sdadc}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$SDADC$ } & & \textbf{Symptom} \\
\textbf{cause} & & \textbf{Effect} & & \\ \hline \hline
FS1: $FFB$ $OUTPUT STUCK$ & & value max high or low & & $OUTPUT\_OUT\_OF\_RANGE$ \\
FS2: $FFB$ $LOW\_SLEW$ & & values will appear larger & & $OUTPUT\_INCORRECT$ \\
% FS3: $IC4^0$ $NOOP$ & & output stuck low & & $OUTPUT STUCK$ \\
\hline
%\hline
FS3: $BISJ$ $OUTPUT STUCK$ & & value max high or low & & $OUTPUT\_OUT\_OF\_RANGE$ \\
FS4: $BISJ$ $REDUCED\_INTEGRATION$ & & values will appear larger & & $OUTPUT\_INCORRECT$ \\ \hline
\hline
\end{tabular}
\end{table}
%\clearpage
The symptoms for the \sd are collected
$$ \; \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}.$$
A {\dc} is created to represent the failure behaviour of the analogue to digital converter, $SDADC$.
$$fm(SDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$
\fmmdglossADC
\clearpage
\section{Standalone temperature controller}
FMMD analysis tables from chapter~\ref{sec:chap6}.
\label{sec:readPt100} \subsection{Read\_Pt100: Failure Mode Effects Analysis} { \tiny \begin{table}[h+] \center \caption{ Read\_Pt100: Failure Mode Effects Analysis} % title of Table \label{tbl:readPt100} \begin{tabular}{|| l | c | l ||} \hline % \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ % \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline \hline \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ \textbf{cause} & \textbf{Effect} & \\ \hline FC1: $RI_{VRGE}$ & voltage & $VOLTAGE\_HIGH$ \\ & outside range & \\ \hline FC2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\ & incorrect & \\ \hline \hline FC3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\ & incorrect & \\ \hline FC4: $RADC_{LOW}$ & ADC may read & $VOLTAGE\_LOW$ \\ \hline FC5: post condition fails & software failure & $VAL\_ERR$ \\ in function read\_ADC & read\_ADC & \\ \hline \end{tabular} \end{table} } \fmmdglossADC \clearpage \subsection{ Get\_Temperature: Failure Mode Effects Analysis } { \tiny \begin{table}[h+] \center \caption{ Get\_Temperature: Failure Mode Effects Analysis} % title of Table \label{tbl:gettemperature} \begin{tabular}{|| l | c | l ||} \hline % \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ % \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline \hline \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ \textbf{cause} & \textbf{Effect} & \\ \hline FC1: $Pt100:Voltage\_High$ & Pt100 voltage too high & Pt100\_out\_of\_range \\ & Pt100\_higher\_voltage & \\ & OR Pt100\_current & \\ \hline FC2: $Pt100:Voltage\_Low$ & Pt100 voltage too low & Pt100\_out\_of\_range \\ & Pt100\_lower\_voltage & \\ & OR Pt100\_current & \\ \hline FC3: $Pt100\_high\_low\_mismatch$ & temperature can be calculated & Pt100\_out\_of\_range \\ & from either high or low & \\ & reading, but should correlate & \\ \hline % FC4: $Pt100\_current$ & the current applied is & Pt100\_out\_of\_range \\ % & necessary to calculate resistance, & \\ % & but should be within 
given bounds & \\ \hline % % FC4: $Pt100:VAL\_ERR$ & could cause an out of & temp\_incorrect\\ & range error, but may also & \\ & cause us to read an & \\ & incorrect temperature & \\ \hline FC5: post condition fails & software failure & temp\_incorrect \\ in function convert\_ADC\_to\_T & convert\_ADC\_to\_T & \\ \hline \hline \end{tabular} \end{table} } \clearpage \subsection{ GetError: Failure Mode Effects Analysis } { \tiny \begin{table}[h+] \center \caption{ GetError: Failure Mode Effects Analysis} % title of Table \label{tbl:geterror} \begin{tabular}{|| l | c | l ||} \hline % \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ % \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline \hline \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ \textbf{cause} & \textbf{Effect} & \\ \hline FC1: $ Pt100\_out\_of\_range $ & pre-condition violated & KnownIncorrectErrorValue \\ & observable/detectable & \\ & failure mode & \\ \hline FC2: $temp\_incorrect$ & pre-condition violated & IncorrectErrorValue \\ & unobservable & \\ & undetectable failure mode & \\ \hline FC3: post condition fails & software failure & IncorrectErrorValue \\ in function determine\_set\_point\_error & determine\_set\_point\_error & \\ \hline \end{tabular} \end{table} } \clearpage \subsection{PID: Failure Mode Effects Analysis} { \tiny \begin{table}[h+] \center \caption{ PID: Failure Mode Effects Analysis} % title of Table \label{tbl:pidfunction} \begin{tabular}{|| l | c | l ||} \hline % \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ % \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline \hline \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ \textbf{cause} & \textbf{Effect} & \\ \hline FC1: $ KnownIncorrectErrorValue $ & pre-condition violated & KnownControlValueErrorV \\ & observable/detectable & \\ & failure mode & \\ \hline FC2: $ IncorrectErrorValue $ & pre-condition violated & IncorrectControlErrorV \\ & unobservable & \\ & undetectable 
failure mode & \\ \hline FC3: post condition fails & software failure & IncorrectControlErrorV \\ in function PID & PID & \\ \hline \end{tabular} \end{table} } \clearpage \subsection{ HeaterOutput: Failure Mode Effects Analysis } { \tiny \begin{table}[h+] \center \caption{ HeaterOutput: Failure Mode Effects Analysis} % title of Table \label{tbl:heateroutput} \begin{tabular}{|| l | c | l ||} \hline % \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ % \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline \hline \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ \textbf{cause} & \textbf{Effect} & \\ \hline FC1: $ PWM stuck HIGH $ & pre-condition violated & HeaterOnFull \\ & PWM module not working & \\ \hline FC2: $ PWM stuck LOW $ & pre-condition violated & HeaterOff \\ & PWM module not working & \\ \hline FC3: HEATER $SHORT$ & heating element resistor & HeaterOff \\ & SHORT no heating effect & \\ \hline FC4: HEATER $OPEN $ & heating element resistor & HeaterOff \\ & OPEN no heating effect & \\ \hline FC5: $ output\_control$ post & The software supplies the wrong & HeaterOutputIncorrect \\ condition failure & value to the PWM register & \\ \hline \end{tabular} \end{table} } \clearpage \subsection{ LEDOutput: Failure Mode Effects Analysis } { \tiny \begin{table}[h+] \center \caption{ LEDOutput: Failure Mode Effects Analysis} % title of Table \label{tbl:ledoutput} \begin{tabular}{|| l | c | l ||} \hline % \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ % \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline \hline \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ \textbf{cause} & \textbf{Effect} & \\ \hline FC1: $ Temp LED fails $ & LED will not light & FailureIndicated \\ & & \\ \hline FC2: $ Processor LED fails $ & LED will not light & FailureIndicated \\ & & \\ \hline FC3: $ PWM LED fails $ & LED will not light & FailureIndicated \\ & & \\ \hline FC4: GPIO stuck HIGH & LED permanently OFF & FailureIndicated \\ 
\hline FC5: GPIO stuck Low & LED permanently ON & FailureIndicated \\ \hline FC6: Software SetLEDs & Incorrect Indication & IndicationError \\ fails to set outputs correctly & Post condition failure & \\ \hline \end{tabular} \end{table} } \clearpage \subsection{ Standalone temperature controller: Failure Mode Effects Analysis} { \tiny \begin{table}[h+] \center \caption{Standalone temperature controller: Failure Mode Effects Analysis} % title of Table \label{tbl:pid} \begin{tabular}{|| l | l | l ||} \hline % \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\ % \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline \hline \textbf{Failure} & \textbf{Failure } & \textbf{Symptom} \\ \textbf{cause} & \textbf{Effect} & \\ \hline FC1: PID KnownControlValueError & As error is detectable & ControlFailureIndicated \\ & error can be indicated & \\ \hline FC2: PID IncorrectControlerrorV & undetectable failure: & ControlFailure \\ & PID will not control properly & \\ \hline FC3: HeaterOutput & Heater will constantly & ControlFailureIndicated \\ HeaterOnFULL & apply maximum power & \\ \hline FC4: HeaterOutput & no power & ControlFailureIndicated \\ HeaterOFF & supplied to heater & \\ \hline FC4: HeaterOutput & incorrect power levels & ControlFailure \\ HeaterOutputIncorrect & applied to heater & \\\hline FC5: LEDOutput & failure of LED system & KnownIndicationError \\ FailureIndicated & where failure is detectable & \\ \hline FC6: LEDOutput & failure of LED system & UnknownIndicationError \\ IndicationError & where failure is undetectable & \\ \hline %% PROM\_FAULT, RAM\_FAULT, CPU\_FAULT, ALU\_FAULT, CLOCK\_STOPPED FC7: micro-controller & un-defined behaviour & ControlFailure \\ PROM\_FAULT & & \\ \hline FC9: micro-controller & un-defined behaviour & ControlFailure \\ RAM\_FAULT & & \\ \hline FC10: micro-controller & un-defined behaviour & ControlFailure \\ CPU\_FAULT & & \\ \hline FC11: micro-controller & incorrect arithmetic & ControlFailure \\ ALU\_FAULT & 
performed in processing & \\ \hline
FC12: micro-controller & processor will not run & ControlFailureIndicated \\
CLOCK\_STOPPED & indicator leds will not flash & \\ \hline
FC8: monitor: & postcondition fails & ControlFailure \\
software fails & & \\ \hline
\hline
\end{tabular}
\end{table}
}
\clearpage
\subsection{Statistics and FMMD: Pt100 example for single and double failures}
\label{detailed:Pt100stats}
\paragraph{Pt100: Single Failures and statistical data.} %Mean Time to Failure}
\frategloss
To the model for the failure mode behaviour of the Pt100 circuit from an earlier example, {\bc} {\fm} statistics are added to determine the probability of symptoms of failure.
%
The DOD electronic reliability of components document MIL-HDBK-217F~\cite{mil1991} gives formulae for calculating the
%$\frac{failures}{{10}^6}$
${failures}/{{10}^6}$ % looks better
in hours for a wide range of generic components\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F can give conservative reliability figures when applied to modern components}.
%
Using the MIL-HDBK-217F %~\cite{mil1991}
specifications for resistor and thermistor failure statistics, the reliability for the Pt100 example (see section~\ref{sec:Pt100}) is calculated below.
%
%
\paragraph{Resistor FIT Calculations.}
%
The formula given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor is reproduced in equation~\ref{resistorfit}.
The meanings and values assigned to its co-efficients are described in table~\ref{tab:resistor}.
\fmmdglossFIT
\fmodegloss
%
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
\label{resistorfit}
\end{equation}
\begin{table}[ht]
\caption{Fixed film resistor Failure In Time (FIT) assessment.} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\emph{Parameter} & \emph{Value} & \emph{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:resistor}
\end{table}
\frategloss
Applying equation~\ref{resistorfit} with the parameters from table~\ref{tab:resistor} gives the following failures in ${10}^6$ hours:
\begin{equation}
0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours}
\label{eqn:resistor}
\end{equation}
While MIL-HDBK-217F gives MTTF for a wide range of common components, it does not specify how the components will fail (in this case OPEN or SHORT).
%
Some standards, notably EN298, only consider most types of resistor as failing in OPEN mode.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses.
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example compromises and uses a 9:1 OPEN:SHORT ratio for resistor failure.
%
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military specification at temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$) hours of operation (see equation~\ref{eqn:resistor}).
In EN61508 terminology, this figure is referred to as a Failure in Time FIT\footnote{FIT values are measured as the number of failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the FIT number the more reliable the component.}.
%
The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in equation~\ref{thermistorfit}.
The variable meanings and values are described in table~\ref{tab:thermistor}.
%
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
thermistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
\label{thermistorfit}
\end{equation}
%
\begin{table}[ht]
\caption{Bead type Thermistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\emph{Parameter} & \emph{Value} & \emph{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
%${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:thermistor}
\end{table}
%
\begin{equation}
0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours}
\label{eqn:thermistor}
\end{equation}
%
Thus a bead type thermistor, `non~military~spec', is given a FIT of 315.0.
%
\frategloss
Using the RIAC findings, the following table (table~\ref{tab:stat_single}) can be created, which presents the FIT values for all single failure modes.
%\glossary{name={FIT}, description={Failure in Time (FIT).
%The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\fmmdglossFIT
%
\begin{table}[h+]
\caption{Pt100 FMEA Single // Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline \hline
TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline
TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline \hline
TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline
TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline \hline
TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\
TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline \hline
\end{tabular}
\label{tab:stat_single}
\end{table}
%
\frategloss
%
The FIT for the circuit as a whole is the sum of the FIT values for all the test cases.
The Pt100 circuit here has a FIT of 342.6. This is an MTTF of approximately 360 years per circuit.
%
A probabilistic tree can now be drawn, with a FIT value for the Pt100 circuit and FIT values for all the component fault modes from which it was calculated.
%
From this it can be seen that the most likely fault is the thermistor going OPEN.
%
This circuit is around 10 times more likely to fail in this way than in any other.
%
If a more reliable temperature sensor were required, this would probably be the fault~mode scrutinised first.
%
\frategloss
%
\begin{figure}[h+]
\centering
\includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png}
% stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327
\caption{Probabilistic Fault Tree : Pt100 Single Faults}
\label{fig:stat_single}
\end{figure}
%
The Pt100 analysis presents a simple result for single faults.
The next analysis phase looks at how the circuit will behave under double simultaneous failure conditions.
%
%
\paragraph{Pt100 Example: Double Failures and statistical data.}
Because double simultaneous failure analysis can be performed under FMMD, failure rate statistics for double failures can also be determined.
%
\frategloss
%
%%
%% Need to talk about the `detection time'
%% or `Safety Relevant Validation Time' ref can book
%% EN61508 gives detection calculations to reduce
%% statistical impacts of failures.
%%
%
Considering the failure modes to be statistically independent, the FIT values for all the combinations of failures in the electronic examples from chapter~\ref{sec:chap5} in table~\ref{tab:ptfmea2} can be calculated.
%
The failure mode of most concern, the undetectable {\textbf{FLOATING}} condition, requires that resistors $R_1$ and $R_2$ both fail.
%
Multiplying the MTTF probabilities for these types of resistor failing gives the MTTF for both failing.
%
The FIT value of 12.42 corresponds to $12.42 \times {10}^{-9}$ failures per hour.
%
Squaring this gives $ 154.3 \times {10}^{-18} $.
%
This is an astronomically small failure rate, so small that it would probably fall below a threshold to sensibly consider.
%
However, it is very interesting from a failure analysis perspective, because an undetectable fault (at least at this level in the FMMD hierarchy) has been revealed.
%
This means that should it be required to cope with this fault, a new way of detecting this condition must be engineered, perhaps in higher levels of the system/FMMD hierarchy.
%
\paragraph{MTTF statistics and FMMD hierarchies.}
%
In a large FMMD model, system/top level failures can be traced down to {\bc} {\fms}.
%
To determine the MTTF probability for a system level failure, the MTTF statistics are added for all its possible causes.
%
Thus even for large FMMD models, accurate statistics for electronic sourced failures can be calculated.
%
%\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}
%
\frategloss
\fmmdglossFIT
\clearpage
\subsection{Gnuplot script for hypothetical XFMEA FMMD reasoning distance comparison}
\label{sec:gnuplotxfmeafmmdcomp}
\begin{verbatim}
#####################################################################################
# GNUPLOT SCRIPT to plot XFMEA FMMD reasoning distance
# comparisons.
#
#
# Always define floating point explicitly at initialisation, as in 'C',
# because otherwise gnuplot treats these as integers.
#
# number of failure modes per component
fm = 3.0
#
# number of components in each functional group
k = 3.0
#
# place the functional group size and failure mode per components
# size into a string to use as the graph title
#
tt = sprintf("reasoning distance comparison for |fg| = %d and |fm| = %d", k, fm)
set title tt
#
a = 0.0
b = 0.0
#
# formula for reasoning distance in one level of FMMD
# hierarchy (as given by ll)
#
fmmd(ll)=k**ll * k * fm * (k - 1)
#
# set up iterative sum in gnuplot syntax
# to iterate over FMMD levels
#
sum(a,b) = (a > b) ? 0 : fmmd(a) + sum(a+1, b)
sig_fx(c) = sum(a,c)
#
# reasoning distance for exhaustive case in FMEA
# where ll is the hierarchy level
xfmea(ll) = k**(ll+1) * ( k**(ll+1) -1 ) * fm
#
#
set xrange [0:1000]
set xlabel "Component count"
set ylabel "reasoning distance"
set logscale y
#
set terminal png
set output 'xfmea_fmmd_comp.png'
plot sig_fx(x**(1/k)), xfmea(x**(1/k))
#!sleep 20
#####################################################################################
\end{verbatim}