107 lines
3.4 KiB
TeX
\ifthenelse{\boolean{paper}}
{
\abstract{
This paper describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable faults.
Used in this way, it is a design aid, giving the user
the possibility to model a system from the perspective
of its failure mode behaviour.
}
}
{
\section{Introduction}

This chapter describes how the FMMD methodology can be used to refine
safety critical designs and identify undetectable faults.
Used in this way, it is a design aid, giving the user
the possibility to model a system from the perspective
of its failure mode behaviour.
}

\section{How FMMD Analysis can reveal design flaws in failure mode detection}

A feature of FMMD analysis is symptom collection. Common symptoms are collected
after analysis, which means that the failure modes of the {\fg}
are examined. A symptom will be either detectable (like a value out of range)
or undetectable (like a logic state or value being incorrect).
The `undetectable' failure modes are the most worrying for the safety critical designer.
It is generally these that stand out as single
failure modes. Out of range values, for instance, we know we can cope with; they
are an obvious error condition that will be detected by any modules
using the {\fg}.

\subsection{Iterative design}

By applying FMMD analysis to a {\fg} we can determine which failure
modes are detectable, and which are undetectable.
We can then either modify the circuit and iteratively
apply FMMD to the design again, or we could add another {\fg}
that specifically tests for the undetectable conditions.

This
\ifthenelse{\boolean{paper}}
{
paper
}
{
chapter
}
describes a milli-volt amplifier with an inbuilt safety\footnote{The `safety' resistor also acts as a potential divider to provide a milli-volt offset.}
resistor. The circuit is analysed and it is found that all but one of the component failure modes
are detectable.
We then design a circuit to test for the `undetectable' failure mode
and analyse this with FMMD.
We then use both {\dcs} to form a {\fg} which we can call our `self testing milli-volt amplifier'.
We then analyse this {\fg} and discuss the resultant {\dc} failure modes.

\section{An example: A Millivolt Amplifier}

\section{FMMD Analysis}

\subsection{Undetected Failure Mode: Incorrect Reading}

Although statistically this failure is unlikely (get stats for R short FIT etc.\ from pt100 doc),
if the reading is considered critical, or we are aiming for a high integrity level,
this may be unacceptable.
We will need to add some type of detection mechanism to the circuit to
test $R_{off}$ periodically.
For instance, were we to check $R_{off}$ every $\tau = 20\,\mathrm{ms}$: work out detection
allowance according to EN61508.

\section{Proposed Checking Method}

Were we to switch in a second resistor in parallel with the
safety resistor $R_{safety}$, using a switch (or transistor),
we could detect the effect on the reading with the potential divider
according to the following formula.

\vspace{10pt}
Work out a pot div formula, and some typical values
\vspace{10pt}
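
The following worked example of the potential divider check is added here and is not part of the original analysis; the divider topology, the symbols $V_s$, $R_1$ and $R_t$, and the component values are assumptions made for illustration.

Assume the offset is produced by a divider from a supply $V_s$ through an upper resistor $R_1$ to the amplifier input, with $R_{safety}$ from that node to ground, so that with the test switch open the offset is
\begin{equation}
V_{off} = V_s \frac{R_{safety}}{R_1 + R_{safety}} .
\end{equation}
Closing the switch places the test resistor $R_t$ in parallel with $R_{safety}$, giving
\begin{equation}
R_p = \frac{R_{safety} R_t}{R_{safety} + R_t}, \qquad
V'_{off} = V_s \frac{R_p}{R_1 + R_p} ,
\end{equation}
and the check looks for the expected shift
\begin{equation}
\Delta V = V_{off} - V'_{off} .
\end{equation}
With the assumed values $V_s = 5\,\mathrm{V}$, $R_1 = 100\,\mathrm{k\Omega}$, $R_{safety} = 100\,\Omega$ and $R_t = 100\,\Omega$ this gives $V_{off} \approx 5.00\,\mathrm{mV}$, $R_p = 50\,\Omega$, $V'_{off} \approx 2.50\,\mathrm{mV}$ and so $\Delta V \approx 2.50\,\mathrm{mV}$, which must exceed the resolution of the reading for the check to be usable.
If $R_{safety}$ has failed short circuit, the node is at $0\,\mathrm{V}$ whether the switch is open or closed, so $\Delta V = 0$ and the previously undetectable failure mode now produces the symptom `no shift on test'. An open circuit failure of $R_t$, or a switch that fails to close, produces the same `no shift' symptom, which is the sense in which the addition raises the detectable coverage while adding failure modes of its own.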

\section{FMMD analysis of Safety Addition}

\section{FMMD Hierarchy, with milli-volt amp and safety addition}

Draw FMMD hierarchy diagram.

\subsection{Analysis of FMMD Derived component `added safety milli-volt amp'}

\section{Conclusions}

With safety addition reliability GOES DOWN!
But safety goes UP!
Work it out