robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
228f190964
Robin_PHD/submission_thesis/CH5_Examples/copy.tex
Robin Clark 228f190964 S/w spec improved by knowing h/w interface 
failure modes supplied by FMMD
2012-05-13 18:56:15 +01:00

3660 lines
150 KiB
TeX
Raw Blame History

%\clearpage %\pagenumbering{arabic}
\label{sec:chap5}
This chapter demonstrates FMMD applied to
a variety of common electronic circuits.
In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.
\section{Basic Concepts Of FMMD}
The %idea
driving concept behind FMMD is to modularise, from the bottom-up, failure mode effects analysis.
Traditional FMEA takes part failure modes and then determines what effect each of these
failure modes could have on the system under investigation.
Traditional FMEA, by looking at `part' level failure modes,
involves what we could term a large `reasoning~distance'; that is to say
in a complex system, taking a particular failure mode, of a particular part
and then trying to predict the outcome in the context of an entire system, is
a leap~of~faith. There will be numerous possibilities of effects and side effects on
other components in the system; more than is practically possible to rigorously examine.
To simply trace a simple route from a particular part failure mode to a top level system error/symptom
oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
Fortunately most real-world designs take a modular approach. In Electronics
for instance, commonly used configurations of parts are used to create
amplifiers, filters, potential dividers etc.
%It is therefore natural to collect parts to form functional groups.
It is common design practise in electronics, to use collections of parts in specific configurations
to form well-defined and well-known building blocks.
These commonly used configurations of parts, or {\fgs}, will
also have a specific failure mode behaviour.
We can take a {\fg} and determine its symptoms of failure.
When we have done this we can treat this as a component in its own right.
If we terms `parts' as base~components, components we have determined
from functional groups as derived components, we modularise the FMEA process.
If we start building {\fgs} from derived components we can start to build a modular
hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
As all forms of FMEA are bottom-up processes, we start with the lowest or most basic components/parts.
%and with their failure modes.
% It is worth defining clearly the term part here.
% Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus:
% ``{Part(definition)}---The Lowest level of assembly, beyond which further disassembly irrevocably destroys the item''.
% In the field of electronics a resistor, capacitor and op-amp would fit this definition of a `part'.
% Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mil1991}.
%
%
%
% \paragraph {Definitions: for practical FMMD analysis}
%
% \begin{itemize}
% \item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}.
% \item {\fm} - failure mode - the ways in which a component can fail
% \item {\fg} - a collection of components chosen to perform a particular task
% \item {\em symptom} - a failure mode of a functional group caused by one or more of its component failure modes.
% \item {\dc} - a new component derived from an analysed {\fg}
% \end{itemize}
\subsection{Determining the failure modes of components}
\label{sec:determine_fms}
In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail.
A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124].
Typically when choosing components for a design, we look at manufacturers' data sheets,
which describe the environmental ranges and tolerances, and can indicate how a component may fail/behave
under certain conditions or environments.
%
How base components could fail internally, is not of interest to an FMEA investigation.
The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its
modes of failure.
A large body of literature exists which gives guidance for determining component {\fms}.
%
For this study FMD-91~\cite{fmd91} and the gas burner standard EN298~\cite{en298} are examined.
%Some standards prescribe specific failure modes for generic component types.
In EN298 failure modes for generic component types are prescribed, or
determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
are examined.
%
FMD-91 is a reference document released into the public domain by the United States DOD
and describes `failures' of common electronic components, with percentage statistics for each failure.
FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation.
FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of
component {\fms} suitable for use in FMEA.
A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for
component types but does not detail specific failure modes.
Used in conjunction with FMD-91, we can determine statistics for the failure modes
of component types. The FMEDA process from European standard EN61508~\cite{en61508} for instance,
requires statistics for Meantime to Failure (MTTF)
for all part failure modes.
% One is from the US military document FMD-91, where internal failures
% of components are described (with stats).
%
% The other is EN298 where the failure modes for generic component types are prescribed, or
% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
% is applied. These techniques
%
% The FMD-91 entries need, in some cases, some interpretation to be mapped to
% component failure symptoms, but include failure modes that can be due to internal failures.
% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC.
%
% Could I come in and see you Chris to quickly discuss these.
%
% I hope to have chapter 5 finished by the end of March, chapter 5 being the
% electronics examples for the FMMD methodology.
In this section we look in detail at two common electrical components and examine how
the two sources of information define their failure mode behaviour.
We look at the reasons why some known failure modes % are omitted, or presented in
%specific but unintuitive ways.
%We compare the US. military published failure mode specifications wi
can be found in one source but not in the other and vice versa.
Finally we compare and contrast the failure modes determined for these components
from the FMD-91 reference source and from the guidelines of the
European burner standard EN298.
\subsection{Failure mode determination for generic resistor.}
\label{sec:resistorfm}
%- Failure modes. Prescribed failure modes EN298 - FMD91
\paragraph{Resistor failure modes according to FMD-91.}
The resistor is a ubiquitous component in electronics, and is therefore a prime
example for examining its failure modes.
FMD-91\cite{fmd91}[3-178] lists many types of resistor
and lists many possible failure causes.
For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes:
\begin{itemize}
\item Opened 52\%
\item Drift 31.8\%
\item Film Imperfections 5.1\%
\item Substrate defects 5.1\%
\item Shorted 3.9\%
\item Lead damage 1.9\%
\end{itemize}
This information may be of interest to the manufacturer of resistors, but it does not directly
help a circuit designer.
The circuit designer is not interested in the causes of resistor failure, but to build in contingency
against {\fms} that the resistor could exhibit.
We can determine these {\fms} by converting the internal failure descriptions
to {\fms} thus:
%and map these failure causes to three symptoms,
%drift (resistance value changing), open and short.
\begin{itemize}
\item Opened 52\% $\mapsto$ OPENED
\item Drift 31.8\% $\mapsto$ DRIFT
\item Film Imperfections 5.1\% $\mapsto$ OPEN
\item Substrate defects 5.1\% $\mapsto$ OPEN
\item Shorted 3.9\% $\mapsto$ SHORT
\item Lead damage 1.9\% $\mapsto$ OPEN.
\end{itemize}
The main causes of drift are overloading of components.
This is borne out in entry~\cite{fmd91}[232] for a resistor network where the failure
modes do not include drift.
If we can ensure that our resistors will not be exposed to overload conditions, drift (sometimes called parameter change)
can be reasonably excluded.
\paragraph{Resistor failure modes according to EN298.}
EN298, the European gas burner safety standard, tends to be give failure modes more directly usable by FMEA than FMD-91.
EN298 requires that a full FMEA be undertaken, examining all failure modes
of all electronic components~\cite{en298}[11.2 5] as part of the certification process.
%
Annex A of EN298, prescribes failure modes for common components
and guidance on determining sets of failure modes for complex components (i.e. integrated circuits).
EN298~\cite{en298}[Annex A] (for most types of resistor)
only requires that the failure mode OPEN be considered in FMEA analysis.
%
For resistor types not specifically listed in EN298, the failure modes
are considered to be either OPEN or SHORT.
The reason that parameter change is not considered for resistors chosen for an EN298 compliant system, is that they must be must be {\em downrated}.
That is to say the power and voltage ratings of components must be calculated
for maximum possible exposure, with a 40\% margin of error. This ensures the resistors will not be overloaded,
and thus subject to drift/parameter change.
% XXXXXX get ref from colin T
%If a resistor was rated for instance for
%These are useful for resistor manufacturersthey have three failure modes
%EN298
%Parameter change not considered for EN298 because the resistors are down-rated from
%maximum possible voltage exposure -- find refs.
% FMD-91 gives the following percentages for failure rates in
% \label{downrate}
% The parameter change, is usually a failure mode associated with over stressing the component.
%In a system designed to typical safety critical constraints (as in EN298)
%these environmentally induced failure modes need not be considered.
\subsubsection{Resistor Failure Modes}
\label{sec:res_fms}
For this study we will take the conservative view from EN298, and consider the failure
modes for a generic resistor to be both OPEN and SHORT.
i.e.
\label{ros}
$$ fm(R) = \{ OPEN, SHORT \} . $$
\subsection{Failure modes determination for generic operational amplifier}
\begin{figure}[h+]
\centering
\includegraphics[width=200pt]{CH5_Examples/lm258pinout.jpg}
% lm258pinout.jpg: 478x348 pixel, 96dpi, 12.65x9.21 cm, bb=0 0 359 261
\caption{Pinout for an LM358 dual OP-AMP}
\label{fig:lm258}
\end{figure}
The operational amplifier (op-amp) is a differential amplifier and is very widely used in nearly all fields of modern analogue electronics.
They are typically packaged in dual or quad configurations---meaning
that a chip will typically contain two or four amplifiers.
For the purpose of example, we look at
a typical op-amp designed for instrumentation and measurement, the dual packaged version of the LM358~\cite{lm358}
(see figure~\ref{fig:lm258}), and use this to compare the failure mode derivations from FMD-91 and EN298.
\paragraph{ Failure Modes of an OP-AMP according to FMD-91 }
%Literature suggests, latch up, latch down and oscillation.
For OP-AMP failures modes, FMD-91\cite{fmd91}{3-116] states,
\begin{itemize}
\item Degraded Output 50\% Low Slew rate - poor die attach
\item No Operation - overstress 31.3\%
\item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier 12.5\%
\item Opened $V_+$ open 6.3\%
\end{itemize}
Again these are mostly internal causes of failure, more of interest to the component manufacturer
than a designer looking for the symptoms of failure.
We need to translate these failure causes within the OP-AMP into {\fms}.
We can look at each failure cause in turn, and map it to potential {\fms}.
\paragraph{OP-AMP failure cause: Poor Die attach}
The symptom for this is given as a low slew rate. This means that the op-amp
will not react quickly to changes on its input terminals.
This is a failure symptom that may not be of concern in a slow responding system like an
instrumentation amplifier. However, where higher frequencies are being processed,
a signal may be lost.
We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$.
\paragraph{No Operation - over stress}
Here the OP\_AMP has been damaged, and the output may be held HIGH or LOW, or may be effectively tri-stated
, i.e. not able to drive circuitry in along the next stages of the signal path: we can call this state NOOP (no Operation).
%
We can map this failure cause to three {\fms}, $LOW$, $HIGH$, $NOOP$.
\paragraph{Shorted $V_+$ to $V_-$}
Due to the high intrinsic gain of an op-amp, and the effect of offset currents,
this will force the output HIGH or LOW.
We map this failure cause to $HIGH$ or $LOW$.
\paragraph{Open $V_+$}
This failure cause will mean that the minus input will have the very high gain
of the OP-AMP applied to it, and the output will be forced HIGH or LOW.
We map this failure cause to $HIGH$ or $LOW$.
\paragraph{Collecting OP-AMP failure modes from FMD-91}
We can define an OP-AMP, under FMD-91 definitions to have the following {\fms}.
$$fm(OP-AMP) = \{ HIGH, LOW, NOOP, LOW_{slew} \} $$
\paragraph{Failure Modes of an OP-AMP according to EN298}
EN298 does not specifically define OP\_AMPS failure modes; these can be determined
by following a procedure for `integrated~circuits' outlined in
annex~A~\cite{en298}[A.1 note e].
This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios.
We examine these failure scenarios on the dual packaged $LM358$ %\mu741$
and determine its {\fms}.
\paragraph{EN298: Open and shorted pin failure symptom determination technique}
\begin{table}[h+]
\caption{LM358: EN298 Single failure symptom extraction}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\
\hline
& & & & \\ \hline
FS1: PIN 1 OPEN & & A output open & & $NOOP_A$ \\ \hline
FS2: PIN 2 OPEN & & A-input disconnected, & & \\
& & infinite gain on A+input & & $LOW_A$ or $HIGH_A$ \\ \hline
FS3: PIN 3 OPEN & & A+input disconnected, & & \\
& & infinite gain on A-input & & $LOW_A$ or $HIGH_A$ \\ \hline
FS4: PIN 4 OPEN & & power to chip (ground) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
FS5: PIN 5 OPEN & & B+input disconnected, & & \\
& & infinite gain on B-input & & $LOW_B$ or $HIGH_B$ \\ \hline
FS6: PIN 6 OPEN & & B-input disconnected, & & \\
FS6: PIN 6 OPEN & & infinite gain on B+input & & $LOW_B$ or $HIGH_B$ \\ \hline
FS7: PIN 7 OPEN & & B output open & & $NOOP_B$ \\ \hline
FS8: PIN 8 OPEN & & power to chip & & \\
FS8: PIN 8 OPEN & & (Vcc) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
& & & & \\
& & & & \\
& & & & \\ \hline
FS9: PIN 1 $\stackrel{short}{\longrightarrow}$ PIN 2 & & A -ve 100\% Feed back, low gain & & $LOW_A$ \\ \hline
FS10: PIN 2 $\stackrel{short}{\longrightarrow}$ PIN 3 & & A inputs shorted, & & \\
& & output controlled by internal offset & & $LOW_A$ or $HIGH_A$ \\ \hline
FS11: PIN 3 $\stackrel{short}{\longrightarrow}$ PIN 4 & & A + input held to ground & & $LOW_A$ \\ \hline
FS12: PIN 5 $\stackrel{short}{\longrightarrow}$ PIN 6 & & B inputs shorted, & & \\
& & output controlled by internal offset & & $LOW_B$ or $HIGH_B$ \\ \hline
FS13: PIN 6 $\stackrel{short}{\longrightarrow}$ PIN 7 & & B -ve 100\% Feed back, low gain & & $LOW_B$ \\ \hline
FS14: PIN 7 $\stackrel{short}{\longrightarrow}$ PIN 8 & & B output held high & & $HIGH_B$ \\ \hline
\hline
\end{tabular}
\label{tbl:pd}
\end{table}
%\clearpage
\subsubsection{Failure modes of an OP-AMP}
\label{sec:opamp_fms}
For the purpose of the examples to follow, the op-amp will
have the following failure modes:-
$$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$
\subsection{Comparing the component failure mode sources}
The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures.
The FMD-91 entires for op-amps are not directly usable as
component {\fms} in FMEA or FMMD and require interpretation.
%For our OP-AMP example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$)
%is missing from the EN298 failure modes set.
% FMD-91
%
% I have been working on two examples of determining failure modes of components.
% One is from the US military document FMD-91, where internal failures
% of components are described (with stats).
%
% The other is EN298 where the failure modes for generic component types are prescribed, or
% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
% is applied. These techniques
%
% The FMD-91 entries need, in some cases, some interpretation to be mapped to
% component failure symptoms, but include failure modes that can be due to internal failures.
% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC.
%
% Could I come in and see you Chris to quickly discuss these.
%
% I hope to have chapter 5 finished by the end of March, chapter 5 being the
% electronics examples for the FMMD methodology.
\clearpage
%%
%% Paragraph using failure modes to build from bottom up
%%
\section{ FMMD overview}
In the next sections we apply FMMD to example electronic circuits.
The basic principles of FMMD are presented here for clarity.
\paragraph{ Creating a fault hierarchy.}
The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc}
level up to the top, or system level, with analysis stages between each
transition to a higher level in the hierarchy.
The first stage is to choose
{\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components.
%These parts all have associated fault modes. A module is a set fault~modes.
From the point of view of failure analysis,
we are not interested in the components themselves, but in the ways in which they can fail.
A {\fg} is a collection of components that perform some simple task or function.
%
In order to determine how a {\fg} can fail,
we need to consider all the failure modes of all its components.
%
By analysing the fault behaviour of a `{\fg}' with respect to all its components failure modes,
we can determine its symptoms of failure.
%In fact we can call these
%the symptoms of failure for the {\fg}.
With these symptoms (a set of derived faults from the perspective of the {\fg})
we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways.
%
In other words we have taken a {\fg}, and analysed how
\textbf{it} can fail according to the failure modes of its components, and then
determined the {\fg} failure modes.
\paragraph{Creating a derived component.}
We create a new `{\dc}' which has
the failure symptoms of the {\fg} from which it was derived, as its set of failure modes.
This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}.
%
\paragraph{An example of a {\dc}.}
To give an example of this, we could look at the components that
form, say an amplifier. We look at how all the components within it
could fail and how that would affect the amplifier.
%
The ways in which the amplifier can be affected are its symptoms.
%
When we have determined the symptoms, we can
create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
We can now treat $AMP1$ as a pre-analysed, higher level component.
The amplifier is an abstract concept, in terms of the components.
To a make an `amplifier' we have to connect a a group of components
in a specific configuration. This specific configuration corresponds to
a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
%What this means is the `fault~symptoms' of the module have been derived.
%
%When we have determined the fault~modes at the module level these can become a set of derived faults.
%By taking sets of derived faults (module level faults) we can combine these to form modules
%at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way,
%to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed
%as parts, parts which may now be combined to create new functional groups,
%but as parts at a higher level of fault abstraction.
\paragraph{Building the Hierarchy.}
We can now apply the same process of building {\fgs} but with {\dcs} instead of {\bcs}.
We can bring {\dcs}
together to form functional groups and then create new {\dcs}
at even higher abstraction levels. Eventually we will have a hierarchy
that converges to one top level {\dc}. At this stage we have a complete failure
mode model of the system under investigation.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
% tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
\caption{FMMD Hierarchy showing ascending abstraction levels}
\label{fig:treeabslev}
\end{figure}
Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg}
is shown as a `$\derivec$' symbol.
% \section{Example Analysis: Non-Inverting OPAMP}
% Consider a non inverting op-amp designed to amplify
% a small positive voltage (typical use would be a thermocouple amplifier
% taking a range from 0 to 25mV and amplifying it to the useful range of an ADC, approx 0 to 4 volts).
%
%
% \begin{figure}[h+]
% \centering
% \includegraphics[width=100pt]{CH5_Examples/mvampcircuit.png}
% % mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143
% \label{fig:mvampcircuit}
% \caption{positive mV amplifier circuit}
% \end{figure}
%
% We can begin by looking for functional groups.
% The resistors $ R1, R2 $ perform a fairly common function in electronics, that of the potential divider.
% So we can examine $\{ R1, R2 \}$ as a {\fg}.
%
%
% \subsection{The Resistor in terms of failure modes}
%
% We can now determine how the resistors can fail.
% We consider the {\fms} for resistors to be OPEN and SHORT (see section~\ref{ros}).
% %, i.e.
% %$ fm(R) = \{ OPEN, SHORT \} . $
%
% We can express the failure modes of a component using the function $fm$, thus for the resistor, $ fm(R) = \{ OPEN, SHORT \}$.
%
%
% We have two resistors in this circuit and therefore four component failure modes to consider for the potential divider.
% We can now examine what effect each of these failures will have on the {\fg} (see table~\ref{tbl:pd}).
%
%
% \subsection{Analysing a potential divider in terms of failure modes}
%
% \label{potdivfmmd}
%
%
%
% \begin{figure}[h+]
% \centering
% \includegraphics[width=100pt,keepaspectratio=true]{CH5_Examples/pd.png}
% % pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241
% \label{fig:pdcircuit}
% \caption{Potential Divider Circuit}
% \end{figure}
%
%
% \begin{table}[h+]
% \caption{Potential Divider: Single failure analysis}
% \begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\
% \hline
% FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\
% FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline
% FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\
% FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline
% \hline
% \end{tabular}
% \label{tbl:pd}
% \end{table}
%
% We can now create a {\dc} for the potential divider, $PD$.
%
% $$ fm(PD) = \{ PDLow, PDHigh \}$$
%
% %Let us now consider the op-amp. According to
% %FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
% %latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
%
%
% \subsection{Analysing the non-inverting amplifier in terms of failure modes}
%
% From section~\ref{sec:opamp_fms}
% $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
%
%
% We can now form a {\fg} with $PD$ and $OPAMP$.
%
% \begin{figure}
% \centering
% \includegraphics[width=300pt]{CH5_Examples/non_inv_amp_fmea.png}
% % non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369
% \label{fig:invampanalysis}
% \end{figure}
%
%
%
%
% \begin{table}[h+]
% \caption{NIAMP: Single failure analysis}
% \begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Non In Amp Effect} & & \textbf{Symptom} \\
% \hline
% FS1: PD HIGH & & $LOW$ & & $Low$ \\
% FS2: PD LOW & & $HIGH$ & & $High$ \\ \hline
% FS3: OPAMP $L_{UP}$ & & $HIGH$ & & $High$ \\
% FS4: OPAMP $L_{DOWN}$ & & $LOW$ & & $Low$ \\
% FS5: OPAMP $Noop$ & & $LOW$ & & $Low$ \\
% FS5: OPAMP $Low slew$ & & $LOW$ & & $Lowpass$ \\ \hline
%
% \hline
% \end{tabular}
% \label{tbl:pd}
% \end{table}
%
% We can collect symptoms from the analysis and create a derived component
% to represent the non-inverting amplifier $NI\_AMP$.
% We can now express the failure mode behaviour of this type of amplifier thus:
%
% $$ fm(NIAMP) = \{ {lowpass}, {high}, {low} \}.$$
%
%
\clearpage
\section{Example Analysis: Inverting OPAMP}
\label{sec:invamp}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/invamp.png}
% invamp.png: 378x207 pixel, 72dpi, 13.34x7.30 cm, bb=0 0 378 207
\caption{Inverting Amplifier Configuration}
\label{fig:invamp}
\end{figure}
%This configuration is interesting from methodology pers.
There are two obvious ways in which we can model this circuit:
One is to do this in two stages, by considering the gain resistors to be an inverted potential divider
and then combining it with the OPAMP failure mode model.
The second is to place all three components in a {\fg}.
Both approaches are followed in the next two sub-sections.
\subsection{Inverting OPAMP using a Potential Divider {\dc}}
We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative.
We want if possible to have detectable errors. HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'.
If we can refine the operational states of the functional group, we can obtain clearer
symptoms.
If we consider the input will only be positive, we can invert the potential divider (see table~\ref{tbl:pdneg}).
\begin{table}[h+]
\caption{Inverted Potential divider: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Inverted Pot Div Effect} & & \textbf{Symptom} \\
\hline
FS1: R1 SHORT & & $HIGH$ & & $PDHigh$ \\ \hline
FS2: R1 OPEN & & $LOW$ & & $PDLow$ \\ \hline
FS3: R2 SHORT & & $LOW$ & & $PDLow$ \\ \hline
FS4: R2 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline
\hline
\end{tabular}
\label{tbl:pdneg}
\end{table}
We can form a {\dc} from this, and call it an inverted potential divider $INVPD$.
We can now form a {\fg} from the OP-AMP and the $INVPD$
\begin{table}[h+]
\caption{Inverting Amplifier: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\hline
FS1: INVPD LOW & & NEGATIVE on -input & & $ HIGH $ \\
FS2: INVPD HIGH & & Positive on -input & & $ LOW $ \\
FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline
FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
\hline
\end{tabular}
\label{tbl:invamppd}
\end{table}
This gives the same results as the analysis from figure~\ref{fig:invampanalysis}.
%The differences are the root causes or component failure modes that
%lead to the symptoms (i.e. the symptoms are the same but causation tree will be different).
$$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$
\subsection{Inverting OP-AMP analysing with three components in one {\fg}}
%We can use this for a more general case, because we can examine the
%effects on the circuit for each operational case (i.e. input +ve
%or input -ve), see table~\ref{tbl:invamp}.
%Because symptom collection is defined as surjective (from component failure modes
%to symptoms) we cannot have a component failure mode that maps to two different symptoms (within a functional group).
%Note that here we have a more general symptom $ OUT OF RANGE $ which could mean either
%$HIGH$ or $LOW$ output.
% 08feb2012 bugger considering -ve input. It complicates things.
% maybe do an ac amplifier later at some stage.
\begin{table}[h+]
\caption{Inverting Amplifier: Single failure analysis: 3 components}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\hline
FS1: R1 SHORT & & NEGATIVE out of range & & $ HIGH $ \\
% FS1: R1 SHORT -ve in & & POSITIVE out of range & & $ OUT OF RANGE $ \\ \hline
FS2: R1 OPEN & & zero output & & $ LOW $ \\
% FS2: R1 OPEN -ve in & & zero output & & $ ZERO OUTPUT $ \\ \hline
FS3: R2 SHORT & & $INVAMP_{nogain} $ & & $ LOW $ \\
% FS3: R2 SHORT -ve in & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline
FS4: R2 OPEN & & NEGATIVE out of range $ $ & & $ LOW$ \\
% FS4: R2 OPEN -ve in & & POSITIVE out of range $ $ & & $OUT OF RANGE $ \\ \hline
FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline
FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
\hline
\end{tabular}
\label{tbl:invamp}
\end{table}
$$ fm(INVAMP) = \{ HIGH, LOW, NO GAIN, LOW PASS \} $$
%Much more general. OUT OF RANGE symptom maps to many component failure modes.
%Observability problem... system. In fact can we get a metric of how observable
%a system is using the ratio of component failure modes X op states to a symptom ????
%Could further refine this if MTTF stats available for each component failure.
%\clearpage
\subsection{Comparison between the two approaches}
\label{sec:invampcc}
The first analysis looks at an inverted potential divider, analyses its failure modes,
and from this we obtain a {\dc} (INVPD).
We applied a second analysis stage with the known failure modes of the op-amp and the failure modes of INVPD.
The second analysis (3 components) has to look at the effects of each failure mode of each resistor
on the op-amp circuit. This is more to think about---or in other words an increase in the complexity of the analysis---than comparing the two known failure modes
from the pre-analysed inverted potential divider. The complexity comparison figures
bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
and for the second analysis a CC of $8.(3-2)=16$.
% CAN WE MODULARISE TOO FAR???? CAN W MAKE IT TOO FINELY GRAINED. 08FEB2012
%Again, for the two stage analysis, using equation~\ref{eqn:rd}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
%and for the second analysis a CC of $8.(3-2)=16$.
%If the input voltage can be negative the potential divider
%becomes reversed in polarity.
%This means that detecting which failure mode has occurred from knowing the symptom, has become a more difficult task; or in other words
%the observability of the causes of failure are reduced. Instead of the more specific symptoms $HIGH$ or $LOW$ we
%obtain $OUT OF RANGE$ instead.
\clearpage
\section{Op-Amp circuit 1}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit1001.png}
% circuit1001.png: 420x300 pixel, 72dpi, 14.82x10.58 cm, bb=0 0 420 300
\caption{Circuit 1}
\label{fig:circuit1}
\end{figure}
The amplifier in figure~\ref{fig:circuit1} amplifies the difference between
the input voltages $+V1$ and $+V2$.
It would be desirable to represent this circuit as a derived component called say $DiffAMP$.
We begin by identifying functional groups from the components in the circuit.
\subsection{Functional Group: Potential Divider}
For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{potdivfmmd}.
%R1 and R2 perform as a potential divider.
%Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A).
%$$ fm(R) = \{ OPEN, SHORT \}$$
% \begin{table}[ht]
% \caption{Potential Divider $PD$: Failure Mode Effects Analysis: Single Faults} % title of Table
% \centering % used for centering table
% \begin{tabular}{||l|c|c|l|l||}
% \hline \hline
% \textbf{Test} & \textbf{Pot.Div} & \textbf{ } & \textbf{General} \\
% \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% % R & wire & res + & res - & description
% \hline
% \hline
% TC1: $R_1$ SHORT & LOW & & LowPD \\
% TC2: $R_1$ OPEN & HIGH & & HighPD \\ \hline
% TC3: $R_2$ SHORT & HIGH & & HighPD \\
% TC4: $R_2$ OPEN & LOW & & LowPD \\ \hline
% \hline
% \end{tabular}
% \label{tbl:pdfmea}
% \end{table}
%
% By collecting the symptoms in table~\ref{tbl:pdfmea} we can create a derived
% component $PD$ to represent the failure mode behaviour
% of a potential divider.
Thus for single failure modes, a potential divider can fail
with $fm(PD) = \{PDHigh,PDLow\}$.
The potential divider is used to program the gain of IC1.
IC1 and PD provide the function of buffering
/amplifying the signal $+V1$.
We can now examine IC1 and PD as a functional group.
\pagebreak[3]
\subsection{Functional Group: Amplifier first stage}
Let use now consider the op-amp. According to
FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
$$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
By bringing the $PD$ derived component and the $OPAMP$ into
a functional group we can analyse its failure mode behaviour.
\begin{table}[ht]
\caption{Non Inverting Amplifier $NI\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & AMPHigh \\
TC2: $OPAMP$ LatchDown & Output Low : Low gain& & AMPLow \\ \hline
TC3: $OPAMP$ No Operation & Output Low & & AMPLow \\
TC4: $OPAMP$ Low Slew & Low pass filtering & & LowPass \\ \hline
TC5: $PD$ LowPD & Output High & & AMPHigh \\ \hline
TC6: $PD$ HighPD & Output Low : Low Gain& & AMPLow \\ \hline
%TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
Collecting the symptoms we can see that this amplifier fails
in 3 ways $\{ AMPHigh, AMPLow, LowPass \}$.
We can now create a derived component, $NI\_AMP$, to represent it.
$$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} $$
\subsection{The second Stage of the amplifier}
The second stage of this amplifier, following the signal path, is the amplifier
consisting of $R3,R4,IC2$.
This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier.
The first amplifier was grounded and received as input `+V1' (presumably
a positive voltage).
This means the junction of R1 R3 is always +ve.
This means the input voltage `+V2' could be lower than this.
This means R3 R4 is not a potential divider, with R4 being on the positive side.
It could be on either polarity (i.e. the other way around R4 could be the negative side).
Here it is more intuitive to model the resistors not as a potential divider, but individually.
%This means we are either going to
%get a high or low reading if R3 or R4 fail.
\begin{table}[ht]
\caption{Second Amplifier $SEC\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & AMPHigh \\
TC2: $OPAMP$ LatchDown & Output Low : Low gain & & AMPLow \\ \hline
TC3: $OPAMP$ No Operation & Output Low & & AMPLow \\
TC4: $OPAMP$ Low Slew & Low pass filtering & & LowPass \\ \hline
TC5: $R3\_open$ & +V2 follower & & AMPIncorrectOutput\\ \hline
TC6: $R3\_short$ & Undefined & & AMPIncorrectOutput \\
& (impedance of IC1 vs +V2) & & \\ \hline
TC5: $R4\_open$ & High or Low output & & AMPIncorrectOutput \\
& +V2$>$+V1 $\mapsto$ High & & \\
& +V1$>$+V2 $\mapsto$ Low & & \\ \hline
TC6: $R4\_short$ & +V2 follower & & AMPIncorrectOutput \\ \hline
%TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
Collecting the symptoms we can see that this amplifier fails
in 4 ways $\{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput\}$.
We can now create a derived component, $SEC\_AMP$, to represent it.
$$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} $$
%Its failure modes are therefore the same. We can therefore re-use
%the derived component for $NI\_AMP$
\pagebreak[4]
\subsection{Modelling the circuit}
For the final stage of this we can create a functional group consisting of
two derived components of the type $NI\_AMP$ and $SEC\_AMP$.
\begin{table}[ht]
\caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Dual Amplifier} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $NI\_AMP$ AMPHigh & opamp 2 driven high & & DiffAMPLow \\
TC2: $NI\_AMP$ AMPLow & opamp 2 driven low & & DiffAMPHigh \\
TC3: $NI\_AMP$ LowPass & opamp 2 driven with lag & & DiffAMP\_LP \\ \hline
TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & & DiffAMPHigh\\
TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & & DiffAMPLow \\
TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & & DiffAMP\_LP \\ \hline
TC7: $SEC\_AMP$ IncorrectOutput & Output voltage & & DiffAMPIncorrect \\
TC7: $SEC\_AMP$ & $ \neg (V2 - V1) $ & & \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
Collecting the symptoms, we can determine the failure modes for this circuit, $\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$.
We now create a derived component to represent the circuit in figure~\ref{fig:circuit1}.
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$
Its interesting here to note that we can draw a directed graph (figure~\ref{fig:circuit1_dag})
of the failure modes and derived components.
Using this we can trace any top level fault back to
a component failure mode that could have caused it.
In fact we can re-construct an FTA diagram from the information in this graph.
We merely have to choose a top level event and work down using $XOR$ gates.
This circuit performs poorly from a safety point of view.
Its failure modes could be indistinguishable from valid readings (especially
when it becomes a V2 follower).
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{CH5_Examples/circuit1_dag.png}
% circuit1_dag.png: 797x1145 pixel, 72dpi, 28.12x40.39 cm, bb=0 0 797 1145
\caption{Directed Acyclic Graph of Circuit1 failure modes}
\label{fig:circuit1_dag}
\end{figure}
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is currently impossible to detect---
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508
terminology is called an undetectable fault.
Were this failure to have safety implications this FMMD analysis will have revealed
the un-observability and prompt re-design of this
circuit\footnote{A typical way to solve an un-observability such as this is
to periodically switch test signals in place of the input signal}
.
\clearpage
\section{Op-Amp circuit 2}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002.png}
% circuit2002.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{circuit 2}
\label{fig:circuit2}
\end{figure}
The circuit in figure~\ref{fig:circuit2} shows a five pole low pass filter.
Starting at the input, we have a first order low pass filter buffered by an op-amp,
the output of this is passed to a Sallen~Key~\cite{aoe}[p.267] second order lowpass filter.
The output of this is passed into another Sallen~Key filter -- which although it may have different values
for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective.
Thus we can analyse the first Sallen~Key low pass filter and re-use the results.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/blockdiagramcircuit2.png}
% blockdiagramcircuit2.png: 689x83 pixel, 72dpi, 24.31x2.93 cm, bb=0 0 689 83
\caption{Signal Flow through the five pole low pass filter}
\label{fig:blockdiagramcircuit2}
\end{figure}
\paragraph{First Order Low Pass Filter.}
\label{sec:lp}
We begin with the first order low pass filter formed by $R10$ and $C10$.
%
This configuration (or {\fg}) is very commonly
used in electronics to remove unwanted high frequencies/interference
from a signal; Here it is being used as a first stage of
a more sophisticated low pass filter.
%
R10 and C10 act as a potential divider, with the crucial difference between a purely resistive potential divider being
that the impedance of the capacitor is lower for higher frequencies.
Thus higher frequencies are attenuated at the point that we
read its output signal.
However, from a failure mode perspective we can analyse it in a very similar way
to a potential divider (see section~\ref{potdivfmmd}).
Capacitors generally fail OPEN but some types fail OPEN and SHORT.
We will consider the latter type for this analysis.
We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\
\begin{table}[h+]
\caption{FirstOrderLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firstorderlp}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\
& & \textbf{Low Pass Filter} & & \\
\hline
FS1: R10 SHORT & & $No Filtering$ & & $LPnofilter$ \\ \hline
FS2: R10 OPEN & & $No Signal$ & & $LPnosignal$ \\ \hline
FS3: C10 SHORT & & $No Signal$ & & $LPnosignal$ \\ \hline
FS4: C10 OPEN & & $No Filtering$ & & $LPnofilter$ \\ \hline
\hline
\end{tabular}
\end{table}
We can collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component
called $FirstOrderLP$. Applying the $fm$ function yields $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
\paragraph{Addition of Buffer Amplifier: First stage.}
The op-amp IC1 is being used simply as a buffer. By placing it between the next stages
on the signal path, we remove the possibility of unwanted signal feedback.
The buffer is one of the simplest op-amp configurations.
It has no other components, and so we can now form a {\fg}
from the $FirstOrderLP$ and the OP-AMP component.
\begin{table}[ht]
\caption{First Stage LP1: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firststage}
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & LP1High \\
TC2: $OPAMP$ LatchDown & Output Low & & LP1Low \\
TC3: $OPAMP$ No Operation & Output Low & & LP1Low \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & & LP1filterincorrect \\ \hline
TC5: $LPnofilter $ & No low pass filtering & & LP1filterincorrect \\
TC6: $LPnosignal $ & No input signal & & LP1nosignal \\ \hline
\hline
\hline
\end{tabular}
\end{table}
From the table~\ref{tbl:firststage} we can see three symptoms of failure of
the first stage of this circuit (i.e. R10,C10,IC1).
We can create a derived component for it, lets call it $LP1$.
$$ fm(LP1) = \{ LP1High, LP1Low, LP1filterincorrect, LP1nosignal \} $$
In terms of the circuit, we have modelled the functional groups $FirstOrderLP$, and
$LP1$. We can represent these on the circuit diagram by drawing contours around the components
on the schematic as in figure~\ref{fig:circuit2002_LP1}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/circuit2002_LP1.png}
% circuit2002_LP1.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Circuit showing functional groups modelled so far.}
\label{fig:circuit2002_LP1}
\end{figure}
\paragraph{Second order Sallen Key Low Pass Filter.}
The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
From a failure mode perspective these are identical.
We can analyse the first one and then re-use these results for the second.
\begin{table}[ht]
\caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & SKLPHigh \\
TC2: $OPAMP$ LatchDown & Output Low & & SKLPLow \\
TC3: $OPAMP$ No Operation & Output Low & & SKLPLow \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & & SKLPfilterIncorrect \\ \hline
TC5: R1 OPEN & No input signal & & SKLPfilterIncorrect \\
TC6: R1 SHORT & incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline
TC7: R2 OPEN & No input signal & & SKLPnosignal \\
TC8: R2 SHORT & incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline
TC9: C1 OPEN & reduced/incorrect low pass filtering & & SKLPfilterIncorrect\\
TC10: C1 SHORT & reduced/incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline
TC11: C2 OPEN & reduced/incorrect low pass filtering & & SKLPfilterIncorrect \\
TC12: C2 SHORT & No input signal, low signal & & SKLPnosignal \\ \hline
\hline
\hline
\end{tabular}
\label{tbl:sallenkeylp}
\end{table}
We now can create a derived component to represent the Sallen Key low pass filter, which we can call $SKLP$.
$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$
\paragraph{A failure mode model of Op-Amp Circuit 2.}
We now have {\dcs} representing the three stages of this filter
and this follows the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}).
As the signal has to pass though each block/stage
in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg}
in order to get a failure mode model for the whole circuit.
We can index the Sallen Key stages, and these are marked on the ciruit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}.
\begin{figure}[h]+
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002_FIVEPOLE.png}
% circuit2002_FIVEPOLE.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Functional Groups in Five Pole Low Pass Filter on schematic}
\label{fig:circuit2002_FIVEPOLE}
\end{figure}
\pagebreak[4]
So our final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$.
We represent the desired FMMD hierarchy in figure~\ref{fig:circuit2h}.
\begin{figure}[h]+
\centering
\includegraphics[width=300pt]{CH5_Examples/circuit2h.png}
% circuit2h.png: 676x603 pixel, 72dpi, 23.85x21.27 cm, bb=0 0 676 603
\caption{FMMD Hierarchy for five pole Low Pass Filter}
\label{fig:circuit2h}
\end{figure}
%\pagebreak[4]
%$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$
%$$ fm(LP1) = \{ LP1High, LP1Low, LP1ExtraLowPass, LP1NoLowPass \} $$
\begin{table}[ht]+
\caption{Five Pole Low Pass Filter: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l|l|l||}
\hline \hline
\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $LP1$ LP1High & signal HIGH & & HIGH \\
TC2: $LP1$ SKLPLow & signal LOW & & LOW \\
TC3: $LP1$ LP1filterIncorrect & filtering incorrect & & FilterIncorrect \\
TC4: $LP1$ LP1nosignal & no signal propagated & & NO\_SIGNAL \\ \hline
TC5: $SKLP_1$ High & signal HIGH & & HIGH \\
TC6: $SKLP_1$ Low & signal LOW & & LOW \\
TC7: $SKLP_1$ filterIncorrect & filtering incorrect & & FilterIncorrect \\
TC8: $SKLP_1$ nosignal & no signal propagated & & NO\_SIGNAL \\ \hline
TC9: $SKLP_2$ High & signal HIGH & & HIGH \\
TC10: $SKLP_2$ Low & signal LOW & & LOW \\
TC11: $SKLP_2$ filterIncorrect & filtering incorrect & & FilterIncorrect \\
TC12: $SKLP_2$ nosignal & no signal propagated & & NO\_SIGNAL \\ \hline
\hline
\hline
\end{tabular}
\label{tbl:fivepole}
\end{table}
We now can create a {\dc} to represent the circuit in figure~\ref{fig:circuit2}, we can call it
$FivePoleLP$ and applying the $fm$ function to it (see table~\ref{tbl:fivepole}) yields $fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}$.
\pagebreak[4]
The failure modes for the low pass filters are very similar, and the propogation of the signal
is simple (as it is never inverted). The circuit under analysis is -- as shown in the block diagram (see figure~\ref{fig:blockdiagramcircuit2}) --
three op-amp driven non-inverting low pass filter elements; It is not suprising therefore that they have very similar failure modes.
From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$
could be easily detected; the failure symptom $FilterIncorrect$ may be less observable.
\clearpage
\section{Op-Amp circuit 3}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit3003.png}
% circuit3003.png: 503x326 pixel, 72dpi, 17.74x11.50 cm, bb=0 0 503 326
\caption{Circuit 3}
\label{fig:circuit3}
\end{figure}
%\clearpage
%\section{Standard Non-inverting OP AMP}
This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37].
The circuit implements an oscillator using four 45 degree phase shifts, and an inverting amplifier to provide
gain and the final 180 degrees of phase shift (making a total of 360 degrees of phase shift).
From a fault finding perspective this circuit is less than ideal.
The signal path is circular (its a positive feedback circuit) and most failures would simply cause the output to stop oscillating.
%The top level failure modes for the FMMD hierarchy bear this out.
%However, FMMD is a bottom -up analysis methodology and we can therefore still identify
%{\fgs} and apply analysis from a failure mode perspective.
%
If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with
($4.4 +10.2 = 36$) failure modes. Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$.
We now create FMMD models and compare the complexity of FMMD and FMEA.
We start the FMMD process by determining {\fgs}.
We initially identify three types of functional groups, an inverting amplifier (analysed in section~\ref{fig:invamp}),
a 45 degree phase shifter (a {$10k\Omega$} resistor and a $10nF$ capacitor) and a non-inverting buffer
amplifier. We can name these $INVAMP$, $PHS45$ and $NIBUFF$ respectively.
We can use these {\fgs} to describe the circuit in block diagram form with arrows indicating the signal path, in figure~\ref{fig:bubbablock}.
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/bubba_oscillator_block_diagram.png}
% bubba_oscillator_block_diagram.png: 720x295 pixel, 72dpi, 25.40x10.41 cm, bb=0 0 720 295
\caption{Circuit 3: Functional Group Block Diagram.}
\label{fig:bubbablock}
\end{figure}
We can now analyse each of these {\fgs} and create failure mode models for them, and from these
determine {\dcs}.
\subsection{Inverting Amplifier: INVAMP}
This has been analysed in section~\ref{sec:invamp}.
The inverting amplifier, as a {\dc}, has the following failure modes:
$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$
and has a CC of 10.
\subsection{Phase shifter: PHS45}
This consists of a resistor and a capacitor. We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ --
we now need to see how these failure modes would affect the phase shifter. Note that the circuit here
is identical to the low pass filter in circuit topology (see \ref{sec:lp}), but its intended use is different.
We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}.
\begin{table}[h+]
\caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firstorderlp}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\
& & \textbf{Low Pass Filter} & & \\
\hline
FS1: R SHORT & & 90 degree's of phase shift & & $90\_phaseshift$ \\ \hline
FS2: R OPEN & & No Signal & & $nosignal$ \\ \hline
FS3: C SHORT & & Grounded,No Signal & & $nosignal$ \\ \hline
FS4: C OPEN & & 0 degree's of phase shift & & $0\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
% PHS45
$$ fm (PHS45) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$
$$ CC(PHS45) = 4.1 = 4 $$
\subsection{Non Inverting Buffer: NIBUFF.}
The non-inverting buffer functional group, is comprised of one component, an op-amp.
We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group.
% GARK
$$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
Because we obtain the failure modes for $NIBUFF$ from the literature,
its comparison complexity is zero.
$$ CC(NIBUFF) = 0 $$
%\subsection{Forming a functional group from the PHS45 and NIBUFF.}
% describe what we are doing, a buffered 45 degree phase shift element
\subsection{Bringing the functional Groups Together: FMMD model of the `Bubba' Oscillator.}
We could at this point bring all the {\dcs} together into one large functional
group (see figure~\ref{fig:poss1finalbubba})
or we could try to merge smaller stages.
Initially we use the first identified {\fgs} to create our model without further stages of refinement/hierarchy.
\subsection{FMMD Analysis using initially identified functional groups}
\begin{figure}[h+]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png}
% largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
\caption{Bubba Oscillator: One final large functional group.}
\label{fig:poss1finalbubba}
\end{figure}
\begin{table}[h+]
\caption{Bubba Oscillator: Failure Mode Effects Analysis: One Large Functional Group} % title of Table
\label{tbl:bubbalargefg}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Bubba} & & \textbf{Symptom} \\
& & \textbf{Oscillator} & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS4: $NIBUFF_1$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS5: $NIBUFF_1$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS6: $NIBUFF_1$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS7: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS8: $PHS45_2$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS9: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS10: $PHS45_2$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS11: $NIBUFF_2$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS12: $NIBUFF_2$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS13: $NIBUFF_2$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS14: $NIBUFF_2$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS15: $PHS45_3$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS16: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS17: $PHS45_3$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS18: $NIBUFF_3$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS19: $NIBUFF_3$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS20: $NIBUFF_3$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS21: $NIBUFF_3$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS22: $PHS45_4$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS23: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS24: $PHS45_4$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS25: $INVAMP$ $OUTOFRANGE$ & & signal lost & & $NO_{osc}$ \\
FS26: $INVAMP$ $ZEROOUTPUT$ & & signal lost & & $NO_{osc}$ \\
FS27: $INVAMP$ $NOGAIN$ & & signal lost & & $NO_{osc}$ \\
FS28: $INVAMP$ $LOWPASS$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS1: $CAP_{10nF}$ $OPEN$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
% FS1: $CAP_{10nF}$ $SHORT$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:bubbalargefg} we can show that for single failure modes, applying $fm$ to the bubba oscillator
returns three failure modes,
$$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}, LO_{fosc} \} . $$
For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}.
$$ CC = 28.8 = 224$$
To obtain the total comparison complexity $TCC$, we need to add the complexity from the
{\dcs} that $BubbaOscillator$ was built from.
$$ TCC = 28.8 + 4.4 + 4.0 + 10 = 250$$
%As we have re-used the analysis for BUFF45 we could even reasonably remove
%$3.4=12$ from this result, because the results from $BUFF45$ have been used four times.
Traditional FMEA would have lead us to a much higher comparison complexity
of $468$ failure modes to check against components.
The analysis here appears top-heavy; we should be able to refine the model more
and break this down into smaller functional groups, by allowing more stages of hierarchy and hopefully
this should lead a further reduction in the complexity comparison figure.
\clearpage
\subsection{FMMD Analysis using more hierarchical stages}
The example above---from the initial {\fgs}---used one very large functional group to model the circuit.
This mean a quite large comparison complexity for this final stage.
We should be able to determine smaller {\fgs} and refine the model further.
\begin{figure}[h+]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss2finalbubba.png}
% largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
\caption{Bubba Oscillator: Smaller Functional Groups, One more FMMD hierarchy stage.}
\label{fig:poss2finalbubba}
\end{figure}
%
We take the $NIBUFF$ and $PHS45$
{\dcs} into a {\fg} giving the {\dc} $BUFF45$.
$BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
and with those three, form a $PHS135BUFFERED$
functional group.
$PHS135BUFFERED$ is a {\dc} representing an actively buffered $135^{\circ}$ phase shifter.
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers always apply a $180^{\circ}$ phase shift.}, form a {\fg}
providing an amplified $225^{\circ}$ phase shift, which we can call $PHS225AMP$.
%---with the remaining $PHS45$ and the $INVAMP$ (re-used from section~\ref{sec:invamp})in a second group $PHS225AMP$---
Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see figure~\ref{fig:poss2finalbubba})
%We can take a more modular approach by creating two intermediate functional groups, a buffered $45^{\circ}$ phase shifter (BUFF45)
%we can combine three $BUFF45$'s to make
%a $135^{\circ}$ buffer phase shifter (PHS135BUFFERED).
%We can combine a $PHS45$ and a $NIBUFF$ to create
%and an amplifying $225^{\circ}$ phase shifter (PHS225AMP).
% By combining PHS225AMP and PHS135BUFFERED we can create a more modularised hierarchical
% model of the bubba oscillator.
% The proposed hierarchy is shown in figure~\ref{fig:poss2finalbubba}.
\begin{table}[h+]
\caption{BUFF45: Failure Mode Effects Analysis} % title of Table
\label{tbl:buff45}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{BUFF45} & & \textbf{Symptom} \\
& & & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $0\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $90\_phaseshift$ \\ \hline
FS4: $NIBUFF_1$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS5: $NIBUFF_1$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS6: $NIBUFF_1$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS7: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:buff45}, we can create a derived component $BUFF45$ which has the following failure modes:
$$
fm (BUFF45) = \{ 90\_phaseshift, 0\_phaseshift, NO\_signal .\}
$$
$$ CC(BUFF45) = 7.1 = 7 $$
We can now combine three $BUFF45$ {\dcs} and create a $PHS135BUFFERED$ {\dc}.
\begin{table}[h+]
\caption{PHS135BUFFERED: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs135buffered}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{PHS135 Buffered} & & \textbf{Symptom} \\
& & & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS4: $PHS45_2$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS5: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS6: $PHS45_2$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS7: $PHS45_3$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS8: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS9: $PHS45_3$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:phs135buffered}, we can create a derived component $PHS135BUFFERED$ which has the following failure modes:
$$
fm (PHS135BUFFERED) = \{ 90\_phaseshift, 180\_phaseshift, NO\_signal .\}
$$
$$ CC (PHS135BUFFERED) = 3.2 = 6 $$
The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift).
\begin{table}[h+]
\caption{PHS225AMP: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{PHS225AMP} & & \textbf{Symptom} \\
& & \textbf{Oscillator} & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $270\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS4: $INVAMP$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS5: $INVAMP$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS6: $INVAMP$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS7: $INVAMP$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:phs225amp}, we can create a derived component $PHS225AMP$ which has the following failure modes:
$$
fm (PHS225AMP) = \{ 270\_phaseshift, 180\_phaseshift, NO\_signal .\}
$$
$$ CC(PHS225AMP) = 7.1 $$
The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift).
To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together
and perform FMEA with these.
\begin{table}[h+]
\caption{BUBBAOSC: Failure Mode Effects Analysis} % title of Table
\label{tbl:bubba2}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{BUBBAOSC} & & \textbf{Symptom} \\
& & & & \\
\hline
FS1: $PHS135BUFFERED$ $180\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS2: $PHS135BUFFERED$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS3: $PHS135BUFFERED$ $90\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\ \hline
FS4: $PHS225AMP$ $270\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS5: $PHS225AMP$ $180\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\
FS6: $PHS225AMP$ $NO\_signal$ & & lost signal & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:bubba2}, we can create a derived component $BUBBAOSC$ which has the following failure modes:
$$
fm (BUBBAOSC) = \{ LO_{fosc}, HI_{osc}, NO\_signal .\}
$$
%We could trace the DAGs here and ensure that both analysis strategies worked ok.....
$$ CC(BUBBAOSC) = 6.(2-1) = 6 $$
We can now add the comparison complexities for all levels of the analysis represented in figure~\ref{fig:poss2finalbubba}.
We have at the lowest level two $PHS45$ {\dcs} giving a CC of 8 and $INVAMP$ with a CC of 10, at the next level four $BUFF45$ {\dcs} giving $(4-1).7=21$,
and penultimately $PHS135BUFFERED$ with 6 and $PHS225AMP$ with 7. The final top stage of the hierarchy, $BUBBAOSC$ has a CC of 6.
Our total comparison complexity is $58$, this contrasts with $468$ for traditional `flat' FMEA,
and $250$ for our first stage functional groups analysis.
This has meant a drastic reduction in the number of failure-modes to check against components.
It has also given us five {\dcs}, building blocks, which may be re-used for similar circuitry
to analyse in the future.
\subsection{Comparing both approaches}
In general with large functional groups the comparison complexity
is higher, by an order of $O(N^2)$.
Smaller functional groups mean less by-hand checks are required.
It also means a more finely grained model. This means that
there are more {\dcs} and this increases the possibility of re-use.
The more we can modularise, the more we decimate the $O(N^2)$ effect
of complexity comparison.
\section{Sigma Delta Analogue to Digital Converter.} %($\Sigma \Delta ADC$)}
The following example is used to demonstrate FMMD analysis of a mixed analogue and digital circuit (see figure~\ref{fig:sigmadelta}).
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./CH5_Examples/circuit4004.png}
% circuit4004.png: 562x389 pixel, 72dpi, 19.83x13.72 cm, bb=0 0 562 389
\caption{Sigma Delta Analogue to Digital Converter}
\label{fig:sigmadelta}
\end{figure}
\nocite{f77}
\nocite{sccs}
\nocite{electronicssysapproach}
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./CH5_Examples/sigma_delta_block.png}
% sigma_delta_block.png: 828x367 pixel, 72dpi, 29.21x12.95 cm, bb=0 0 828 367
\caption{Sigma Delta ADC signal path}
\label{fig:sigmadeltablock}
\end{figure}
\paragraph{How the circuit works.}
The diagram in~\ref{fig:sigmadeltablock} shows the signal path used
by this configuration for a \sd.
%
It works by placing the analogue voltage to be read into
a mixed analogue and digital feedback circuit.
%
A summing junction and integrator is used to compare the negative feedback
signal with the input.
%
The output of the integrator is digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic)
which acts as a comparator, and fed to the D type flip flop.
%
The output of the flip flop forms a bit pattern representing the value
of the input voltage.
%
The output of the flip flop, is now level converted to an analogue signal
(i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage)
and fed into the summing integrator completing the negative feedback loop.
\subsection{FMMD analysis of \sd }
The partslist for the \sd :
$$\{ IC1, IC2, IC3, IC4, R1, R2, R3, R4, C1 \} $$.
IC1,2 and 3 are all Op-amps and we have failure modes from section~\ref{sec:opampfm}.
$$ fm(OPAMP) = \{ HIGH, LOW, NOOP, LOW\_SLEW \} $$
We examine the literature for a failure model for the D-type flip flop~\cite{fmd91}[3-105], the CD4013B~\cite{cd4013Bds},
and obtain its failure modes, which we can express using the $fm$ function:
$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
The resistors and capacitor failure modes we take from EN298~\cite{en298}[An.A]
$$ fm ( R ) = \{OPEN, SHORT\} $$
$$ fm ( C ) = \{OPEN, SHORT\} $$
\subsection{Identifying initial {\fgs}}
\subsubsection{Summing Junction}
We now need to choose {\fgs}. The signal path is circular, but we can start
with the input voltage, which is applied via $R2$, we term this voltage $V_{in}$.
%
The feedback voltage for the ADC is supplied via $R1$, we term this voltage as $V_{fb}$.
%The input voltage is supplied via $R2$ and we term this voltage as $V_{in}$.
$R2$ and $R1$ form a summing junction to IC1: they thus work to fulfil this specific function.
This can be our first {\fg} and we analyse it in table~\ref{tbl:suml=j}.
%For the symptoms, we have to think in terms of the effect
%on its performance as a summing junction and not be
%distracted by the integrator formed by $C_1$ and $IC1$.
$$G^0_1 = \{R1, R2 \}$$
\begin{table}[h+]
\caption{R1,R2 Summing Junction: Failure Mode Effects Analysis} % title of Table
\label{tbl:sumj}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{failure result} & & \textbf{Symptom} \\
& & & & \\
\hline\hline
FS1: $R1$ $OPEN$ & & $V_{in}$ dominates input & & $V_{in} DOM$ \\
FS2: $R1$ $SHORT$ & & $V_{fb}$ dominates input & & $V_{fb} DOM$ \\ \hline
FS3: $R2$ $OPEN$ & & $V_{fb}$ dominates input & & $V_{fb} DOM$ \\
FS4: $R2$ $SHORT$ & & $V_{in}$ dominates input & & $V_{in} DOM$ \\ \hline
\hline
\end{tabular}
\end{table}
From the analysis in table~\ref{tbl:sumj} we collect symptoms.
We can create the derived component
$SUMJ$.% which has the failure modes from collecting its symptoms.
We now state:
$$ fm(SUMJ) = \{ V_{in} DOM, V_{fb} DOM \} .$$
\subsubsection{Buffered Integrator}
Following the signal path, the next functional group is the integrator.
%
This integrator is formed by placing $C1$ in the negative feedback loop of $IC2$\cite{aoe}[p.222].
The output of the integrator is fed into IC2, which acts as a buffer,
%performing the function of
isolating the integrator from any load on its output.
These three components work together to form a buffered integrator,
and nicely form a {\fg}.
$$G^0_2 = \{IC1, C1, IC2\}.$$
The buffered integrator is analysed in table~\ref{tbl:intg}.
\begin{table}[h+]
\caption{IC1,C1,IC2 Buffered Integrator: Failure Mode Effects Analysis} % title of Table
\label{tbl:intg}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
& & & & \\
\hline \hline
FS1: $IC1$ $HIGH$ & & output perm. high & & HIGH \\
FS2: $IC1$ $LOW$ & & output perm. low & & LOW \\ \hline
FS3: $IC1$ $NOOP$ & & no current to drive C1 & & NO\_INTEGRATION \\
FS4: $IC1$ $LOW\_SLEW$ & & signal delay to C1 & & NO\_INTEGRATION \\ \hline
FS3: $C1$ $OPEN$ & & no capacitance & & NO\_INTEGRATION \\
FS4: $C1$ $SHORT$ & & no capacitance & & NO\_INTEGRATION \\ \hline
\hline
FS1: $IC2$ $HIGH$ & & output perm. high & & HIGH \\
FS2: $IC2$ $LOW$ & & output perm. low & & LOW \\ \hline
FS3: $IC2$ $NOOP$ & & no current drive & & LOW \\
FS4: $IC2$ $LOW\_SLEW$ & & delayed signal & & LOW\_SLEW \\ \hline
\hline
\end{tabular}
\end{table}
From the analysis in table~\ref{tbl:intg}, we can now create a derived component
$BFINT$ which has the failure modes from collecting symptoms from the analysis in table~\ref{tbl:intg}.
We can state
$$ fm (BFINT) = \{ HIGH, LOW, NO\_INTEGRATION , LOW\_SLEW \} $$
\subsubsection{Digital level to analogue level conversion ($DL2AL$).}
Digital level to analogue level conversion is performed by IC3 in conjunction with a potential divider formed by R3,R4.
The potential divider provides a mid rail reference voltage
to the inverting input of IC3.
\paragraph{Potential divider Formed by R3,R4.}
We re-use the analysis from table~\ref{tbl:pdfmea}, and used the derived component $PD$
to represent the potential divider formed by R3 and R4. Because PD is a derived component, we can denote this
by super-scripting it with its abstraction level of 1, thus $PD^1$.
$$
fm(PD^1) = \{ HIGH, LOW \}.
$$
IC3 is an op-amp and has the failure modes
$$fm(IC3) = \{\{ HIGH, LOW, NOOP, LOW\_SLEW \} . $$
The digital signal is supplied to the non-inverting input.
The output is a voltage level in the analogue domain $-V$ or $+V$.
We now form a {\fg} from $PD^1$ and $IC3$.
$$ G^1_0 = \{ PD^1, IC3 \} $$
We now analyse the {\fg} $G^1$ in table~\ref{tbl:DS2AS}.
%$$ fm (BFINT) = \{ HIGH, LOW, NO\_INTEGRATION , LOW\_SLEW \} $$
\begin{table}[h+]
\caption{$PD^1, IC3$ Digital level to analogue level converter: Failure Mode Effects Analysis} % title of Table
\label{tbl:DS2AS}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
& & & & \\
\hline \hline
FS1: $PD^1$ $HIGH$ & & output perm. low & & LOW \\
FS2: $PD^1$ $LOW$ & & output perm. low & & HIGH \\ \hline
\hline
FS3: $IC3$ $HIGH$ & & output perm. high & & HIGH \\
FS4: $IC3$ $LOW$ & & output perm. low & & LOW \\ \hline
FS5: $IC3$ $NOOP$ & & no current drive & & LOW \\
FS6: $IC3$ $LOW\_SLEW$ & & delayed signal & & LOW\_SLEW \\ \hline
\hline
\end{tabular}
\end{table}
We collect the symptoms of failure $\{ LOW, HIGH, LOW\_SLEW \}$.
We can now derive a new component to represent the level conversion and call it $DL2AL$.
$$ DL2AL^2 = D(G^1_0) $$
$$ fm (DL2AL^2) = \{ LOW, HIGH, LOW\_SLEW \} $$
% \subsubsection{digital clocked memory (flip-flop).}
%
% This is a single component as a {\fg}, and we can state
% $$ fm (DCM) = \{ HIGH, LOW, NOOP \} $$
\subsection{First {\fgs} analysed}
We have analysed the initial {\fgs} and can now take stock of the situation
and see what is now required. Figure~\ref{fig:sigdel1} shows how far the
hierarchy has been built.
\begin{figure}[h+]
\centering
\includegraphics[width=400pt]{./CH5_Examples/sigdel1.png}
% sigdel1.png: 766x618 pixel, 72dpi, 27.02x21.80 cm, bb=0 0 766 618
\caption{First stage of FMMD analysis: Sigma delta Converter}
\label{fig:sigdel1}
\end{figure}
IC4 is as yet unused, the signal path connects IC4 and DL2AL. These seem natural candidates
for the next {\fg}.
BFINT and SUMJ are adjacent in the signal path and these are chosen as a {\fg} as well.
\clearpage
\subsubsection{{\fg} $BFINT^1$ and $SUMJ^1$}
We now form a {\fg} with the two derived components $BFINT^1$ and $SUMJ^1$.
This forms a buffered integrating summing junction which we analyse in table~\ref{tbl:BISJ}.
$$ G^1_0 = \{ BFINT^1, SUMJ^1 \} $$
%$$ fm (BFINT) = \{ HIGH, LOW, NO\_INTEGRATION , LOW\_SLEW \} $$
%$$ fm(SUMJ) = \{ V_{in} DOM, V_{fb} DOM \} .$$
\begin{table}[h+]
\caption{ $BFINT^1, SUMJ^1$ buffered integrating summing junction: Failure Mode Effects Analysis} % title of Table
\label{tbl:DS2AS}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
& & & & \\
\hline \hline
FS1: $SUMJ^1$ $V_{in} DOM$ & & output integral of $V_{in}$ & & $OUTPUT STUCK$ \\
FS2: $SUMJ^1$ $V_{fb} DOM$ & & output integral of $V_{fb}$ & & $OUTPUT STUCK$ \\ \hline
%\hline
FS3: $BFINT^1$ $HIGH$ & & output perm. high & & $OUTPUT STUCK$ \\
FS4: $BFINT^1$ $LOW$ & & output perm. low & & $OUTPUT STUCK$ \\ \hline
FS5: $BFINT^1$ $ NO\_INTEGRATION$ & & no current drive & & $OUTPUT STUCK$ \\
FS6: $BFINT^1$ $LOW\_SLEW$ & & delayed signal & & $REDUCED\_INTEGRATION$ \\ \hline
\hline
\end{tabular}
\end{table}
We now collect symptoms $\{ OUTPUT STUCK , REDUCED\_INTEGRATION \}$, and create a {\dc}
called $BISJ^2$.
\subsubsection{{\fg} $IC4$ and $DL2AL$}
%$$ fm (DL2AL^2) = \{ LOW, HIGH, LOW\_SLEW \} $$
%$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
The functional group formed by $IC4$ and $DL2AL$ takes the flip flop clocked and buffered
value, and outputs it at analogue voltage levels for the summing junction.
$ G^2_1 = \{ IC4^0, DL2AL^2 \} $
We analyse the buffered flip flop circuitry in table~\ref{tbl:FFB}.
\begin{table}[h+]
\caption{ $IC4^0,DL2AL^2$ flip flop buffered: Failure Mode Effects Analysis} % title of Table
\label{tbl:FFB}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
& & & & \\
\hline \hline
FS1: $IC4^0$ $HIGH$ & & output stuck high & & $OUTPUT STUCK$ \\
FS2: $IC4^0$ $LOW$ & & output stuck low & & $OUTPUT STUCK$ \\
FS3: $IC4^0$ $NOOP$ & & output stuck low & & $OUTPUT STUCK$ \\ \hline
%\hline
FS4: $DL2AL^2$ $LOW$ & & output perm. high & & $OUTPUT STUCK$ \\
FS5: $DL2AL^2$ $HIGH$ & & output perm. low & & $OUTPUT STUCK$ \\ \hline
FS6: $DL2AL^2$ $LOW\_SLEW$ & & no current drive & & $LOW\_SLEW$ \\
\hline
\end{tabular}
\end{table}
We now collect symptoms $\{OUTPUT STUCK, LOW\_SLEW\}$ and create a {\dc} at the third level of symptom abstraction
called $FFB^3$.
\subsection{Final, top level {\fg} for sigma delta Converter}
We now have two {\dcs}, $FFB^3$ and $BISJ^2$: we form a final functional group with these:
$$ G^3_0 = \{ FFB^3, BISJ^2 \} .$$
We analyse the buffered {\sd} circuit in table~\ref{tbl:FFB}.
%
% FFB^3 $\{OUTPUT STUCK, LOW\_SLEW\}$
% BISJ^2 $\{ OUTPUT STUCK , REDUCED\_INTEGRATION \}$
%
\begin{table}[h+]
\caption{ $FFB^3, BISJ^2$ \sd : Failure Mode Effects Analysis} % title of Table
\label{tbl:sd}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
& & & & \\
\hline \hline
FS1: $FFB^3$ $OUTPUT STUCK$ & & value max high or low & & $OUTPUT\_OUT\_OF\_RANGE$ \\
FS2: $FFB^3$ $LOW\_SLEW$ & & values will appear larger & & $OUTPUT\_INCORRECT$ \\
% FS3: $IC4^0$ $NOOP$ & & output stuck low & & $OUTPUT STUCK$ \\ \hline
%\hline
FS3: $BISJ^2$ $OUTPUT STUCK$ & & value max high or low & & $OUTPUT\_OUT\_OF\_RANGE$ \\
FS4: $BISJ^2$ $REDUCED\_INTEGRATION$ & & values will appear larger & & $OUTPUT\_INCORRECT$ \\ \hline
\hline
\end{tabular}
\end{table}
%\clearpage
We now collect the symptoms for the \sd $ \;
\{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$.
We can now create a {\dc} to represent the analogue to digital converter, $SADC^4$.
$$fm(SADC^4) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$
We now show the final hierarchy in figure~\ref{fig:sdadc}.
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/sdadc.png}
% sdadc.png: 886x1134 pixel, 72dpi, 31.26x40.01 cm, bb=0 0 886 1134
\caption{FMMD Analysis hierarchy for the {\sd}}
\label{fig:sdadc}
\end{figure}
\clearpage
% ]
% into
%
% A summing integrator
% adds the voltage input to the feedback signal.
% The digital circuitry tries to
% apply a voltage to the integrator that will
% produce a zero output... doh this is difficult to describe.
% %
% The input voltage is summed with the feedback from the circuit
% and is fed into a comparator (IC2) that will output a plus or minus.
% This is fed into the input (D) of a DQ flip flop.
% This digitally buffers the output from the comparator.
% The output from the from the DQ flkip flop is a digital representation
% of the input voltage.
% The output from the DQ is sent to the digital comparator formed by R3,R4
% and IC3.
% The output from this is sent to the summing integrator as the signal summed with the input.
% The resistors R1, R2 form a summing junction
% to the negative input of IC1.
% Using the earlier definition for resistor failure modes,
% $fm(R)= \{OPEN, SHORT\}$, we analyse the summing junction
% in table~\ref{tbl:sumjunct} below.
%
% \begin{table}[h+]
% \caption{Summing Junction: Failure Mode Effects Analysis: Single Faults} % title of Table
% \label{tbl:sumjunct}
%
% \begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Summing} & & \textbf{Symptom} \\
% & & \textbf{Junction} & & \\
% \hline
% FS1: R1 SHORT & & R1 input dominates & & $R1\_IN\_DOM$ \\ \hline
% FS2: R1 OPEN & & R2 input dominates & & $R2\_IN\_DOM$ \\ \hline
% FS3: R2 SHORT & & R2 input dominates & & $R2\_IN\_DOM$ \\ \hline
% FS4: R2 OPEN & & R1 input dominates & & $R1\_IN\_DOM$ \\ \hline
%
% \hline
%
% \end{tabular}
% \end{table}
% % PHS45
%
% This summing junction fails with two symptoms. We create a {\dc} called $SUMJUNCT$ and we can state,
% $$fm(SUMJUNCT) = \{ R1\_IN\_DOM, R2\_IN\_DOM \} $$.
%The D type flip flop
%\subsection{FMMD Process applied to $\Sigma \Delta $ADC}.
%T%he block diagram in figure~\ref{fig
\clearpage
\section{Pt100 Analysis: Double failures and MTTF statistics}
\label{sec:Pt100}
{
This section
% shows a practical example of
% one `symptom~abstraction' stage in the FMMD process.
% We take a functional group of base components,
% and using their failure modes, analyse the circuit
% to find failure symptoms.
% These failure symptoms are used to define
% a derived component.
%
demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows
how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms.
For this example we look at an industry standard temperature measurement circuit,
the Pt100.
The circuit is described and then analysed using the FMMD methodology.
%A derived component, representing this circuit is then presented.
The Pt100, or platinum wire \ohms{100} sensor is
a widely used industrial temperature sensor that is
slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
This section looks at the most common configuration, the
four wire circuit, and analyses it from an FMEA perspective twice.
Once considering single faults (cardinality constrained powerset of 1) and then again, considering the
possibility of double faults (cardinality constrained powerset of 2).
\ifthenelse {\boolean{pld}}
{
The section is performed using Propositional Logic
diagrams to assist the reasoning process.
}
{
}
This chapter describes taking
the failure modes of the components, analysing the circuit using FMEA
and producing a failure mode model for the circuit as a whole.
Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed
from an FMEA perspective as a component itself, with a set of known failure modes.
}
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 four wire circuit}
\label{fig:Pt100}
\end{figure}
\subsection{General Description of Pt100 four wire circuit}
The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two.
By measuring voltages
from sections of this circuit forming potential dividers, we can determine the
resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 expected voltage ranges}
\label{fig:Pt100vrange}
\end{figure}
The voltage ranges we expect from this three stage potential divider\footnote{
two stages are required for validation, a third stage is used to measure the current flowing
through the circuit to obtain accurate temperature readings}
are shown in figure \ref{fig:Pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be referred to as {\em sense-}
and the higher as {\em sense+}.
\paragraph{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables. Resistance from the supply
causes a slight voltage
drop in the supply to the $Pt100$. As no significant current
is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
the thermistor and not the voltage across the thermistor and current supply wire resistance.}.
\paragraph{Calculating Temperature from the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the $Pt100$, we can calculate its
resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published $Pt100$ tables\cite{eurothermtables}.
The standard voltage divider equations (see figure \ref{fig:vd} and
equation \ref{eqn:vd}) can be used to calculate
expected voltages for failure mode and temperature reading purposes.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the $Pt100$ four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distinct ways.
Studies have been published which list common component types
and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}.
Thus for each component, an analysis is made for each of its failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\fmodegloss
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\label{fmea}
The PTt00 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires.
Resistors %according to the European Standard EN298:2003~\cite{en298}[App.A]
, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone
in the diagram we can consider this a fault.
Should the reading be above its expected range this is a `High Fault'
and if below a `Low Fault'.
Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range {0\oc} to {300\oc} will be analysed using potential divider equations to
determine out of range voltage limits in section \ref{ptbounds}.
\begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{Pt100range}
and \ref{Pt100temp}.
%\paragraph{Consideration of Resistor Tolerance}
%
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not
%altered due to having to pass any significant current.
%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
%One or other of the load resistors (the one we measure current over) should also
%be of this accuracy.
%
%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient
%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to
%a narrow temperature range anyway, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}}
%To calculate the resistance of the Pt100 element % (and thus derive its temperature),
%having the voltage over it, we now need the current.
%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop.
%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables).
%We can calculate the current by reading
%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.}
%As these calculations are performed by ohms law, which is linear, the accuracy of the reading
%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
%take the mean square error of these accuracy figures.
\paragraph{Range and $Pt100$ Calculations}
\label{Pt100temp}
$Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm Pt100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
Pt100 FMEA analysis in section \ref{fmea}.
As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$
\begin{table}[ht]
\caption{Pt100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{Pt100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
\paragraph{Consideration of Resistor Tolerance.}
%
The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by to having to pass any significant current. The current is supplied
by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative.
%
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one we measure current over) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
accuracy of $\pm 1\%$. Higher accuracy parts may be specified}
%
The \ohms{2k2} loading resistors should have a good temperature co-effecient
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop.
%
Lets use, for the sake of example $R_2$ to measure the current.
%
We can calculate the current $I$, by reading
the voltage over the known resistor $R_2$ and using ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use ohms law again to calculate
the resistance of $R_3$.
%
As ohms law is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
take the mean square error of these accuracy figures~\cite{easp}.
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\ifthenelse{\boolean{pld}}
{
\paragraph{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram.
Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only
and are thus enclosed by one contour each.
\fmodegloss
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc}
\end{figure}
} % \ifthenelse {\boolean{pld}}
%ating input Fault
This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.
\paragraph{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subparagraph{ TC 1 : Voltages $R_1$ SHORT }
With Pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 3 : Voltages $R_2$ SHORT }
With Pt100 at 0\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 4 : Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range.
\paragraph{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\paragraph{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in Table \ref{ptfmea}. The PLD diagram, can now be used to collect the
symptoms. In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
A spider can be drawn on the PLD diagram to this effect.
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds we can be confident that none of the
resistors in this circuit has failed.
\ifthenelse{\boolean{pld}}
{
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc_sp}
\end{figure}
}
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a
fault condition is very good with this circuit.This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:Pt100_singlef}
\end{figure}
}
%From the single faults (cardinality constrained powerset of 1) analysis, we can now create
%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \}
%as its single failure mode.
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ???
%\clearpage
\subsection{Mean Time to Failure}
Now that we have a model for the failure mode behaviour of the Pt100 circuit
we can look at the statistics associated with each of the failure modes.
The DOD electronic reliability of components
document MIL-HDBK-217F\cite{mil1991} gives formulae for calculating
the
%$\frac{failures}{{10}^6}$
${failures}/{{10}^6}$ % looks better
in hours for a wide range of generic components
\footnote{These figures are based on components from the 1980's and MIL-HDBK-217F
can give conservative reliability figures when applied to
modern components}.
Using the MIL-HDBK-217F\cite{mil1991} specifications for resistor and thermistor
failure statistics we calculate the reliability of this circuit.
\paragraph{Resistor FIT Calculations}
The formula for given in MIL-HDBK-217F\cite{mil1991}[9.2] for a generic fixed film non-power resistor
is reproduced in equation \ref{resistorfit}. The meanings
and values assigned to its co-efficients are described in table \ref{tab:resistor}.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\fmodegloss
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
\label{resistorfit}
\end{equation}
\begin{table}[ht]
\caption{Fixed film resistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\em{Parameter} & \em{Value} & \em{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.00092 & stress/temp base failure rate $60^o$ C \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:resistor}
\end{table}
Applying equation \ref{resistorfit} with the parameters from table \ref{tab:resistor}
give the following failures in ${10}^6$ hours:
\begin{equation}
0.00092 \times 1.0 \times 15.0 \times 1.0 = 0.0138 \;{failures}/{{10}^{6} Hours}
\label{eqn:resistor}
\end{equation}
While MIL-HDBK-217F gives MTTF for a wide range of common components,
it does not specify how the components will fail (in this case OPEN or SHORT). {Some standards, notably EN298 only consider resistors failing in OPEN mode}.
%FMD-97 gives 27\% OPEN and 3\% SHORTED, for resistors under certain electrical and environmental stresses.
% FMD-91 gives parameter change as a third failure mode, luvvverly 08FEB2011
This example
compromises and uses a 90:10 ratio, for resistor failure.
Thus for this example resistors are expected to fail OPEN in 90\% of cases and SHORTED
in the other 10\%.
A standard fixed film resistor, for use in a benign environment, non military spec at
temperatures up to {60\oc} is given a probability of 13.8 failures per billion ($10^9$)
hours of operation (see equation \ref{eqn:resistor}).
This figure is referred to as a FIT\footnote{FIT values are measured as the number of
failures per Billion (${10}^9$) hours of operation, (roughly 114,000 years). The smaller the
FIT number the more reliable the fault~mode} Failure in time.
The formula given for a thermistor in MIL-HDBK-217F\cite{mil1991}[9.8] is reproduced in
equation \ref{thermistorfit}. The variable meanings and values are described in table \ref{tab:thermistor}.
\begin{equation}
% fixed comp resistor{\lambda}_p = {\lambda}_{b}{\pi}_{R}{\pi}_Q{\pi}_E
resistor{\lambda}_p = {\lambda}_{b}{\pi}_Q{\pi}_E
\label{thermistorfit}
\end{equation}
\begin{table}[ht]
\caption{Bead type Thermistor Failure in time assessment} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|l||}
\hline \hline
\em{Parameter} & \em{Value} & \em{Comments} \\
& & \\ \hline \hline
${\lambda}_{b}$ & 0.021 & stress/temp base failure rate bead thermistor \\ \hline
%${\pi}_T$ & 4.2 & max temp of $60^o$ C\\ \hline
%${\pi}_R$ & 1.0 & Resistance range $< 0.1M\Omega$\\ \hline
${\pi}_Q$ & 15.0 & Non-Mil spec component\\ \hline
${\pi}_E$ & 1.0 & benign ground environment\\ \hline
\hline \hline
\end{tabular}
\label{tab:thermistor}
\end{table}
\begin{equation}
0.021 \times 1.0 \times 15.0 \times 1.0 = 0.315 \; {failures}/{{10}^{6} Hours}
\label{eqn:thermistor}
\end{equation}
Thus thermistor, bead type, `non~military~spec' is given a FIT of 315.0
Using the RIAC finding we can draw up the following table (table \ref{tab:stat_single}),
showing the FIT values for all faults considered.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period.}}
\begin{table}[h+]
\caption{Pt100 FMEA Single // Fault Statistics} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{MTTF} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{per $10^9$ hours of operation} \\
% R & wire & res + & res - & description
\hline
\hline
TC:1 $R_1$ SHORT & High Fault & - & 1.38 \\ \hline
TC:2 $R_1$ OPEN & Low Fault & Low Fault & 12.42\\ \hline
\hline
TC:3 $R_3$ SHORT & Low Fault & High Fault & 31.5 \\ \hline
TC:4 $R_3$ OPEN & High Fault & Low Fault & 283.5 \\ \hline
\hline
TC:5 $R_2$ SHORT & - & Low Fault & 1.38 \\
TC:6 $R_2$ OPEN & High Fault & High Fault & 12.42 \\ \hline
\hline
\end{tabular}
\label{tab:stat_single}
\end{table}
The FIT for the circuit as a whole is the sum of MTTF values for all the
test cases. The Pt100 circuit here has a FIT of 342.6. This is a MTTF of
about 360 years per circuit.
A probabilistic tree can now be drawn, with a FIT value for the Pt100
circuit and FIT values for all the component fault modes from which it was calculated.
We can see from this that the most likely fault is the thermistor going OPEN.
This circuit is around 10 times more likely to fail in this way than in any other.
Were we to need a more reliable temperature sensor, this would probably
be the fault~mode we would scrutinise first.
\begin{figure}[h+]
\centering
\includegraphics[width=400pt,bb=0 0 856 327,keepaspectratio=true]{./CH5_Examples/stat_single.png}
% stat_single.jpg: 856x327 pixel, 72dpi, 30.20x11.54 cm, bb=0 0 856 327
\caption{Probablistic Fault Tree : Pt100 Single Faults}
\label{fig:stat_single}
\end{figure}
The Pt100 analysis presents a simple result for single faults.
The next analysis phase looks at how the circuit will behave under double simultaneous failure
conditions.
%\clearpage
\section{ Pt100 Double Simultaneous Fault Analysis}
In this section we examine the failure mode behaviour for all single
faults and double simultaneous faults.
This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of
the failure modes in the functional group.
All the single faults have already been proved in the last section.
For the next set of test cases, let us again hypothesise
the failure modes, and then examine each one in detail with
potential divider equation proofs.
Table \ref{tab:ptfmea2} lists all the combinations of double
faults and then hypothesises how the functional~group will react
under those conditions.
\begin{table}[ht]
\caption{Pt100 FMEA Double Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|l|c|c|l|l||}
\hline \hline
\textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline
TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline
TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline
\hline
TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline
\hline
TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline
TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline
TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline
\hline
\end{tabular}
\label{tab:ptfmea2}
\end{table}
\subsection{Verifying complete coverage for a cardinality constrained powerset of 2}
\fmodegloss
It is important to check that we have covered all possible double fault combinations.
We can use the equation \ref{eqn:correctedccps2}
\ifthenelse {\boolean{paper}}
{
from the definitions paper
\ref{pap:compdef}
,
reproduced below to verify this.
\indent{
where:
\begin{itemize}
\item The set $SU$ represents the components in the functional~group, where all components are guaranteed to have unitary state failure modes.
\item The indexed set $C_j$ represents all components in set $SU$.
\item The function $FM$ takes a component as an argument and returns its set of failure modes.
\item $cc$ is the cardinality constraint, here 2 as we are interested in double and single faults.
\end{itemize}
}
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{k}_{1..cc} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
\label{eqn:correctedccps2}
\end{equation}
}
{
\begin{equation}
|{\mathcal{P}_{cc}SU}| = {\sum^{cc}_{k=1} \frac{|{SU}|!}{k!(|{SU}| - k)!}}
- {{\sum^{j}_{j \in J} \frac{|FM({C_j})|!}{2!(|FM({C_j})| - 2)!}} }
%\label{eqn:correctedccps2}
\end{equation}
}
$|FM(C_j)|$ will always be 2 here, as all the components are resistors and have two failure modes.
%
% Factorial of zero is one ! You can only arrange an empty set one way !
Populating this equation with $|SU| = 6$ and $|FM(C_j)|$ = 2.
%is always 2 for this circuit, as all the components are resistors and have two failure modes.
\begin{equation}
|{\mathcal{P}_{2}SU}| = {\sum^{k}_{1..2} \frac{6!}{k!(6 - k)!}}
- {{\sum^{j}_{1..3} \frac{2!}{p!(2 - p)!}} }
%\label{eqn:correctedccps2}
\end{equation}
$|{\mathcal{P}_{2}SU}|$ is the number of valid combinations of faults to check
under the conditions of unitary state failure modes for the components (a resistor cannot fail by being shorted and open at the same time).
Expanding the sumations
$$ NoOfTestCasesToCheck = \frac{6!}{1!(6-1)!} + \frac{6!}{2!(6-2)!} - \Big( \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} + \frac{2!}{2!(2 - 2)!} \Big) $$
$$ NoOfTestCasesToCheck = 6 + 15 - ( 1 + 1 + 1 ) = 18 $$
As the test case are all different and are of the correct cardinalities (6 single faults and (15-3) double)
we can be confident that we have looked at all `double combinations' of the possible faults
in the Pt100 circuit. The next task is to investigate
these test cases in more detail to prove the failure mode hypothesis set out in table \ref{tab:ptfmea2}.
\paragraph{Proof of Double Faults Hypothesis }
\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN }
\label{Pt100:bothfloating}
This double fault mode produces an interesting symptom.
Both sense lines are floating.
We cannot know what the {\adctw} readings on them will be.
%
In practise these would probably float to low values
but for the purpose of a safety critical analysis
all we can say is the values are `floating' and `unknown'.
This is an interesting case, because it is, at this stage an undetectable
fault that must be handled.
\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT }
This cuts the supply from Vcc. Both sense lines will be at zero.
Thus both values will be out of range.
\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN }
Sense- will be floating.
Sense+ will be tied to Vcc and will thus be out of range.
\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT }
This shorts ground to
both of the sense lines.
Both values will be out of range.
\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN }
This shorts both sense lines to Vcc.
Both values will be out of range.
\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN }
This shorts the sense+ to Vcc and causes sense- to float.
The sense+ value will be out of range.
\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN }
This shorts the sense- to Ground.
The sense- value will be out of range.
\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
%\clearpage
\ifthenelse{\boolean{pld}}
{
\subsection{Double Faults Represented on a PLD Diagram}
We can show the test cases on a diagram with the double faults residing on regions
corresponding to overlapping contours see figure \ref{fig:plddouble}.
Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddouble}
\end{figure}
We use equation \ref{eqn:correctedccps2} to verify complete coverage for
a given cardinality constraint is not visually obvious.
%
From the diagram it is easy to verify
the number of failure modes considered for each test case, but
not that all for a given cardinality constraint have been included.
}
{
}
\paragraph{Symptom Extraction}
We can now examine the results of the test case analysis and apply symptom abstraction.
In all the test case results we have at least one out of range value, except for
$TC\_7$
which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$,
into the symptom $OUT\_OF\_RANGE$.
As a symptom $TC\_7$ could be described as $FLOATING$.
\ifthenelse{\boolean{pld}}
{
We can thus draw a PLD diagram representing the
failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures,
in figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddoublesymptom}
\end{figure}
} %% \ifthenelse {\boolean{pld}}
{
}
%\clearpage
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes,
{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}.
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Double Faults Analysis}
\label{fig:Pt100_doublef}
\end{figure}
} % \ifthenelse {\boolean{pld}}
{
}
\subsection{Statistics}
%%
%% Need to talk abou the `detection time'
%% or `Safety Relevant Validation Time' ref can book
%% EN61508 gives detection calculations to reduce
%% statistical impacts of failures.
%%
If we consider the failure modes to be statistically independent we can calculate
the FIT values for all the failures. The failure mode of concern, the undetectable {\textbf{FLOATING}} condition
requires that resistors $R_1$ and $R_2$ fail. We can multiply the MTTF
together and find an MTTF for both failing. The FIT value of 12.42 corresponds to
$12.42 \times {10}^{-9}$ failures per hour. Squaring this gives $ 154.3 \times {10}^{-18} $.
This is an astronomically small MTTF, and so small that it would
probably fall below a threshold to sensibly consider.
However, it is very interesting from a failure analysis perspective,
because here we have found a fault that we cannot detect at this
level. This means that should we wish to cope with
this fault, we need to devise a way of detecting this
condition in higher levels of the system.
\glossary{name={FIT}, description={Failure in Time (FIT). The number of times a particular failure is expected to occur in a $10^{9}$ hour time period. Associated with continuous demand systems under EN61508~\cite{en61508}}}
\section{Applying FMMD to Software}
\label{sec:elecsw}
FMMD can be applied to software, and thus we can build complete failure models
of typical modern safety critical systems.
With modular FMEA i.e. FMMD %(FMMD)
we have the concepts of failure~modes
of components, {\fgs} and symptoms of failure for a functional group.
A programmatic function has similarities with a {\fg} as defined by the FMMD process.
%
An FMMD {\fg} is placed into a hierarchy.
A Software function is placed into a hierarchy, that of its call-tree.
A software function typically calls other functions and uses data sources via hardware interaction, which could be viewed as its `components'.
It has outputs, i.e. it can perform actions
on data or hardware
which will be used by functions that may call it.
We can map a software function to a {\fg} in FMMD. Its failure modes
are the failure modes of the software components (other functions it calls)
and the hardware its reads values from.
Its outputs are the data it changes, or the hardware actions it performs.
%%
%% Talk about how software specification will often say how hardware
%% will react and how to interpret readings---but they do not
%% always cover the failure modes of the hardware being interfaced too.
When we have analysed a software function---using failure conditions
of its inputs as failure modes---we can
determine its symptoms of failure (i.e. how calling functions will see its failure mode behaviour).
We can thus apply the $\derivec$ process to software functions, by viewing them in terms of their failure
mode behaviour. To simplify things as well, software already fits into a hierarchy.
For Electronics and Mechanical systems, although we may be guided by the original designers
concepts of modularity and sub-systems in design, applying FMMD means deciding on the members for {\fgs}
and the subsequent hierarchy. With software already written, that hierarchy is fixed.
% map the FMMD concepts of {\fms}, {\fgs} and {\dcs}
%to software functions.
%
%However, we need to map a the FMMD concepts of {\fms}, {\fgs} and {\dcs}
%to software functions.
% failure modes of a function in order to
%map FMMD to software.
% map the FMMD concepts of {\fms}, {\fgs} and {\dcs}
%to software functions.
%
%However, we need to map a the FMMD concepts of {\fms}, {\fgs} and {\dcs}
%to software functions.
% failure modes of a function in order to
%map FMMD to software.
\subsection{Software, a natural hierarchy}
Software written for safety critical systems is usually constrained to
be modular~\cite{en61508}[3] and non recursive~\cite{misra}[15.2]. %{iec61511}.
Because of this we can assume a direct call tree. Functions call functions
from the top down and eventually call the lowest level library or IO
functions that interact with hardware/electronics.
What is potentially difficult with a software function, is deciding what
are failure modes, and later what a failure symptoms.
With electronic components, we can use literature to point us to suitable sets of
{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}.%~\cite{en61508}~\cite{en298}.
With software, only some library functions are well known and rigorously documented
enough to have the equivalent of known failure modes.
Most software is `bespoke'. We need a different strategy to
describe the failure mode behaviour of software functions.
We can use definitions from contract programming to assist here.
\subsection{Contract programming description}
Contract programming is a discipline~\cite{dbcbe} for building software functions in a controlled
and traceable way. Each function is subject to pre-conditions (constraints on its inputs),
post-conditions (constraints on its outputs) and function wide invariants (rules).
\paragraph{Mapping contract `pre-condition' violations to failure modes}
A precondition, or requirement for a contract software function
defines the correct ranges of input conditions for the function
to operate successfully.
For a software function, a violation of a pre-condition is
in effect a failure mode of `one of its components'.
\paragraph{Mapping contract `post-condition' violations to symptoms}
A post condition is a definition of correct behaviour by a function.
A violated post condition is a symptom of failure of a function.
Post conditions could be either actions performed (i.e. the state of hardware changed) or an output value of a function.
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes}
Invariants in contract programming may apply to inputs to the function (where they can be considered {\fms} in FMMD terminology),
and to outputs (where they can be considered {failure symptoms} in FMMD terminology).
\subsection{Combined Hardware/Software FMMD}
For the purpose of example, we chose a simple common safety critical industrial circuit
that is nearly always used in conjunction with a programmatic element.
A common method for delivering a quantitative value in analogue electronics is
to supply a current signal to represent the value to be sent~\cite{aoe}[p.934].
Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale,
and this is referred to as {\ft} signalling.
%
{\ft} has a an electrical advantage as well, because the current in a loop is constant~\cite{aoe}[p.20]
resistance in the wires between the source and the receiving end is not an issue
that can alter the accuracy of the signal.
%
This circuit has many advantages for safety. If the signal becomes disconnected
it reads an out of range $0mA$ at the receiving end. This is outside the {\ft} range,
and is therefore easy to detect as an error rather than an incorrect value.
%
Should the driving electronics go wrong at the source end, it will usually
supply far too little or far too much current, making an error condition easy to detect.
%
At the receiving end, we only require one simple component to convert the
current signal into a voltage that we can read with an ADC: the humble resistor!
%BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP
\begin{figure}[h]
\centering
\includegraphics[width=230pt]{./CH5_Examples/ftcontext.png}
% ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385
\caption{Context Diagram for {\ft} loop}
\label{fig:ftcontext}
\end{figure}
The diagram in figure~\ref{fig:ftcontext}, shows some equipment which is sending a {\ft}
signal to a micro-controller system.
The signal is locally driven over a load resistor, and then read into the micro-controller via
an ADC and its multiplexer.
With the voltage detected at the ADC the multiplexer can read the intended quantitative
value from the external equipment.
\subsection{Simple Software Example}
Consider a software function that reads a {\ft} input, and returns a value between 0 and 999 (i.e. per mil $\permil$)
representing the current detected with an additional error indication flag .
%
Let us assume the {\ft} detection is via a \ohms{220} resistor, and that we read a voltage
from an ADC into the software.
Let us define any value outside the 4mA to 20mA range as an error condition.
%
As a voltage, we use ohms law~\cite{aoe} to determine the voltage ranges: $V=IR$, $0.004A * \ohms{220} = 0.88V$
and $0.020A * \ohms{220} = 4.4V$.
%
Our acceptable voltage range is therefore
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
This voltage range forms our input requirement.
%
We can now examine a software function that performs a conversion from the voltage read to
a per~mil representation of the {\ft} input current.
%
For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used.
We initially assume a function \textbf{read\_ADC} which returns a floating point %double precision
value which represents the voltage read (see code sample in figure~\ref{fig:code_read_4_20_input}).
%%{\vbox{
\begin{figure}[h+]
\footnotesize
\begin{verbatim}
/***********************************************/
/* read_4_20_input() */
/***********************************************/
/* Software function to read 4mA to 20mA input */
/* returns a value from 0-999 proportional */
/* to the current input. */
/***********************************************/
int read_4_20_input ( int * value ) {
double input_volts;
int error_flag;
/* require: input from ADC to be
between 0.88 and 4.4 volts */
input_volts = read_ADC(INPUT_4_20_mA);
if ( input_volts < 0.88 || input_volts > 4.4 ) {
error_flag = 1; /* Error flag set to TRUE */
}
else {
*value = (input_volts - 0.88) * ( 4.4 - 0.88 ) * 999.0;
error_flag = 0; /* indicate current input in range */
}
/* ensure: value is proportional (0-999) to the
4 to 20mA input */
return error_flag;
}
\end{verbatim}
%}
%}\clearpage
\caption{Software Function: \textbf{read\_4\_20\_input}}
\label{fig:code_read_4_20_input}
%\label{fig:420i}
\end{figure}
\clearpage
We now look at the function called by \textbf{read\_4\_20\_input}, \textbf{read\_ADC}, which returns a
voltage for a given ADC channel.
%
This function
deals directly with the hardware in the micro-controller that we are running the software on.
%
Its job is to select the correct channel (ADC multiplexer) and then to initiate a
conversion by setting an ADC 'go' bit (see code sample in figure~\ref{fig:code_read_ADC}).
%
It takes the raw ADC reading and converts it into a
floating point\footnote{the type, `double' or `double precision', is a standard C language floating point type~\cite{DBLP:books/ph/KernighanR88}.}
voltage value.
%{\vbox{
\begin{figure}[h+]
\footnotesize
\begin{verbatim}
/***********************************************/
/* read_ADC() */
/***********************************************/
/* Software function to read voltage from a */
/* specified ADC MUX channel */
/* Assume 10 ADC MUX channels 0..9 */
/* ADC_CHAN_RANGE = 9 */
/* Assume ADC is 12 bit and ADCRANGE = 4096 */
/* returns voltage read as double precision */
/***********************************************/
double read_ADC( int channel ) {
int timeout = 0;
/* require: a) input channel from ADC to be
in valid ADC range
b) voltage ref is 0.1% of 5V */
/* return out of range result */
/* if invalid channel selected */
if ( channnel > ADC_CHAN_RANGE )
return -2.0;
/* set the multiplexer to the desired channel */
ADCMUX = channel;
ADCGO = 1; /* initiate ADC conversion hardware */
/* wait for ADC conversion with timeout */
while ( ADCGO == 1 || timeout < 100 )
timeout++;
if ( timeout < 100 )
dval = (double) ADCOUT * 5.0 / ADCRANGE;
else
dval = -1.0; /* indicate invalid reading */
/* return voltage as a floating point value */
/* ensure: value is voltage input to within 0.1% */
return dval;
}
\end{verbatim}
\caption{Software Function: \textbf{read\_ADC}}
\label{fig:code_read_ADC}
\end{figure}
%}
%}
\clearpage
We now have a very simple software structure, a call tree, shown in figure~\ref{fig:ct1}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt]{./CH5_Examples/ct1.png}
% ct1.png: 151x224 pixel, 72dpi, 5.33x7.90 cm, bb=0 0 151 224
\caption{Call tree for software example}
\label{fig:ct1}
\end{figure}
This software is above the hardware in the conceptual call tree---from a programmatic perspective---%in software terms---the
software is reading values from the `lower~level' electronics.
%
FMEA is always a bottom-up process and so we must begin with this hardware.
%
The hardware is simply a load resistor, connected across an ADC input
pin on the micro-controller and ground.
%
We can identify the resistor and the ADC module of the micro-controller as
the base components in this design.
%
We now apply FMMD starting with the hardware.
\subsection{FMMD Process}
\paragraph{Functional Group - Convert mA to Voltage - CMATV}
This functional group contains the load resistor
and the physical Analogue to Digital Converter (ADC).
Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$.
We now determine the {\fms} of all the components in $G_1$.
For the resistor we can use a failure mode set from the literature~\cite{en298}.
Where the function $fm$ returns a set of failure modes for a given component we can state:
$$ fm(R) = \{OPEN,SHORT\}. $$
\vbox{
For the ADC we can determine the following failure modes:
\begin{itemize}
\item STUCKAT --- The ADC outputs a constant value,
\item MUXFAIL --- The ADC cannot select its input channel correctly,
\item LOW --- The ADC output is always LOW, or zero ADC counts,
\item HIGH --- The ADC output is always HIGH, or max ADC counts.
\end{itemize}
}
We can use the function $fm$ to define the {\fms} of an ADC thus:
$$ fm(ADC) = \{ STUCKAT, MUXFAIL,LOW, HIGH \}. $$
With these failure modes, we can analyse our first functional group, see table~\ref{tbl:cmatv}.
{
\tiny
\begin{table}[h+]
\caption{$G_1$: Failure Mode Effects Analysis} % title of Table
\label{tbl:cmatv}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{ADC } \\ \hline
\hline
1: $R_{OPEN}$ & resistor open, & $HIGH$ \\
& voltage on pin high & \\ \hline
2: $R_{SHORT}$ & resistor shorted, & $LOW$ \\
& voltage on pin low & \\ \hline \hline
3: $ADC_{STUCKAT}$ & ADC reads out & $V\_ERR$ \\
& fixed value & \\ \hline
4: $ADC_{MUXFAIL}$ & ADC may read & $V\_ERR$ \\
& wrong channel & \\ \hline
5: $ADC_{LOW}$ & output low & $LOW$ \\
6: $ADC_{HIGH}$ & output high & $HIGH$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We now collect the symptoms for the hardware functional group, $\{ HIGH , LOW, V\_ERR \} $.
We now create a {\dc} to represent this called $CMATV$.
We can express this using the `$\derivec$' function thus:
$$ CMATV = \; \derivec (G_1) .$$
As its failure modes, are the symptoms of failure from the functional group we can now state:
$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$
\paragraph{Functional Group - Software - Read\_ADC - RADC}
The software function $Read\_ADC$ uses the ADC hardware analysed
as the {\dc} CMATV above.
The code fragment in figure~\ref{fig:code_read_ADC} states pre-conditions, as
{\em/* require: a) input channel from ADC to be
in valid ADC range
b) voltage ref is 0.1\% of 5V */}.
%
From the above contractual programming requirements, we see that
the function must be sent the correct channel number.
%
A violation of this can be considered a {\fm} of the function,
which we can call $ CHAN\_NO $.
%
The reference voltage for the ADC has a 0.1\% accuracy requirement.
%
If the reference value is outside of this, it is also a {\fm}
of this function, which we can call $V\_REF$.
Taken as a component for use in FMEA/FMMD our function has
two failure modes. We can therefore treat it as a generic component, $Read\_ADC$,
by stating:
$$ fm(Read\_ADC) = \{ CHAN\_NO, VREF \} $$
As we have a failure mode model for our function, we can now use it in conjunction with
with the ADC hardware {\dc} CMATV, to form a {\fg} $G_2$, where $G_2 =\{ CMSTV, Read\_ADC \}$.
We now analyse this hardware/software combined {\fg}.
{
\tiny
\begin{table}[h+]
\caption{$G_2$: Failure Mode Effects Analysis} % title of Table
\label{tbl:radc}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
1: ${CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\
& read & \\ \hline
2: ${VREF}$ & ADC volt-ref & $VV\_ERR$ \\
& incorrect & \\ \hline \hline
3: $CMATV_{V\_ERR}$ & voltage value & $VV\_ERR$ \\
& incorrect & \\ \hline
4: $CMATV_{HIGH}$ & ADC may read & $HIGH$ \\
& wrong channel & \\ \hline
5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We now collect the symptoms of failure for the {\fg} analysed (see table~\ref{tbl:radc})
as $\{ VV\_ERR, HIGH, LOW \}$. We can add as well the violation of the postcondition
for the function.
This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */ },
corresponds to $VV\_ERR$, and is already in the {\fm} set for this {\fg}.
We can now create a {\dc} called $RADC$ thus: $$RADC = \; \derivec(G_2)$$ which has the following
{\fms}:
$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
\paragraph{Functional Group - Software - voltage to per mil - VTPM }
This function sits on top of the $RADC$ {\dc} determined above.
We look at the pre-conditions for the function $read\_4\_20\_input$ , % which we can call $RI$
to determine its {\fms}.
Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
We can map this violation of the pre-condition, to the {\fm} VRNGE; %As this function has one pre-condition
we can state,
$$ fm(read\_4\_20\_input) = \{ VRNGE \} .$$
We can now form a functional group with the {\dc} $RADC$ and the
software component $read\_4\_20\_input$, i.e. $G_3 = \{read\_4\_20\_input, RADC\} $.
{
\tiny
\begin{table}[h+]
\caption{$G_3$: Read\_4\_20: Failure Mode Effects Analysis} % title of Table
\label{tbl:r420i}
\begin{tabular}{|| l | c | l ||} \hline
\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
\textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
1: $RI_{VRGE}$ & voltage & $OUT\_OF\_$ \\
& outside range & $RANGE$ \\ \hline
2: $RADC_{VV_ERR}$ & voltage & $VAL\_ERR$ \\
& incorrect & \\ \hline \hline
3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\
& incorrect & \\ \hline
4: $RADC_{LOW}$ & ADC may read & $OUT\_OF\_$ \\
& wrong channel & $RANGE$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$.
The postcondition for the function $read\_4\_20\_input$, {\em /* ensure: value is proportional (0-999) to the
4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes.
% \paragraph{Final Functional Group}
For single failures these are the two ways in which this function
can fail. An $OUT\_OF\_RANGE$ will be flagged by the error flag variable.
The $VAL\_ERR$ will simply mean that the value read is simply wrong.
We can finally make a {\dc} to represent a failure mode model for our function $read\_4\_20\_input$ thus:
$$ R420I = \; \derivec(G_3) .$$
This new {\dc} has the following {\fms}:
$$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\} .$$
%
% Using the derived components, CMATV and VTPM we create
% a new functional group. This
% integrates FMEA's from software and eletronics
% into the same failure mode model.
We can now represent the software/hardware FMMD analysis
as a hierarchical diagram, see figure~\ref{fig:hd}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./CH5_Examples/hd.png}
% hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520
\caption{FMMD hierarchy with hardware and software elements}
\label{fig:hd}
\end{figure}
We can represent the hierarchy in figure~\ref{fig:hd} algebraically, using the `$\derivec$' function
using the groups as intermediate stages:
\begin{eqnarray*}
G_1 &=& \{R,ADC\} \\
CMATV &=& \;\derivec (G_1) \\
G_2 &=& \{CMATV, read\_ADC \} \\
RADC &=& \; \derivec (G_2) \\
G_3 &=& \{ RADC, read\_4\_20\_input \} \\
R420I &=& \; \derivec (G_3) \\
\end{eqnarray*}
or, a nested definition,
$$ \derivec \Big( \derivec \big( \derivec(R,ADC), read\_4\_20\_input \big), read\_4\_20\_input \Big). $$
This nested structure means that we have multiple traceable
stages of failure mode reasoning in our analysis. Traditional FMEA would have only one stage
of reasoning for each component failure mode.
%\clearpage
\subsection{Conclusion: Software/Hardware FMMD Model}
The {\dc} representing the {\ft} reader
in software shows that by FMMD, we can integrate
software and electro-mechanical FMMD models.
With this analysis
we have a complete `reasoning~path' linking the failures modes from the
electronics to those in the software.
Each functional group to {\dc} transition represents a
reasoning stage.
%
With traditional FMEA methods the reasoning~distance is large, because
it stretches from the component failure mode to the top---or---system level failure.
For this reason applying traditional FMEA to software stretches
the reasoning distance even further.
We now have a {\dc} for a {\ft} input in software.
Typically, more than one such input could be present in a real-world system.
Not only have we integrated electronics and software in an FMEA, we can also
re-use the analysis for each {\ft} input in the system.
The unsolved symptoms, or unobservable errors, i.e. $VAL\_ERR$ could be addressed
by another software function to read other known signals
via the MUX (i.e. voltage references). This strategy would
detect ADC\_STUCK\_AT and MUX\_FAIL failure modes.
A software specification for a hardware interface will concentrate on
how to interpret raw readings, or what signals to apply for actuators.
Using FMMD we can determine an accurate failure model for the interface as well.
%
%Detailing this however, is beyond the scope %and page-count
%of this paper.
%Its solved. Hoooo-ray !!!!!!!!!!!!!!!!!!!!!!!!
\vspace{20pt}
%typeset in {\Huge \LaTeX} \today
Reference in New Issue View Git Blame Copy Permalink