Robin_PHD/submission_thesis/CH5_Examples/copy.tex
2012-10-20 16:45:45 +01:00


%\clearpage %\pagenumbering{arabic}
%
% %% NEED TWO MORE EXAMPLES --- 02JUN2012
%
% * ENVIRONMENTAL CASE (perhaps temp on an opto-coupler
%
% * OPERATIONAL STATE (perhaps a self test on an ADC where it is set to output and driven high and low and read)
% to do: 23SEP2012
%
% 90_degrees is an incorrect failure mode in bubba and must be purged
%
% summing junction in sigma delta is not a valid fg, prob have to include
% the op-amp....
%
% very annoying to have to pull out the comparison complexity.
% makes the comparisons between approaches have less meaning.
% have to discuss this.
\label{sec:chap5}
This chapter demonstrates FMMD applied to
a variety of typical embedded system components including analogue/digital and electronics/software hybrids.
%In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.%
%Each example has been chosen to demonstrate
%FMMD applied to
%
The first section~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs}
(in the context of the safety standards
we are using for our particular project).
%
This is followed by several example FMMD analyses,
the first analysing a common configuration of
the inverting amplifier (see section~\ref{sec:invamp}) using
an op-amp and two resistors, which demonstrates how the potential divider from section~\ref{subsec:potdiv} can be re-used.
The inverting amplifier is analysed again, but this time with different
{\fgs}. The two approaches, i.e. the choice of membership for {\fgs}, are then discussed.
%~\ref{sec:chap4}
%can be re-used. %, but with provisos.
%
%The first
%(see section~\ref{sec:diffamp})
Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used
to create a differencing amplifier.
Building on the two approaches of section~\ref{sec:invamp}, re-use of the potential divider {\dc}
is discussed in the context of this circuit,
where its re-use is appropriate in the first stage and
not in the second.
%
Section~\ref{sec:fivepolelp} analyses a Sallen-Key based five pole low pass filter.
This demonstrates FMMD being able to re-use the first Sallen-Key analysis, %encountered as a {\dc}
thus saving time and effort for the analyst.
%
Section~\ref{sec:bubba} shows FMMD applied to a circular circuit topology---the `Bubba' oscillator---which uses
four op-amp stages with supporting components.
%
Section~\ref{sec:sigmadelta} shows FMMD analysing the sigma delta analogue to digital converter---again with a circular signal path---but which also operates on both
analogue and digital signals.
%
% Moving Pt100 to metrics
%
%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical
%failure mode classification % analysis for top level events traced back to {\bc} failure modes
%and the analysis of double simultaneous failure modes.
%
Finally section~\ref{sec:elecsw} demonstrates FMMD analysis of a combined electronic and software system.
% \section{Basic Concepts Of FMMD}
%
% The %idea
% driving concept behind FMMD is to modularise, from the bottom-up, failure mode effects analysis.
% Traditional FMEA takes part failure modes and then determines what effect each of these
% failure modes could have on the system under investigation.
%
% Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes,
% involves what we could term a large `reasoning~distance'; that is to say
% in a complex system, taking a particular failure mode, of a particular {\bc}
% and then trying to predict the outcome in the context of an entire system, is
% a leap~of~faith.
% %
% There will be numerous possibilities of effects and side effects on
% other components in the system; more than is practically possible to rigorously examine.
% To simply trace a simple route from a particular {\bc} failure mode to a top level system error/symptom
% oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
%
% Fortunately most real-world designs take a modular approach. In Electronics
% for instance, commonly used configurations of parts are used to create
% amplifiers, filters, potential dividers etc.
% %It is therefore natural to collect parts to form functional groups.
% It is common design practise in electronics, to use collections of parts in specific configurations
% to form well-defined and well-known building blocks.
% These commonly used configurations of parts, or {\fgs}, will
% also have a specific failure mode behaviour.
% We can take a {\fg}, analyse it using FMEA and determine its {\em symptoms} of failure.
%
% When we have done this we can treat this {\fg} as a component in its own right.
% %
% If we term {\bcs} as the components we start analysis with and components we have determined
% from functional groups as derived components, we can modularise the FMEA process.
% %
% If we start building {\fgs} from derived components we can start to build a modular
% hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
% allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
%
% As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts.
% %and with their failure modes.
% % It is worth defining clearly the term part here.
% % Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus:
% % ``{Part(definition)}---The Lowest level of assembly, beyond which further disassembly irrevocably destroys the item''.
% % In the field of electronics a resistor, capacitor and op-amp would fit this definition of a `part'.
% % Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mil1991}.
% %
% %
% %
% % \paragraph {Definitions: for practical FMMD analysis}
% %
% % \begin{itemize}
% % \item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}.
% % \item {\fm} - failure mode - the ways in which a component can fail
% % \item {\fg} - a collection of components chosen to perform a particular task
% % \item {\em symptom} - a failure mode of a functional group caused by one or more of its component failure modes.
% % \item {\dc} - a new component derived from an analysed {\fg}
% % \end{itemize}
%
%%%% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%
% This section might fit in with the literature review.... Chris thinks its not relevant here
% and I agree 20OCT2012
%
%%%% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
% \section{Determining the failure modes of components}
% \label{sec:determine_fms}
% In order to apply any form of FMEA we need to know the ways in which
% the components we are using can fail.
% %
% A good introduction to hardware and software failure modes may be found in~\cite{sccs}[pp.114-124].
% %
% Typically when choosing components for a design, we look at manufacturers' data sheets
% which describe functionality, physical dimensions
% environmental ranges, tolerances and can indicate how a component may fail/misbehave
% under given conditions.
% %
% How base components could fail internally, is not of interest to an FMEA investigation.
% The FMEA investigator needs to know what failure behaviour a component may exhibit. %, or in other words, its modes of failure.
% %
% A large body of literature exists which gives guidance for determining component {\fms}.
% %
% For this study FMD-91~\cite{fmd91} and the gas burner standard EN298~\cite{en298} are examined.
% %Some standards prescribe specific failure modes for generic component types.
% In EN298 failure modes for most generic component types are listed, or if not listed,
% determined by considering all pins OPEN and all adjacent pins shorted.
% %a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
% %are examined.
% %
% %
% FMD-91 is a reference document released into the public domain by the United States DOD
% and describes `failures' of common electronic components, with percentage statistics for each failure.
% %
% FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation.
% %
% FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of
% component {\fms} suitable for use in FMEA.
%
% A third document, MIL-1991~\cite{mil1991} often used alongside FMD-91, provides overall reliability statistics for
% component types, but does not detail specific failure modes.
% %
% Using MIL1991 in conjunction with FMD-91, we can determine statistics for the failure modes
% of component types.
% %
% The FMEDA process from European standard EN61508~\cite{en61508} for instance,
% requires statistics for Meantime to Failure (MTTF) for all {\bc} failure modes.
%
%
% % One is from the US military document FMD-91, where internal failures
% % of components are described (with stats).
% %
% % The other is EN298 where the failure modes for generic component types are prescribed, or
% % determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
% % is applied. These techniques
% %
% % The FMD-91 entries need, in some cases, some interpretation to be mapped to
% % component failure symptoms, but include failure modes that can be due to internal failures.
% % The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC.
% %
% % Could I come in and see you Chris to quickly discuss these.
% %
% % I hope to have chapter 5 finished by the end of March, chapter 5 being the
% % electronics examples for the FMMD methodology.
%
% In this section we look in detail at two common electrical components and examine how
% the two sources of information define their failure mode behaviour.
% We look at the reasons why some known failure modes % are omitted, or presented in
% %specific but unintuitive ways.
% %We compare the US. military published failure mode specifications wi
% can be found in one source but not in the others and vice versa.
% %
% Finally we compare and contrast the failure modes determined for these components
% from the FMD-91 reference source and from the guidelines of the
% European burner standard EN298.
%
% \subsection{Failure mode determination for generic resistor.}
% \label{sec:resistorfm}
% %- Failure modes. Prescribed failure modes EN298 - FMD91
% \paragraph{Resistor failure modes according to FMD-91.}
%
%
% The resistor is a ubiquitous component in electronics, and is therefore a good candidate for detailed examination of its failure modes.
% %
% FMD-91\cite{fmd91}[3-178] lists many types of resistor
% and lists many possible failure causes.
% For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes:
% \begin{itemize}
% \item Opened 52\%
% \item Drift 31.8\%
% \item Film Imperfections 5.1\%
% \item Substrate defects 5.1\%
% \item Shorted 3.9\%
% \item Lead damage 1.9\%
% \end{itemize}
% % This information may be of interest to the manufacturer of resistors, but it does not directly
% % help a circuit designer.
% % The circuit designer is not interested in the causes of resistor failure, but to build in contingency
% % against {\fms} that the resistor could exhibit.
% % We can determine these {\fms} by converting the internal failure descriptions
% % to {\fms} thus:
% To make this useful for FMEA/FMMD we must assign each failure cause to an arbitrary failure mode descriptor
% as shown below.
% %
% %and map these failure causes to three symptoms,
% %drift (resistance value changing), open and short.
%
% \begin{itemize}
% \item Opened 52\% $\mapsto$ OPENED
% \item Drift 31.8\% $\mapsto$ DRIFT
% \item Film Imperfections 5.1\% $\mapsto$ OPEN
% \item Substrate defects 5.1\% $\mapsto$ OPEN
% \item Shorted 3.9\% $\mapsto$ SHORT
% \item Lead damage 1.9\% $\mapsto$ OPEN.
% \end{itemize}
% %
% The main causes of drift are overloading of components.
% This is borne out in the FMD-91~\cite{fmd91}[232] entry for a resistor network where the failure
% modes do not include drift.
% %
% If we can ensure that our resistors will not be exposed to overload conditions, the
% probability of drift (sometimes called parameter change) occurring
% is significantly reduced, enough for some standards to exclude it~\cite{en298}~\cite{en230}.
%
% \paragraph{Resistor failure modes according to EN298.}
%
% EN298, the European gas burner safety standard, tends to give failure modes more directly usable by FMEA than FMD-91.
% EN298 requires that a full FMEA be undertaken, examining all failure modes
% of all electronic components~\cite{en298}[11.2 5] as part of the certification process.
% %
% Annex A of EN298, prescribes failure modes for common components
% and guidance on determining sets of failure modes for complex components (i.e. integrated circuits).
% EN298~\cite{en298}[Annex A] (for most types of resistor)
% only requires that the failure mode OPEN be considered for FMEA analysis.
% %
% For resistor types not specifically listed in EN298, the failure modes
% are considered to be either OPEN or SHORT.
% The reason that parameter change is not considered for resistors chosen for an EN298 compliant system, is that they must be {\em downrated}.
% That is to say the power and voltage ratings of components must be calculated
% for maximum possible exposure, with a 40\% margin of error. This reduces the probability
% that the resistors will be overloaded,
% and thus subject to drift/parameter change.
%
% % XXXXXX get ref from colin T
%
% %If a resistor was rated for instance for
%
% %These are useful for resistor manufacturersthey have three failure modes
% %EN298
% %Parameter change not considered for EN298 because the resistors are down-rated from
% %maximum possible voltage exposure -- find refs.
%
%
% % FMD-91 gives the following percentages for failure rates in
% % \label{downrate}
% % The parameter change, is usually a failure mode associated with over stressing the component.
% %In a system designed to typical safety critical constraints (as in EN298)
% %these environmentally induced failure modes need not be considered.
%
% \subsubsection{Resistor Failure Modes}
% \label{sec:res_fms}
% For this study we will take the conservative view from EN298, and consider the failure
% modes for a generic resistor to be both OPEN and SHORT.
% i.e.
% \label{ros}
% $$ fm(R) = \{ OPEN, SHORT \} . $$
%
% \subsection{Failure modes determination for generic operational amplifier}
%
% \begin{figure}[h+]
% \centering
% \includegraphics[width=200pt]{CH5_Examples/lm258pinout.jpg}
% % lm258pinout.jpg: 478x348 pixel, 96dpi, 12.65x9.21 cm, bb=0 0 359 261
% \caption{Pinout for an LM358 dual OpAmp}
% \label{fig:lm258}
% \end{figure}
%
% The operational amplifier (op-amp) %is a differential amplifier and
% is very widely used in nearly all fields of modern analogue electronics.
% They are typically packaged in dual or quad configurations---meaning
% that a chip will typically contain two or four amplifiers.
% For the purpose of example, we look at
% a typical op-amp designed for instrumentation and measurement, the dual packaged version of the LM358~\cite{lm358}
% (see figure~\ref{fig:lm258}), and use this to compare the failure mode derivations from FMD-91 and EN298.
%
% \paragraph{ Failure Modes of an OpAmp according to FMD-91 }
%
% %Literature suggests, latch up, latch down and oscillation.
% For OpAmp failure modes, FMD-91\cite{fmd91}[3-116] states,
% \begin{itemize}
% \item Degraded Output 50\% Low Slew rate - poor die attach
% \item No Operation - overstress 31.3\%
% \item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier 12.5\%
% \item Opened $V_+$ open 6.3\%
% \end{itemize}
%
% Again these are mostly internal causes of failure, more of interest to the component manufacturer
% than a designer looking for the symptoms of failure.
% We need to translate these failure causes within the OpAmp into {\fms}.
% We can look at each failure cause in turn, and map it to potential {\fms} suitable for use in FMEA
% investigations.
%
% \paragraph{OpAmp failure cause: Poor Die attach}
% The symptom for this is given as a low slew rate. This means that the op-amp
% will not react quickly to changes on its input terminals.
% This is a failure symptom that may not be of concern in a slow responding system like an
% instrumentation amplifier. However, where higher frequencies are being processed,
% a signal may entirely be lost.
% We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$.
%
% \paragraph{No Operation - over stress}
% Here the OP\_AMP has been damaged, and the output may be held HIGH or LOW, or may be effectively tri-stated
% , i.e. not able to drive circuitry in along the next stages of the signal path: we can call this state NOOP (no Operation).
% %
% We can map this failure cause to three {\fms}, $LOW$, $HIGH$, $NOOP$.
%
% \paragraph{Shorted $V_+$ to $V_-$}
% Due to the high intrinsic gain of an op-amp, and the effect of offset currents,
% this will force the output HIGH or LOW.
% We map this failure cause to $HIGH$ or $LOW$.
%
% \paragraph{Open $V_+$}
% This failure cause will mean that the minus input will have the very high gain
% of the OpAmp applied to it, and the output will be forced HIGH or LOW.
% We map this failure cause to $HIGH$ or $LOW$.
%
% \paragraph{Collecting OpAmp failure modes from FMD-91}
% We can define an OpAmp, under FMD-91 definitions to have the following {\fms}.
% \begin{equation}
% \label{eqn:opampfms}
% fm(OpAmp) = \{ HIGH, LOW, NOOP, LOW_{slew} \}
% \end{equation}
%
%
% \paragraph{Failure Modes of an OpAmp according to EN298}
%
% EN298 does not specifically define OP\_AMPS failure modes; these can be determined
% by following a procedure for `integrated~circuits' outlined in
% annex~A~\cite{en298}[A.1 note e].
% This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios.
% We examine these failure scenarios on the dual packaged $LM358$~\cite{lm358}%\mu741$
% and determine its {\fms} in table ~\ref{tbl:lm358}.
% Collecting the op-amp failure modes from table ~\ref{tbl:lm358} we obtain the same {\fms}
% that we got from FMD-91, listed in equation~\ref{eqn:opampfms}.
%
%
%
% %\paragraph{EN298: Open and shorted pin failure symptom determination technique}
%
%
%
%
%
% \begin{table}[h+]
% \caption{LM358: EN298 Open and shorted pin failure symptom determination technique}
% \begin{tabular}{|| l | l | c | c | l ||} \hline
% %\textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\
% \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\
% \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
%
% \hline
%
% & & & & \\ \hline
%
% FS1: PIN 1 OPEN & & A output open & & $NOOP_A$ \\ \hline
%
% FS2: PIN 2 OPEN & & A-input disconnected, & & \\
% & & infinite gain on A+input & & $LOW_A$ or $HIGH_A$ \\ \hline
%
% FS3: PIN 3 OPEN & & A+input disconnected, & & \\
% & & infinite gain on A-input & & $LOW_A$ or $HIGH_A$ \\ \hline
%
% FS4: PIN 4 OPEN & & power to chip (ground) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
%
%
% FS5: PIN 5 OPEN & & B+input disconnected, & & \\
% & & infinite gain on B-input & & $LOW_B$ or $HIGH_B$ \\ \hline
%
% FS6: PIN 6 OPEN & & B-input disconnected, & & \\
% & & infinite gain on B+input & & $LOW_B$ or $HIGH_B$ \\ \hline
%
%
% FS7: PIN 7 OPEN & & B output open & & $NOOP_B$ \\ \hline
%
% FS8: PIN 8 OPEN & & power to chip & & \\
% & & (Vcc) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
% & & & & \\
% & & & & \\
%
% & & & & \\ \hline
%
% FS9: PIN 1 $\stackrel{short}{\longrightarrow}$ PIN 2 & & A -ve 100\% Feed back, low gain & & $LOW_A$ \\ \hline
%
% FS10: PIN 2 $\stackrel{short}{\longrightarrow}$ PIN 3 & & A inputs shorted, & & \\
% & & output controlled by internal offset & & $LOW_A$ or $HIGH_A$ \\ \hline
%
% FS11: PIN 3 $\stackrel{short}{\longrightarrow}$ PIN 4 & & A + input held to ground & & $LOW_A$ \\ \hline
%
% FS12: PIN 5 $\stackrel{short}{\longrightarrow}$ PIN 6 & & B inputs shorted, & & \\
% & & output controlled by internal offset & & $LOW_B$ or $HIGH_B$ \\ \hline
%
% FS13: PIN 6 $\stackrel{short}{\longrightarrow}$ PIN 7 & & B -ve 100\% Feed back, low gain & & $LOW_B$ \\ \hline
%
% FS14: PIN 7 $\stackrel{short}{\longrightarrow}$ PIN 8 & & B output held high & & $HIGH_B$ \\ \hline
%
%
% \hline
% \end{tabular}
% \label{tbl:lm358}
% \end{table}
%
%
% %\clearpage
%
% \subsubsection{Failure modes of an OpAmp}
%
% \label{sec:opamp_fms}
% For the purpose of the examples to follow, the op-amp will
% have the following failure modes:-
%
% $$ fm(OPAMP) = \{ LOW, HIGH, NOOP, LOW_{slew} \} $$
%
%
% \subsection{Comparing the component failure mode sources}
%
%
% The EN298 pinouts failure mode technique cannot reveal failure modes due to internal failures.
% The FMD-91 entries for op-amps are not directly usable as
% component {\fms} in FMEA or FMMD and require interpretation.
%
% %For our OpAmp example could have come up with different symptoms for both sides. Cannot predict the effect of internal errors, for instance ($LOW_{slew}$)
% %is missing from the EN298 failure modes set.
%
%
% % FMD-91
% %
% % I have been working on two examples of determining failure modes of components.
% % One is from the US military document FMD-91, where internal failures
% % of components are described (with stats).
% %
% % The other is EN298 where the failure modes for generic component types are prescribed, or
% % determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
% % is applied. These techniques
% %
% % The FMD-91 entries need, in some cases, some interpretation to be mapped to
% % component failure symptoms, but include failure modes that can be due to internal failures.
% % The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC.
% %
% % Could I come in and see you Chris to quickly discuss these.
% %
% % I hope to have chapter 5 finished by the end of March, chapter 5 being the
% % electronics examples for the FMMD methodology.
%
%
%
%
%
% \clearpage
%
%
% %%
% %% Paragraph using failure modes to build from bottom up
% %%
%
%
%
%
%
% % \section{ FMMD overview}
% %
% % In the next sections we apply FMMD to electronic circuits, analogue/digital and electronic/software hybrids.
% % The basic principles of FMMD are presented here for clarity.
% %
% % \paragraph{ Creating a fault hierarchy.}
% % The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc}
% % level up to the top, or system level, with analysis stages between each
% % transition to a higher level in the hierarchy.
% %
% %
% % The first stage is to choose
% % {\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components.
% % %These parts all have associated fault modes. A module is a set fault~modes.
% % From the point of view of failure analysis,
% % we are not interested in the components themselves, but in the ways in which they can fail.
% %
% % A {\fg} is a collection of components that perform some simple task or function.
% % %
% % In order to determine how a {\fg} can fail,
% % we need to consider all the failure modes of all its components.
% % %
% % By analysing the fault behaviour of a `{\fg}' with respect to all its components failure modes,
% % we can determine its symptoms of failure.
% % %In fact we can call these
% % %the symptoms of failure for the {\fg}.
% %
% % With these symptoms (a set of derived faults from the perspective of the {\fg})
% % we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways.
% % %
% % In other words, we have taken a {\fg} and analysed how
% % \textbf{it} can fail according to the failure modes of its components, and then can
% % determine the {\fg} failure modes.
% %
% % \paragraph{Creating a derived component.}
% % We create a new `{\dc}' which has
% % the failure symptoms of the {\fg} from which it was derived, as its set of failure modes.
% % This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}.
% % %
% % \paragraph{An example of a {\dc}.}
% % To give an example of this, we could look at the components that
% % form, say an amplifier. We look at how all the components within it
% % could fail and how that would affect the amplifier.
% % %
% % The ways in which the amplifier can be affected are its symptoms.
% % %
% % When we have determined the symptoms, we can
% % create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
% % We can now treat $AMP1$ as a pre-analysed, higher level component.
% % %The amplifier is an abstract concept, in terms of the components.
% % To a make an `amplifier' we have to connect a group of components
% % in a specific configuration. This specific configuration corresponds to
% % a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
% %
% %
% % %What this means is the `fault~symptoms' of the module have been derived.
% % %
% % %When we have determined the fault~modes at the module level these can become a set of derived faults.
% % %By taking sets of derived faults (module level faults) we can combine these to form modules
% % %at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way,
% % %to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed
% % %as parts, parts which may now be combined to create new functional groups,
% % %but as parts at a higher level of fault abstraction.
% % \paragraph{Building the Hierarchy.}
% % We can now apply the same process of building {\fgs} but with {\dcs} instead of {\bcs}.
% % We can bring {\dcs}
% % together to form functional groups and then create new {\dcs}
% % at even higher abstraction levels. Eventually we will have a hierarchy
% % that converges to one top level {\dc}. At this stage we have a complete failure
% % mode model of the system under investigation.
% %
% % \begin{figure}[h]
% % \centering
% % \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
% % % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
% % \caption{FMMD Hierarchy showing ascending abstraction levels}
% % \label{fig:treeabslev}
% % \end{figure}
% %
% % Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg}
% % is shown as a `$\derivec$' symbol.
% %
% %
% %
% %
\clearpage
\section{Example Analysis: Inverting OPAMP}
\label{sec:invamp}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/invamp.png}
% invamp.png: 378x207 pixel, 72dpi, 13.34x7.30 cm, bb=0 0 378 207
\caption{Inverting Amplifier Configuration}
\label{fig:invamp}
\end{figure}
%This configuration is interesting from methodology pers.
There are two obvious ways in which we can model this circuit:
one is to do this in two stages, by considering the gain resistors to be an inverted potential divider
and then combining it with the OPAMP failure mode model;
the second is to place all three components in one {\fg}.
Both approaches are followed in the next two sub-sections.
\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
We cannot simply re-use the $PD$ from section~\ref{subsec:potdiv}---that potential divider would only be valid if the input signal were negative.
We want, if possible, to have detectable errors: HIGH and LOW failures are more observable than more generic failure modes such as `OUTOFRANGE'.
If we can refine the operational states of the functional group, we can obtain clearer
symptoms.
If we consider that the input will only be positive, we can invert the potential divider (see table~\ref{tbl:pdneg}).
\begin{table}[h+]
\caption{Inverted Potential divider: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Inverted Pot Div Effect} & & \textbf{Symptom} \\
\hline
FS1: R1 SHORT & & $HIGH$ & & $PDHigh$ \\ \hline
FS2: R1 OPEN & & $LOW$ & & $PDLow$ \\ \hline
FS3: R2 SHORT & & $LOW$ & & $PDLow$ \\ \hline
FS4: R2 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline
\hline
\end{tabular}
\label{tbl:pdneg}
\end{table}
\begin{figure}[h]
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
\node[component] (R1) at (0,-0.7) {$R_1$};
\node[component] (R2) at (0,-1.9) {$R_2$};
\node[failure] (R1SHORT) at (\layersep,-0) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-1.1) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-2.4) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-3.7) {$R2_{Op}$};
\path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN);
\path (R2) edge (R2SHORT);
\path (R2) edge (R2OPEN);
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-0.7) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-2.2) {$PD_{LOW}$};
\path (R1OPEN) edge (PDLOW);
\path (R2SHORT) edge (PDLOW);
\path (R2OPEN) edge (PDHIGH);
\path (R1SHORT) edge (PDHIGH);
\end{tikzpicture}
\caption{Failure symptoms of the `Inverted Potential Divider' $INVPD$}
\label{fig:pdneg}
\end{figure}
We can form a {\dc} from this, and call it an inverted potential divider $INVPD$.
We can now form a {\fg} from the OpAmp and the $INVPD$ (see table~\ref{tbl:invamppd}).
\begin{table}[h+]
\caption{Inverting Amplifier: Single failure analysis using the $INVPD$ {\dc}}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\textbf{Failure} & & \textbf{Inverted Amp. Effect} & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
\hline
FS1: INVPD LOW & & Negative on -input & & $HIGH$ \\
FS2: INVPD HIGH & & Positive on -input & & $LOW$ \\ \hline
FS5: AMP L\_DN & & $INVAMP_{low}$ & & $LOW$ \\
FS6: AMP L\_UP & & $INVAMP_{high}$ & & $HIGH$ \\
FS7: AMP NOOP & & $INVAMP_{nogain}$ & & $LOW$ \\
FS8: AMP LowSlew & & slow output $\frac{\delta V}{\delta t}$ & & $LOWPASS$ \\ \hline
\hline
\end{tabular}
\label{tbl:invamppd}
\end{table}
%%This gives the same results as the analysis from figure~\ref{fig:invampanalysis}.
\begin{figure}[h+]
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
% Draw the input layer nodes
%\foreach \name / \y in {1,...,4}
% This is the same as writing \foreach \name / \y in {1/1,2/2,3/3,4/4}
% \node[component, pin=left:Input \#\y] (I-\name) at (0,-\y) {};
\node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
\node[component] (R1) at (0,-6) {$R_1$};
\node[component] (R2) at (0,-7.6) {$R_2$};
%\node[component] (C-3) at (0,-5) {$C^0_3$};
%\node[component] (K-4) at (0,-8) {$K^0_4$};
%\node[component] (C-5) at (0,-10) {$C^0_5$};
%\node[component] (C-6) at (0,-12) {$C^0_6$};
%\node[component] (K-7) at (0,-15) {$K^0_7$};
% Draw the hidden layer nodes
%\foreach \name / \y in {1,...,5}
% \path[yshift=0.5cm]
\node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
\node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
\node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
\node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
% Draw the output layer node
% % Connect every node in the input layer with every node in the
% % hidden layer.
% %\foreach \source in {1,...,4}
% % \foreach \dest in {1,...,5}
\path (OPAMP) edge (OPAMPLU);
\path (OPAMP) edge (OPAMPLD);
\path (OPAMP) edge (OPAMPNP);
\path (OPAMP) edge (OPAMPLS);
\path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN);
\path (R2) edge (R2SHORT);
\path (R2) edge (R2OPEN);
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
\path (R1OPEN) edge (PDLOW);
\path (R2SHORT) edge (PDLOW);
\path (R2OPEN) edge (PDHIGH);
\path (R1SHORT) edge (PDHIGH);
\node[symptom] (AMPHIGH) at (\layersep*3.4,-3) {$AMP_{HIGH}$};
\node[symptom] (AMPLOW) at (\layersep*3.4,-5) {$AMP_{LOW}$};
\node[symptom] (AMPLP) at (\layersep*3.4,-7) {$LOWPASS$};
\path (PDLOW) edge (AMPHIGH);
\path (OPAMPLU) edge (AMPHIGH);
\path (PDHIGH) edge (AMPLOW);
\path (OPAMPNP) edge (AMPLOW);
\path (OPAMPLD) edge (AMPLOW);
\path (OPAMPLS) edge (AMPLP);
\end{tikzpicture}
% End of code
\caption{Full DAG representing failure modes and symptoms of the Inverting Op-amp Circuit}
\label{fig:invdag1}
\end{figure}
%The differences are the root causes or component failure modes that
%lead to the symptoms (i.e. the symptoms are the same but causation tree will be different).
$$ fm(INVAMP) = \{ HIGH, LOW, LOWPASS \}.$$
\subsection{Second Approach: Inverting OpAmp analysed with three components in one larger {\fg}}
Here we analyse the same problem without using an intermediate $PD$
derived component.
%We can use this for a more general case, because we can examine the
%effects on the circuit for each operational case (i.e. input +ve
%or input -ve), see table~\ref{tbl:invamp}.
%Because symptom collection is defined as surjective (from component failure modes
%to symptoms) we cannot have a component failure mode that maps to two different symptoms (within a functional group).
%Note that here we have a more general symptom $ OUT OF RANGE $ which could mean either
%$HIGH$ or $LOW$ output.
% 08feb2012 bugger considering -ve input. It complicates things.
% maybe do an ac amplifier later at some stage.
\begin{table}[h]
\caption{Inverting Amplifier: Single failure analysis: 3 components}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\textbf{Failure} & & \textbf{Inverting Amp. Effect} & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
\hline
FS1: R1 SHORT & & NEGATIVE out of range & & $ HIGH $ \\
% FS1: R1 SHORT -ve in & & POSITIVE out of range & & $ OUT OF RANGE $ \\ \hline
FS2: R1 OPEN & & zero output & & $ LOW $ \\ \hline
% FS2: R1 OPEN -ve in & & zero output & & $ ZERO OUTPUT $ \\ \hline
FS3: R2 SHORT & & $INVAMP_{nogain} $ & & $ LOW $ \\
% FS3: R2 SHORT -ve in & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline
FS4: R2 OPEN & & NEGATIVE out of range & & $ LOW $ \\ \hline
% FS4: R2 OPEN -ve in & & POSITIVE out of range $ $ & & $OUT OF RANGE $ \\ \hline
FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\
FS8: AMP LowSlew & & slow output $\frac{\delta V}{\delta t}$ & & $ LOW PASS $ \\ \hline
\hline
\end{tabular}
\label{tbl:invamp}
\end{table}
$$ fm(INVAMP) = \{ HIGH, LOW, LOWPASS \}. $$
%Much more general. OUT OF RANGE symptom maps to many component failure modes.
%Observability problem... system. In fact can we get a metric of how observable
%a system is using the ratio of component failure modes X op states to a symptom ????
%Could further refine this if MTTF stats available for each component failure.
\clearpage
\subsection{Comparison between the two approaches}
\label{sec:invampcc}
The first analysis used two FMMD stages.
The first stage analysed an inverted potential divider,
giving the {\dc} $INVPD$.
The second stage analysed a {\fg} comprised of $INVPD$ and an OpAmp.
%
The second analysis (3 components) had to consider the effect of each failure mode of each resistor
on the op-amp circuit. This meant more work for the analyst---that is,
an increase in the complexity of the analysis---compared to
checking the two known failure modes
of the pre-analysed inverted potential divider against the OpAmp.
%
Both analysis strategies obtained the same failure modes for the
inverting amplifier (i.e. the same failure modes for the {\dc} $INVAMP$).
% METRICS The complexity comparison figures
% METRICS bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
% METRICS and for the second analysis a CC of $8.(3-2)=16$.
% CAN WE MODULARISE TOO FAR???? CAN W MAKE IT TOO FINELY GRAINED. 08FEB2012
%Again, for the two stage analysis, using equation~\ref{eqn:rd}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
%and for the second analysis a CC of $8.(3-2)=16$.
%If the input voltage can be negative the potential divider
%becomes reversed in polarity.
%This means that detecting which failure mode has occurred from knowing the symptom, has become a more difficult task; or in other words
%the observability of the causes of failure are reduced. Instead of the more specific symptoms $HIGH$ or $LOW$ we
%obtain $OUT OF RANGE$ instead.
\clearpage
\section{Differencing Amplifier using two op-amps}
\label{sec:diffamp}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit1001.png}
% circuit1001.png: 420x300 pixel, 72dpi, 14.82x10.58 cm, bb=0 0 420 300
\caption{Circuit 1}
\label{fig:circuit1}
\end{figure}
The circuit in figure~\ref{fig:circuit1} amplifies the difference between
the input voltages $+V1$ and $+V2$.
The circuit is configured so that both inputs use the non-inverting,
and thus high impedance, inputs of the op-amps; this means that they will not
electrically over-load or unduly influence
the sensors supplying the voltage signals used for measurement.
It would be desirable to represent this circuit as a {\dc} called, say, $DiffAMP$.
We begin by identifying {\fgs} from the components in the circuit.
% WE CAN RE_USE THE NONINVAMP FROM CHAPTER 4 HERE.......
% \subsection{Functional Group: Potential Divider}
% For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{subsec:potdiv}.
%
% %R1 and R2 perform as a potential divider.
% %Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A).
% %$$ fm(R) = \{ OPEN, SHORT \}$$
%
%
%
% % \begin{table}[ht]
% % \caption{Potential Divider $PD$: Failure Mode Effects Analysis: Single Faults} % title of Table
% % \centering % used for centering table
% % \begin{tabular}{||l|c|c|l|l||}
% % \hline \hline
% % \textbf{Test} & \textbf{Pot.Div} & \textbf{ } & \textbf{General} \\
% % \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% % % R & wire & res + & res - & description
% % \hline
% % \hline
% % TC1: $R_1$ SHORT & LOW & & LowPD \\
% % TC2: $R_1$ OPEN & HIGH & & HighPD \\ \hline
% % TC3: $R_2$ SHORT & HIGH & & HighPD \\
% % TC4: $R_2$ OPEN & LOW & & LowPD \\ \hline
% % \hline
% % \end{tabular}
% % \label{tbl:pdfmea}
% % \end{table}
% %
% % By collecting the symptoms in table~\ref{tbl:pdfmea} we can create a derived
% % component $PD$ to represent the failure mode behaviour
% % of a potential divider.
%
% Thus for single failure modes, a potential divider can fail
% with $fm(PD) = \{PDHigh,PDLow\}$.
%
%
% The potential divider is used to program the gain of IC1.
% IC1 and PD provide the function of buffering
% /amplifying the signal $+V1$.
% We can now examine IC1 and PD as a functional group.
%
% \pagebreak[3]
% \subsection{Functional Group: Amplifier first stage}
%
% Let use now consider the op-amp. According to
% FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
% latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
%
%
% $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
%
%
% By bringing the $PD$ derived component and the $OPAMP$ into
% a functional group we can analyse its failure mode behaviour.
%
%
% \begin{table}[ht]
% \caption{Non Inverting Amplifier $NI\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
% \centering % used for centering table
% \begin{tabular}{||l|c|c|l|l||}
% \hline \hline
% %\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
% %\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\
% \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
%
% % R & wire & res + & res - & description
% \hline
% \hline
% TC1: $OPAMP$ LatchUP & & Output High & & AMPHigh \\
% TC2: $OPAMP$ LatchDown & & Output Low : Low gain& & AMPLow \\ \hline
% TC3: $OPAMP$ No Operation & & Output Low & & AMPLow \\
% TC4: $OPAMP$ Low Slew & & Low pass filtering & & LowPass \\ \hline
% TC5: $PD$ LowPD & & Output High & & AMPHigh \\ \hline
% TC6: $PD$ HighPD & & Output Low : Low Gain& & AMPLow \\ \hline
% %TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
% \hline
% \end{tabular}
% \label{ampfmea}
% \end{table}
%
%
% Collecting the symptoms we can see that this amplifier fails
% in 3 ways $\{ AMPHigh, AMPLow, LowPass \}$.
% We can now create a derived component, $NI\_AMP$, to represent it.
% The FMMD reasoning process is represented in the DAG in figure~\ref{fig:noninvdag11}.
%
Looking first at the components in the signal path, we notice that we have a non-inverting
amplifier formed by R1, R2 and IC1. In fact, apart from being drawn
inverted on the schematic, it is identical to the example
used in section~\ref{sec:noninvamp} (the first practical example used to demonstrate FMMD).
We thus re-use this {\dc} and can express its failure modes thus:
$$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} .$$
%
%
% \begin{figure}[h+]
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
%
% \node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
% \node[component] (R1) at (0,-6) {$R_1$};
% \node[component] (R2) at (0,-7.6) {$R_2$};
%
%
% \node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
% \node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
% \node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
% \node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
%
% \node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
% \node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
%
% \node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
% \node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
%
% \path (OPAMP) edge (OPAMPLU);
% \path (OPAMP) edge (OPAMPLD);
% \path (OPAMP) edge (OPAMPNP);
% \path (OPAMP) edge (OPAMPLS);
%
% \path (R1) edge (R1SHORT);
% \path (R1) edge (R1OPEN);
%
% \path (R2) edge (R2SHORT);
% \path (R2) edge (R2OPEN);
%
%
% % Potential divider failure modes
% %
% \node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
% \node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
% \path (R1OPEN) edge (PDHIGH);
% \path (R2SHORT) edge (PDHIGH);
% \path (R2OPEN) edge (PDLOW);
% \path (R1SHORT) edge (PDLOW);
% \node[symptom] (AMPHIGH) at (\layersep*3.4,-3) {$AMP_{HIGH}$};
% \node[symptom] (AMPLOW) at (\layersep*3.4,-5) {$AMP_{LOW}$};
% \node[symptom] (AMPLP) at (\layersep*3.4,-7) {$LOWPASS$};
% \path (PDLOW) edge (AMPHIGH);
% \path (OPAMPLU) edge (AMPHIGH);
% \path (PDHIGH) edge (AMPLOW);
% \path (OPAMPNP) edge (AMPLOW);
% \path (OPAMPLD) edge (AMPLOW);
% \path (OPAMPLS) edge (AMPLP);
%
% \end{tikzpicture}
% % End of code
% \caption{Full DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
% \label{fig:noninvdag11}
% \end{figure}
\subsection{The second stage of the amplifier}
The second stage of this amplifier, following the signal path, is the amplifier
consisting of $R3,R4,IC2$.
%
This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier.
The first amplifier was grounded and received `+V1' (presumably
a positive voltage) as its input.
This means the junction of R1 and R3 is always positive,
whereas the input voltage `+V2' could be lower than this.
R3 and R4 therefore do not form a fixed potential divider with R4 on the positive side:
the polarity across the pair could be either way around (i.e. R4 could be on the negative side).
Here it is more intuitive to model the resistors not as a potential divider, but individually.
%This means we are either going to
%get a high or low reading if R3 or R4 fail.
\begin{table}[ht]
\caption{Second Amplifier $SEC\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
\textbf{Failure} & \textbf{$SEC\_AMP$} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Amplifier Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & AMPHigh \\
TC2: $OPAMP$ LatchDown & Output Low : Low gain & AMPLow \\
TC3: $OPAMP$ No Operation & Output Low & AMPLow \\
TC4: $OPAMP$ Low Slew & Low pass filtering & LowPass \\ \hline
TC5: $R3\_open$ & +V2 follower & AMPIncorrectOutput\\
TC6: $R3\_short$ & Undefined & AMPIncorrectOutput \\
& (impedance of IC1 vs +V2) & \\ \hline
TC7: $R4\_open$ & High or Low output & AMPIncorrectOutput \\
& +V2$>$+V1 $\mapsto$ High & \\
& +V1$>$+V2 $\mapsto$ Low & \\
TC8: $R4\_short$ & +V2 follower & AMPIncorrectOutput \\ \hline
%TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
\hline
\end{tabular}
\label{tbl:secampfmea}
\end{table}
Collecting the symptoms we can see that this amplifier fails
in 4 ways.
We create a derived component, $SEC\_AMP$, to represent it,
with failure modes described by:
$$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} .$$
%Its failure modes are therefore the same. We can therefore re-use
%the derived component for $NI\_AMP$
\pagebreak[4]
\subsection{Modelling the circuit}
For the final stage of this analysis we can create a {\fg} consisting of
the two derived components $NI\_AMP$ and $SEC\_AMP$.
\begin{table}[ht]
\caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
%\textbf{Test} & \textbf{Dual Amplifier} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{$DiffAMP$} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $NI\_AMP$ AMPHigh & opamp 2 driven high & DiffAMPLow \\
TC2: $NI\_AMP$ AMPLow & opamp 2 driven low & DiffAMPHigh \\
TC3: $NI\_AMP$ LowPass & opamp 2 driven with lag & DiffAMP\_LP \\ \hline
TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & DiffAMPHigh\\
TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & DiffAMPLow \\
TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & DiffAMP\_LP \\
TC7: $SEC\_AMP$ IncorrectOutput & Output voltage & DiffAMPIncorrect \\
& $ \neg (V2 - V1) $ & \\ \hline
\hline
\end{tabular}
\label{tbl:diffampfmea}
\end{table}
Collecting the symptoms, we can determine the failure modes for this circuit, $\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$.
We now create a derived component to represent the circuit in figure~\ref{fig:circuit1}:
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} .$$
We draw a directed graph (figure~\ref{fig:circuit1_dag})
of the failure modes and derived components.
%
Using this we can trace any top level fault back to
a component failure mode that could have caused it\footnote{In fact we can
re-construct an FTA diagram from the information in this graph.
We merely have to choose a top level event and work down using $XOR$ gates.}.
This circuit performs poorly from a safety point of view.
Its failure modes could be indistinguishable from valid readings (especially
when it becomes a $+V2$ follower).
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{CH5_Examples/circuit1_dag.png}
% circuit1_dag.png: 797x1145 pixel, 72dpi, 28.12x40.39 cm, bb=0 0 797 1145
\caption{Directed Acyclic Graph of the two op-amp differencing amplifier failure modes}
\label{fig:circuit1_dag}
\end{figure}
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}; however, this {\fm} is impossible to detect in this circuit:
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508
terminology it is called an undetectable fault.
%
Were this failure to have safety implications, this FMMD analysis would have revealed
the un-observability and would likely prompt a re-design of this
circuit\footnote{A typical way to solve an un-observability such as this is
to periodically switch in test signals in place of the input signal.}.
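The two analysis strategies compared in section~\ref{sec:invampcc}, and the trace-back from a top-level {\fm} to the component failure modes that can cause it (described above for $DiffAMP$), can be mechanised; the Python script below is an added worked example, not part of this thesis or of any FMMD tool. It encodes the FMEA tables of sections~\ref{sec:invamp} and \ref{sec:diffamp} as dictionaries, checks that each table covers every failure mode of its {\fg} exactly once, and walks the resulting DAG from a symptom down to its root causes. Assumptions: the op-amp rows use the names $L\_up$, $L\_dn$, $Noop$, $L\_slew$ for LatchUP, LatchDown, No Operation and Low Slew; the second op-amp is named $IC2$; and $NI\_AMP$ is treated as a re-used {\dc} whose internal causes are not expanded.

```python
"""Minimal FMMD model: components with failure modes, functional groups,
symptom collection into derived components, and trace-back from a
top-level symptom to the base-component failure modes behind it."""
from collections import defaultdict


class Component:
    """A base or derived component. For a derived component, `causes` maps each
    failure mode to the (sub-component, failure mode) pairs collected into it."""

    def __init__(self, name, failure_modes, causes=None):
        self.name = name
        self.fm = frozenset(failure_modes)
        self.causes = dict(causes or {})  # empty for base and re-used components

    def __repr__(self):
        return self.name


def analyse(group, table):
    """Single-failure analysis of a functional group. `table` is the FMEA
    table as {(component, failure_mode): symptom}. Symptom collection is a
    surjection from failure modes onto symptoms: a dict key carries exactly
    one symptom, and every failure mode of every member must be present."""
    expected = {(c, f) for c in group for f in c.fm}
    missing, unknown = expected - set(table), set(table) - expected
    if missing or unknown:
        raise ValueError(f"FMEA table mismatch: missing={missing} unknown={unknown}")
    causes = defaultdict(set)
    for (comp, mode), symptom in table.items():
        causes[symptom].add((comp, mode))
    return causes


def derive(name, group, table):
    """Collect the symptoms of a functional group into a derived component."""
    causes = analyse(group, table)
    return Component(name, causes.keys(), causes)


def root_causes(component, symptom):
    """Walk the FMMD DAG down from one failure mode of a derived component
    to the leaf (component name, failure mode) pairs that can cause it.
    Each level is an OR over its causes, which is how an FTA is rebuilt."""
    if symptom not in component.fm:
        raise KeyError(f"{component.name} has no failure mode {symptom}")
    if not component.causes:  # leaf: a base or a re-used component
        return {(component.name, symptom)}
    leaves = set()
    for sub, mode in component.causes[symptom]:
        leaves |= root_causes(sub, mode)
    return leaves


def resistor(name):
    return Component(name, {"OPEN", "SHORT"})


def opamp(name):  # FMD-91 op-amp failure modes as named in the chapter
    return Component(name, {"L_up", "L_dn", "Noop", "L_slew"})


def inverting_amp_two_stage():
    """First approach: inverted potential divider INVPD, then INVPD + op-amp."""
    r1, r2, amp = resistor("R1"), resistor("R2"), opamp("OPAMP")
    invpd = derive("INVPD", [r1, r2], {
        (r1, "SHORT"): "PDHIGH", (r1, "OPEN"): "PDLOW",
        (r2, "SHORT"): "PDLOW", (r2, "OPEN"): "PDHIGH"})
    return derive("INVAMP", [invpd, amp], {
        (invpd, "PDLOW"): "HIGH", (invpd, "PDHIGH"): "LOW",
        (amp, "L_dn"): "LOW", (amp, "L_up"): "HIGH",
        (amp, "Noop"): "LOW", (amp, "L_slew"): "LOWPASS"})


def inverting_amp_flat():
    """Second approach: R1, R2 and the op-amp in one functional group."""
    r1, r2, amp = resistor("R1"), resistor("R2"), opamp("OPAMP")
    return derive("INVAMP", [r1, r2, amp], {
        (r1, "SHORT"): "HIGH", (r1, "OPEN"): "LOW",
        (r2, "SHORT"): "LOW", (r2, "OPEN"): "LOW",
        (amp, "L_dn"): "LOW", (amp, "L_up"): "HIGH",
        (amp, "Noop"): "LOW", (amp, "L_slew"): "LOWPASS"})


def diff_amp():
    """Two op-amp differencing amplifier: re-used NI_AMP plus SEC_AMP."""
    ni_amp = Component("NI_AMP", {"AMPHigh", "AMPLow", "LowPass"})  # re-used
    r3, r4, ic2 = resistor("R3"), resistor("R4"), opamp("IC2")
    sec_amp = derive("SEC_AMP", [r3, r4, ic2], {
        (ic2, "L_up"): "AMPHigh", (ic2, "L_dn"): "AMPLow",
        (ic2, "Noop"): "AMPLow", (ic2, "L_slew"): "LowPass",
        (r3, "OPEN"): "AMPIncorrectOutput", (r3, "SHORT"): "AMPIncorrectOutput",
        (r4, "OPEN"): "AMPIncorrectOutput", (r4, "SHORT"): "AMPIncorrectOutput"})
    return derive("DiffAMP", [ni_amp, sec_amp], {
        (ni_amp, "AMPHigh"): "DiffAMPLow", (ni_amp, "AMPLow"): "DiffAMPHigh",
        (ni_amp, "LowPass"): "DiffAMP_LP",
        (sec_amp, "AMPHigh"): "DiffAMPHigh", (sec_amp, "AMPLow"): "DiffAMPLow",
        (sec_amp, "LowPass"): "DiffAMP_LP",
        (sec_amp, "AMPIncorrectOutput"): "DiffAMPIncorrect"})
```

Both inverting amplifier analyses yield the same $fm(INVAMP)$, while `root_causes(diff_amp(), "DiffAMPIncorrect")` returns exactly the four R3 and R4 failure modes hidden behind the unobservable {\fm}.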
\clearpage
\section{Five Pole Low Pass Filter, using two Sallen~Key stages.}
\label{sec:fivepolelp}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002.png}
% circuit2002.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Circuit 2}
\label{fig:circuit2}
\end{figure}
The circuit in figure~\ref{fig:circuit2} shows a five pole low pass filter.
Starting at the input, we have a first order low pass filter buffered by an op-amp;
the output of this is passed to a Sallen~Key~\cite{aoe}[p.267]~\cite{electronicssysapproach}[p.288] second order low-pass filter.
The output of this is passed into another Sallen~Key filter which, although it may have different values
for its resistors and capacitors and thus a different frequency response, is identical from a failure mode perspective.
Thus we can analyse the first Sallen~Key low pass filter and re-use the result
for the second stage
(avoiding the repeat work that would have been required using traditional FMEA).
\begin{figure}[h]
\centering
\includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/blockdiagramcircuit2.png}
% blockdiagramcircuit2.png: 689x83 pixel, 72dpi, 24.31x2.93 cm, bb=0 0 689 83
\caption{Signal Flow through the five pole low pass filter}
\label{fig:blockdiagramcircuit2}
\end{figure}
\paragraph{First Order Low Pass Filter.}
\label{sec:lp}
We begin with the first order low pass filter formed by $R10$ and $C10$.
%
This configuration (or {\fg}) is very commonly
used in electronics to remove unwanted high frequencies/interference
from a signal; here it is being used as the first stage of
a more sophisticated low pass filter.
%
R10 and C10 act as a potential divider, with the crucial difference from a purely resistive potential divider being
that the impedance of the capacitor is lower for higher frequencies.
Thus higher frequencies are attenuated at the point where we
read the output signal.
However, from a failure mode perspective we can analyse it in a very similar way
to a potential divider (see section~\ref{potdivfmmd}).
Capacitors generally fail OPEN, but some types fail OPEN and SHORT.
We will consider the worst case, two failure mode, model for this analysis.
We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.
\begin{table}[h]
\caption{FirstOrderLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firstorderlp}
\begin{tabular}{|| l | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\
% & & \textbf{Low Pass Filter} & & \\
\textbf{Failure} & \textbf{First Order} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Low Pass Filter} & \textbf{Failure Mode} \\
\hline
FS1: R10 SHORT & No filtering & $LPnofilter$ \\ \hline
FS2: R10 OPEN & No signal & $LPnosignal$ \\ \hline
FS3: C10 SHORT & No signal & $LPnosignal$ \\ \hline
FS4: C10 OPEN & No filtering & $LPnofilter$ \\ \hline
\hline
\end{tabular}
\end{table}
We can collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component
called $FirstOrderLP$. Applying the $fm$ function yields $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
\paragraph{Addition of Buffer Amplifier: First stage.}
The op-amp IC1 is being used simply as a buffer. By placing it between this filter and the next stage
on the signal path, we remove the possibility of unwanted signal feedback.
The buffer is one of the simplest op-amp configurations.
It has no other components, and so we can now form a {\fg}
from the $FirstOrderLP$ {\dc} and the OpAmp component.
\begin{table}[ht]
\caption{First Stage LP1: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firststage}
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{First stage LP1} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & LP1High \\
TC2: $OPAMP$ LatchDown & Output Low & LP1Low \\
TC3: $OPAMP$ No Operation & Output Low & LP1Low \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & LP1filterincorrect \\ \hline
TC5: $LPnofilter $ & No low pass filtering & LP1filterincorrect \\
TC6: $LPnosignal $ & No input signal & LP1nosignal \\ \hline
\hline
\hline
\end{tabular}
\end{table}
From table~\ref{tbl:firststage} we can collect the symptoms of failure of
the first stage of this circuit (i.e. R10, C10, IC1).
We can create a derived component for it; let us call it $LP1$.
$$ fm(LP1) = \{ LP1High, LP1Low, LP1filterincorrect, LP1nosignal \} $$
In terms of the circuit, we have modelled the functional groups $FirstOrderLP$ and
$LP1$. We can represent these on the circuit diagram by drawing contours around the components
on the schematic as in figure~\ref{fig:circuit2002_LP1}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/circuit2002_LP1.png}
% circuit2002_LP1.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Circuit showing functional groups modelled so far.}
\label{fig:circuit2002_LP1}
\end{figure}
\paragraph{Second order Sallen Key Low Pass Filter.}
The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
From a failure mode perspective these are identical.
We can analyse the first one and then re-use these results for the second.
\begin{table}[ht]
\caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{SKLP} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & SKLPHigh \\
TC2: $OPAMP$ LatchDown & Output Low & SKLPLow \\
TC3: $OPAMP$ No Operation & Output Low & SKLPLow \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & SKLPfilterIncorrect \\ \hline
TC5: R1 OPEN & No input signal & SKLPfilterIncorrect \\
TC6: R1 SHORT & incorrect low pass filtering & SKLPfilterIncorrect \\ \hline
TC7: R2 OPEN & No input signal & SKLPnosignal \\
TC8: R2 SHORT & incorrect low pass filtering & SKLPfilterIncorrect \\ \hline
TC9: C1 OPEN & reduced/incorrect low pass filtering & SKLPfilterIncorrect\\
TC10: C1 SHORT & reduced/incorrect low pass filtering & SKLPfilterIncorrect \\ \hline
TC11: C2 OPEN & reduced/incorrect low pass filtering & SKLPfilterIncorrect \\
TC12: C2 SHORT & No input signal, low signal & SKLPnosignal \\ \hline
\hline
\end{tabular}
\label{tbl:sallenkeylp}
\end{table}
We can now create a derived component to represent the Sallen Key low pass filter (see table~\ref{tbl:sallenkeylp}), which we call $SKLP$.
$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPfilterIncorrect, SKLPnosignal \} $$
\paragraph{A failure mode model of Op-Amp Circuit 2.}
We now have {\dcs} representing the three stages of this filter,
and these follow the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}).
As the signal has to pass through each block/stage
in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg}
in order to get a failure mode model for the whole circuit.
We can index the Sallen Key stages; these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002_FIVEPOLE.png}
% circuit2002_FIVEPOLE.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Functional Groups in Five Pole Low Pass Filter: shown as an Euler diagram super-imposed onto the electrical schematic.}
\label{fig:circuit2002_FIVEPOLE}
\end{figure}
\pagebreak[4]
So our final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$.
We represent the desired FMMD hierarchy in figure~\ref{fig:circuit2h}.
% HTR 20OCT2012 \begin{figure}[h]+
% HTR 20OCT2012 \centering
% HTR 20OCT2012 \includegraphics[width=300pt]{CH5_Examples/circuit2h.png}
% HTR 20OCT2012 % circuit2h.png: 676x603 pixel, 72dpi, 23.85x21.27 cm, bb=0 0 676 603
% HTR 20OCT2012 \caption{FMMD Hierarchy for five pole Low Pass Filter}
% HTR 20OCT2012 \label{fig:circuit2h}
% HTR 20OCT2012\end{figure}
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/eulerfivepole.png}
% eulerfivepole.png: 883x343 pixel, 72dpi, 31.15x12.10 cm, bb=0 0 883 343
\caption{Euler diagram showing {\fg}/{\dc} relationships for the analysis of the Five Pole Sallen Key filter.}
\label{fig:circuit2h}
\end{figure}
%\pagebreak[4]
%$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$
%$$ fm(LP1) = \{ LP1High, LP1Low, LP1ExtraLowPass, LP1NoLowPass \} $$
\begin{table}[ht]
\caption{Five Pole Low Pass Filter: Failure Mode Effects Analysis($FivePoleLP$): Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{$FivePoleLP$ } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $LP1$ LP1High & signal HIGH & HIGH \\
TC2: $LP1$ LP1Low & signal LOW & LOW \\
TC3: $LP1$ LP1filterincorrect & filtering incorrect & FilterIncorrect \\
TC4: $LP1$ LP1nosignal & no signal propagated & NO\_SIGNAL \\ \hline
TC5: $SKLP_1$ High & signal HIGH & HIGH \\
TC6: $SKLP_1$ Low & signal LOW & LOW \\
TC7: $SKLP_1$ filterIncorrect & filtering incorrect & FilterIncorrect \\
TC8: $SKLP_1$ nosignal & no signal propagated & NO\_SIGNAL \\ \hline
TC9: $SKLP_2$ High & signal HIGH & HIGH \\
TC10: $SKLP_2$ Low & signal LOW & LOW \\
TC11: $SKLP_2$ filterIncorrect & filtering incorrect & FilterIncorrect \\
TC12: $SKLP_2$ nosignal & no signal propagated & NO\_SIGNAL \\ \hline
\hline
\hline
\end{tabular}
\label{tbl:fivepole}
\end{table}
We can now create a {\dc} to represent the circuit in figure~\ref{fig:circuit2}; we call it
$FivePoleLP$, and applying the $fm$ function to it (see table~\ref{tbl:fivepole}) yields $fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}$.
\pagebreak[4]
The failure modes for the low pass filters are very similar, and the propagation of the signal
is simple (as it is never inverted). The circuit under analysis consists -- as shown in the block diagram (see figure~\ref{fig:blockdiagramcircuit2}) -- of
three op-amp driven non-inverting low pass filter elements. It is not surprising, therefore, that they have very similar failure modes.
From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$
could be easily detected; the failure symptom $FilterIncorrect$ may be less observable.
\clearpage
\section{Quad Op-Amp Oscillator}
\label{sec:bubba}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit3003.png}
% circuit3003.png: 503x326 pixel, 72dpi, 17.74x11.50 cm, bb=0 0 503 326
\caption{Circuit 3}
\label{fig:circuit3}
\end{figure}
%\clearpage
%\section{Standard Non-inverting OP AMP}
This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37].
The circuit implements an oscillator using four 45 degree phase shifts, and an inverting amplifier to provide
gain and the final 180 degrees of phase shift (making 360 degrees in total).
The circuit provides two outputs with a quadrature phase relationship.
%
From a fault finding perspective this circuit cannot be de-composed, because the whole circuit is enclosed within a feedback loop.
However, this is not a problem for FMMD, as {\fgs} are readily identifiable.
The signal path is circular (it is a positive feedback circuit) and most failures would simply cause the output to stop oscillating.
%The top level failure modes for the FMMD hierarchy bear this out.
%However, FMMD is a bottom -up analysis methodology and we can therefore still identify
%{\fgs} and apply analysis from a failure mode perspective.
%
% METRICS If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with
% METRICS ($4.4 +10 \times 2 = 36$) failure modes. Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$.
% METRICS We now create FMMD models and compare the complexity of FMMD and FMEA.
%
We start the FMMD process by determining {\fgs}.
We initially identify three types of {\fg}: an inverting amplifier (analysed in section~\ref{sec:invamp}),
a 45 degree phase shifter (a $10\,k\Omega$ resistor and a $10\,nF$ capacitor) and a non-inverting buffer
amplifier. We name these $INVAMP$, $PHS45$ and $NIBUFF$ respectively.
We can use these {\fgs} to describe the circuit in block diagram form, with arrows indicating the signal path, in figure~\ref{fig:bubbablock}.
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/bubba_oscillator_block_diagram.png}
% bubba_oscillator_block_diagram.png: 720x295 pixel, 72dpi, 25.40x10.41 cm, bb=0 0 720 295
\caption{Circuit 3: Electrical signal path block diagram of the `Bubba' oscillator, showing the circular circuit topology.}
\label{fig:bubbablock}
\end{figure}
We can now analyse each of these {\fgs} and create failure mode models for them, and from these
determine {\dcs}.
\subsection{Inverting Amplifier: INVAMP}
This has been analysed in section~\ref{sec:invamp}.
The inverting amplifier, as a {\dc}, has the following failure modes:
$$ fm(INVAMP) = \{ AMP\_High, AMP\_Low, LowPass \}. $$ % \{ HIGH, LOW, LOW PASS \}. $$
% METRICS and has a CC of 10.
\subsection{Phase shifter: PHS45}
This consists of a resistor and a capacitor. We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ --
and we now need to see how these failure modes would affect the phase shifter. Note that the circuit here
is identical in topology to the first order low pass filter (see section~\ref{sec:lp}), but its intended use is different.
We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}.
Our functional group for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$.
\begin{table}[h+]
\caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firstorderlp}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\
% & & \textbf{Low Pass Filter} & & \\
\textbf{Failure} & \textbf{$PHS45$ } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
FS1: R SHORT & 0 degree's of phase shift & $0\_phaseshift$ \\ \hline
% 90 degree's of phase shift & & $90\_phaseshift$ \\ \hline
FS2: R OPEN & No Signal & $nosignal$ \\ \hline
FS3: C SHORT & Grounded,No Signal & $nosignal$ \\ \hline
FS4: C OPEN & 0 degree's of phase shift & $0\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
% PHS45
$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} $$
%$$ CC(G_0) = 4 \times 1 = 4 $$
%23SEP2012
\subsection{Non Inverting Buffer: NIBUFF.}
The non-inverting buffer functional group consists of one component, an op-amp.
We use the failure modes for an op-amp~\cite[p.3-116]{fmd91} to represent this group.
% GARK
$$ fm(NIBUFF) = fm(OPAMP) = \{ L_{up}, L_{dn}, N_{oop}, L_{slew} \} $$
Because we obtain the failure modes for $NIBUFF$ from the literature,
its comparison complexity is zero: in re-using {\dcs} we expend no extra analysis effort.
$$ CC(NIBUFF) = 0 $$
%\subsection{Forming a functional group from the PHS45 and NIBUFF.}
% describe what we are doing, a buffered 45 degree phase shift element
\subsection{Bringing the functional groups together: FMMD model of the `Bubba' Oscillator.}
We could at this point bring all the {\dcs} together into one large functional
group (see figure~\ref{fig:bubbaeuler1}) %{fig:poss1finalbubba})
or we could try to merge smaller stages.
Initially we use the first identified {\fgs} to create our model without further stages of refinement/hierarchy.
\subsection{FMMD Analysis using initially identified functional groups}
Our functional group for this analysis can be expressed thus (repeated instances of a {\dc} are subscripted):
%
%$$ G^1_0 = \{ PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} ,$$
$$ G = \{ PHS45_1, NIBUFF_1, PHS45_2, NIBUFF_2, PHS45_3, NIBUFF_3, PHS45_4, INVAMP \} ,$$
or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}.
% HTR 23SEP2012 \begin{figure}[h+]
% HTR 23SEP2012 \centering
% HTR 23SEP2012 \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png}
% HTR 23SEP2012 % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
% HTR 23SEP2012 \caption{Bubba Oscillator: One large functional group using the initial functional groups to model oscillator.}
% HTR 23SEP2012 \label{fig:poss1finalbubba}
% HTR 23SEP2012 \end{figure}
%
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/bubba_euler_1.png}
% bubba_euler_1.png: 946x404 pixel, 72dpi, 33.37x14.25 cm, bb=0 0 946 404
\caption{Euler diagram showing the hierarchy of the initial FMMD analysis performed on the Bubba Oscillator circuit.}
\label{fig:bubbaeuler1}
\end{figure}
%
\begin{table}[h+]
\caption{Bubba Oscillator: Failure Mode Effects Analysis: One Large Functional Group} % title of Table
\label{tbl:bubbalargefg}
\begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Bubba} & & \textbf{Symptom} \\
% & & \textbf{Oscillator} & & \\
\textbf{Failure} & & \textbf{$BubbaOscillator$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
% FS3: $PHS45_1$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS3: $NIBUFF_1$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS4: $NIBUFF_1$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS5: $NIBUFF_1$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS6: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS7: $PHS45_2$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS8: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
%FS10: $PHS45_2$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS9: $NIBUFF_2$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS10: $NIBUFF_2$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS11: $NIBUFF_2$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS12: $NIBUFF_2$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS13: $PHS45_3$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS14: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
% FS17: $PHS45_3$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS15: $NIBUFF_3$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS16: $NIBUFF_3$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS17: $NIBUFF_3$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS18: $NIBUFF_3$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS19: $PHS45_4$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS20: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
% FS24: $PHS45_4$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS21: $INVAMP$ $OUTOFRANGE$ & & signal lost & & $NO_{osc}$ \\
FS22: $INVAMP$ $ZEROOUTPUT$ & & signal lost & & $NO_{osc}$ \\
FS23: $INVAMP$ $NOGAIN$ & & signal lost & & $NO_{osc}$ \\
FS24: $INVAMP$ $LOWPASS$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS1: $CAP_{10nF}$ $OPEN$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
% FS1: $CAP_{10nF}$ $SHORT$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:bubbalargefg} we can show that for single failure modes, applying $fm$ to the Bubba oscillator
returns two failure modes,
%
$$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$ %, LO_{fosc} \} . $$
%
%For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}.
%$$ CC = 28 \times 8 = 224$$
%
%To obtain the total comparison complexity ($TCC$), we need to add the complexity from the
%{\dcs} that $BubbaOscillator$ was built from.
%
%$$ TCC = 28 \times 8 + 4 \times 4 + 4 \times 0 + 10 = 250$$
%
%As we have re-used the analysis for BUFF45 we could even reasonably remove
%$3 \times 4=12$ from this result, because the results from $BUFF45$ have been used four times.
%Traditional FMEA would have lead us to a much higher comparison complexity
%of $468$ failure modes to check against components.
%However,
The analysis here appears top-heavy; we should be able to refine the model more
and break this down into smaller functional groups, by allowing more stages of hierarchy.
%and hopefully
%this should lead a further reduction in the complexity comparison figure.
By decreasing the size of the modules with further refinement,
we may also discover new derived components that may be of use for other analyses in the future.
\clearpage
\subsection{FMMD Analysis of Bubba Oscillator using a finer grained modular approach (i.e. more hierarchical stages)}
The example above---from the initial {\fgs}---used one very large functional group to model the circuit.
%This mean a quite large comparison complexity for this final stage.
We should be able to determine smaller {\fgs} and refine the model further.
% HTR 23SEP2012 \begin{figure}[h+]
% HTR 23SEP2012 \centering
% HTR 23SEP2012 \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss2finalbubba.png}
% HTR 23SEP2012 % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
% HTR 23SEP2012 \caption{Bubba Oscillator: Smaller Functional Groups, One more FMMD hierarchy stage.}
% HTR 23SEP2012 \label{fig:poss2finalbubba}
% HTR 23SEP2012 \end{figure}
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/bubba_euler_2.png}
% bubba_euler_2.png: 1241x617 pixel, 72dpi, 43.78x21.77 cm, bb=0 0 1241 617
\caption{Euler diagram showing functional groupings for the Bubba oscillator using a more de-composed approach.}
\label{fig:bubbaeuler2}
\end{figure}
%
We take the pre-analysed $NIBUFF$ and $PHS45$
{\dcs} into a {\fg}, giving the {\dc} $BUFF45$.
$BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
Three $BUFF45$ {\dcs} then form a $PHS135BUFFERED$
functional group.
$PHS135BUFFERED$ is a {\dc} representing an actively buffered $135^{\circ}$ phase shifter.
%
The remaining $PHS45$ {\dc} and an inverting amplifier\footnote{Inverting amplifiers always apply a $180^{\circ}$ phase shift.}
form a {\fg}
providing an amplified $225^{\circ}$ phase shift, which we can call $PHS225AMP$.
%
%---with the remaining $PHS45$ and the $INVAMP$ (re-used from section~\ref{sec:invamp})in a second group $PHS225AMP$---
Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see figure~\ref{fig:bubbaeuler2}). % \ref{fig:poss2finalbubba})
%
%We can take a more modular approach by creating two intermediate functional groups, a buffered $45^{\circ}$ phase shifter (BUFF45)
%we can combine three $BUFF45$'s to make
%a $135^{\circ}$ buffer phase shifter (PHS135BUFFERED).
%
%We can combine a $PHS45$ and a $NIBUFF$ to create
%and an amplifying $225^{\circ}$ phase shifter (PHS225AMP).
%
% By combining PHS225AMP and PHS135BUFFERED we can create a more modularised hierarchical
% model of the bubba oscillator.
% The proposed hierarchy is shown in figure~\ref{fig:poss2finalbubba}.
%
\begin{table}[h+]
\caption{BUFF45: Failure Mode Effects Analysis} % title of Table
\label{tbl:buff45}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{BUFF45} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$BUFF45$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $0\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
%FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $90\_phaseshift$ \\ \hline
FS3: $NIBUFF_1$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS4: $NIBUFF_1$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS5: $NIBUFF_1$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS6: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
%
Collecting symptoms from table~\ref{tbl:buff45}, we can create a derived component $BUFF45$ which has the following failure modes:
$$
fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \}. % 90\_phaseshift,
$$
%
%$$ CC(BUFF45) = 7 \times 1 = 7 $$
%
We can now combine three $BUFF45$ {\dcs} and create a $PHS135BUFFERED$ {\dc}.
%
\begin{table}[h+]
\caption{PHS135BUFFERED: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs135buffered}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{PHS135 Buffered} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$PHS135BUFFERED$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline
FS1: $BUFF45_1$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS2: $BUFF45_1$ $NO\_signal$ & & signal lost & & $NO_{signal}$ \\
%FS3: $BUFF45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS3: $BUFF45_2$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS4: $BUFF45_2$ $NO\_signal$ & & signal lost & & $NO_{signal}$ \\
% FS6: $BUFF45_2$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS5: $BUFF45_3$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS6: $BUFF45_3$ $NO\_signal$ & & signal lost & & $NO_{signal}$ \\
% FS9: $PHS45_3$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
%
%
Collecting symptoms from table~\ref{tbl:phs135buffered}, we can create a derived component $PHS135BUFFERED$ which has the following failure modes:
$$
fm (PHS135BUFFERED) = \{ 90\_phaseshift, NO\_signal \}. % 180\_phaseshift,
$$
%
%
%$$ CC (PHS135BUFFERED) = 3 \times 2 = 6 $$
%
%
%
The $PHS225AMP$ consists of a $PHS45$, providing $45^{\circ}$ of phase shift, and an
$INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$.
%
\begin{table}[h+]
\caption{PHS225AMP: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{PHS225AMP} & & \textbf{Symptom} \\
% & & \textbf{Oscillator} & & \\
\textbf{Failure} & & \textbf{$PHS225AMP$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $180\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
% FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $270\_phaseshift$ \\ \hline
FS3: $INVAMP$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS4: $INVAMP$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS5: $INVAMP$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS6: $INVAMP$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
%
Collecting symptoms from table~\ref{tbl:phs225amp}, we can create a derived component $PHS225AMP$ which has the following failure modes:
$$
fm (PHS225AMP) = \{ 180\_phaseshift, NO\_signal \}. % 270\_phaseshift,
$$
%
%$$ CC(PHS225AMP) = 7 \times 1 $$
%
%
%
%
To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together
and perform FMEA with these, to obtain a model for the Bubba Oscillator.
%
\begin{table}[h+]
\caption{BUBBAOSC: Failure Mode Effects Analysis} % title of Table
\label{tbl:bubba2}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{BUBBAOSC} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$BUBBAOSC$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline
%FS1: $PHS135BUFFERED$ $180\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS1: $PHS135BUFFERED$ $NO\_signal$ & & signal lost & & $NO_{osc}$ \\
FS2: $PHS135BUFFERED$ $90\_phaseshift$ & & phase shift low & & $HI_{fosc}$ \\ \hline
% FS4: $PHS225AMP$ $270\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS3: $PHS225AMP$ $180\_phaseshift$ & & phase shift low & & $HI_{fosc}$ \\
FS4: $PHS225AMP$ $NO\_signal$ & & signal lost & & $NO_{osc}$ \\ \hline
\hline
\end{tabular}
\end{table}
%
Collecting symptoms from table~\ref{tbl:bubba2}, we can create a derived component $BUBBAOSC$ which has the following failure modes,
the same symptoms as the single large functional group gave in table~\ref{tbl:bubbalargefg}:
$$
fm (BUBBAOSC) = \{ HI_{fosc}, NO_{osc} \}. % LO_{fosc},
$$
%
%We could trace the DAGs here and ensure that both analysis strategies worked ok.....
%
%$$ CC(BUBBAOSC) = 6 \times (2-1) = 6 $$
%
%
% We can now add the comparison complexities for all levels of the analysis represented in figure~\ref{fig:poss2finalbubba}.
% We have at the lowest level two $PHS45$ {\dcs} giving a CC of 8 and $INVAMP$ with a CC of 10,
% at the next level four $BUFF45$ {\dcs} giving $(4-1).7=21$,
% and penultimately $PHS135BUFFERED$ with 6 and $PHS225AMP$ with 7.
% The final top stage of the hierarchy, $BUBBAOSC$ has a CC of 6.
% Our total comparison complexity is $58$, this contrasts with $468$ for traditional `flat' FMEA,
% and $250$ for our first stage functional groups analysis.
% This has meant a drastic reduction in the number of failure-modes to check against components.
This finer grained analysis has %also
given us five {\dcs}, building blocks, which could potentially be re-used for similar circuitry
to analyse in the future.
%
%
\subsection{Comparing both approaches}
%
%In general with large functional groups the comparison complexity
%is higher, by an order of $O(N^2)$.
Smaller functional groups mean fewer by-hand checks are required.
They also give a more finely grained model. This means that
there are more {\dcs}, and this increases the potential for re-use of pre-analysed {\dcs}.
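As an added worked example (not the thesis's own code or tooling), the following Python encodes the single-failure tables of this section as data and performs the symptom-collection step mechanically for both decompositions: it rejects a table that misses a failure mode of any member, confirms that the one-large-group and the hierarchical analyses yield the same top-level failure modes, and counts the by-hand checks each required. It takes $INVAMP$ as the pre-analysed {\dc} with $fm(INVAMP) = \{AMP\_High, AMP\_Low, LowPass\}$, each mode mapped to loss of signal as in the tables; the \texttt{trace} function, which walks a top-level symptom back to base component failure modes, is an added convenience rather than a step the chapter performs.

```python
"""FMMD symptom collection for the Bubba oscillator, worked mechanically.

Added example, not the thesis's own code.  Base failure modes and table rows
follow this section; INVAMP is taken as the pre-analysed derived component
fm(INVAMP) = {AMP_High, AMP_Low, LowPass}, each mode mapped to loss of signal
as in the tables.  trace() is an added convenience for walking the hierarchy.
"""

# fm() for the components the functional groups are built from.
FM = {
    "R": {"OPEN", "SHORT"},
    "C": {"OPEN", "SHORT"},
    "NIBUFF": {"L_up", "L_dn", "N_oop", "L_slew"},  # op-amp modes from the literature
    "INVAMP": {"AMP_High", "AMP_Low", "LowPass"},   # pre-analysed derived component
}

# name -> (members, table).  `members` lists one entry per instance; `table`
# maps (member, failure mode) to the symptom seen at the group's output.
GROUPS = {}


def define_group(name, members, table):
    """Check the single-failure table is complete (every failure mode of every
    member has a row), derive fm(name) by collecting symptoms, and return
    (fm set, number of by-hand checks the table required)."""
    symptoms, checks = set(), 0
    for member in members:
        for mode in sorted(FM[member]):
            if (member, mode) not in table:
                raise ValueError(f"{name}: no row for {member} {mode}")
            symptoms.add(table[(member, mode)])
            checks += 1
    FM[name] = symptoms
    GROUPS[name] = (members, table)
    return symptoms, checks


def all_modes_to(member, symptom):
    """Rows mapping every failure mode of `member` to the same symptom."""
    return {(member, mode): symptom for mode in FM[member]}


def trace(name, symptom):
    """Base-level (component, failure mode) pairs that produce `symptom` at
    derived component `name`, found by descending the FMMD hierarchy."""
    if name not in GROUPS:                  # base component or literature-derived dc
        return {(name, symptom)}
    members, table = GROUPS[name]
    found = set()
    for member in set(members):
        for mode in FM[member]:
            if table[(member, mode)] == symptom:
                found |= trace(member, mode)
    return found


# PHS45 is derived once and shared by both decompositions.
PHS45, PHS45_CHECKS = define_group("PHS45", ["R", "C"], {
    ("R", "SHORT"): "0_phaseshift", ("R", "OPEN"): "nosignal",
    ("C", "SHORT"): "nosignal",     ("C", "OPEN"): "0_phaseshift",
})


def flat_analysis():
    """One large functional group of the initially identified groups."""
    members = ["PHS45", "NIBUFF"] * 3 + ["PHS45", "INVAMP"]
    table = {("PHS45", "0_phaseshift"): "HI_fosc", ("PHS45", "nosignal"): "NO_osc",
             **all_modes_to("NIBUFF", "NO_osc"), **all_modes_to("INVAMP", "NO_osc")}
    return define_group("BubbaOscillator", members, table)


def hierarchical_analysis():
    """BUFF45 / PHS135BUFFERED / PHS225AMP stages; returns fm(BUBBAOSC) and
    the total checks over all four tables."""
    _, c1 = define_group("BUFF45", ["PHS45", "NIBUFF"], {
        ("PHS45", "0_phaseshift"): "0_phaseshift", ("PHS45", "nosignal"): "NO_signal",
        **all_modes_to("NIBUFF", "NO_signal")})
    _, c2 = define_group("PHS135BUFFERED", ["BUFF45"] * 3, {
        ("BUFF45", "0_phaseshift"): "90_phaseshift", ("BUFF45", "NO_signal"): "NO_signal"})
    _, c3 = define_group("PHS225AMP", ["PHS45", "INVAMP"], {
        ("PHS45", "0_phaseshift"): "180_phaseshift", ("PHS45", "nosignal"): "NO_signal",
        **all_modes_to("INVAMP", "NO_signal")})
    fm_osc, c4 = define_group("BUBBAOSC", ["PHS135BUFFERED", "PHS225AMP"], {
        ("PHS135BUFFERED", "90_phaseshift"): "HI_fosc",
        ("PHS135BUFFERED", "NO_signal"): "NO_osc",
        ("PHS225AMP", "180_phaseshift"): "HI_fosc",
        ("PHS225AMP", "NO_signal"): "NO_osc"})
    return fm_osc, c1 + c2 + c3 + c4


if __name__ == "__main__":
    flat_fm, flat_checks = flat_analysis()
    hier_fm, hier_checks = hierarchical_analysis()
    print("flat:        ", sorted(flat_fm), "after", flat_checks, "checks")
    print("hierarchical:", sorted(hier_fm), "after", hier_checks, "checks")
    print("HI_fosc traces to:", sorted(trace("BUBBAOSC", "HI_fosc")))
```

Note that the check counts depend on the failure mode set chosen for $INVAMP$; the point is the comparison between the two decompositions, not the absolute numbers.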
% HTR The more we can modularise, the more we decimate the $O(N^2)$ effect
% HTR of complexity comparison.
%
\clearpage
\section{Sigma Delta Analogue to Digital Converter (\sd).} %($\Sigma \Delta ADC$)}
\label{sec:sigmadelta}
The following example is used to demonstrate FMMD analysis of a mixed analogue and digital circuit (see figure~\ref{fig:sigmadelta}).
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./CH5_Examples/circuit4004.png}
% circuit4004.png: 562x389 pixel, 72dpi, 19.83x13.72 cm, bb=0 0 562 389
\caption{Sigma Delta Analogue to Digital Converter}
\label{fig:sigmadelta}
\end{figure}
%
\nocite{f77}
\nocite{sccs}
\nocite{electronicssysapproach}
%
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{./CH5_Examples/sigma_delta_block.png}
% sigma_delta_block.png: 828x367 pixel, 72dpi, 29.21x12.95 cm, bb=0 0 828 367
\caption{Electrical signal path Block diagram: \sd} % Analogue to Digital Converter }
\label{fig:sigmadeltablock}
\end{figure}
\paragraph{How the circuit works.}
A detailed description of \sd may be found in~\cite[pp.69-80]{mixedsignaldsp}.
The diagram in figure~\ref{fig:sigmadeltablock} shows the signal path used
by this configuration of \sd.
%
It works by placing the analogue voltage to be read into
a mixed analogue and digital feedback circuit.
%
A summing junction and integrator are used to compare the negative feedback
signal with the input.
%
The output of the integrator is converted to a digital level (by IC2)
%digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic)
%which acts as a comparator,
and fed to the D type flip flop.
%
The output of the flip flop forms a bit pattern representing the value
of the input voltage.
%
The output of the flip flop is also routed to the feedback path.
It is level converted to an analogue signal
(i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage)
and fed into the summing integrator, completing the negative feedback loop.
%
In essence this implements an over-sampling analogue to digital converter~\cite[pp.729-730]{ehb}.
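As an added example (not part of the thesis), the following Python behavioural model of the signal path just described shows how the density of ones in the flip flop's bit stream tracks the input voltage, and what the output does when the level converter's output is stuck. The $\pm v_{ref}$ feedback swing, the number of clocks and the \texttt{dl2al\_fault} hook are assumptions for illustration.

```python
"""Behavioural model of the sigma-delta loop described above.

Added example, not the thesis's own code.  It follows the block diagram:
summing junction and integrator (IC1, C1), the stage that turns the
integrator output into a logic level (IC2), the clocked D type flip flop
(IC4) and the digital-to-analogue level conversion (IC3, R3/R4) closing
the negative feedback loop.  The +/- v_ref swing, the clock count and the
`dl2al_fault` hook (forcing the level converter's output) are assumptions.
"""


def sigma_delta(v_in, v_ref=1.0, n_clocks=4000, dl2al_fault=None):
    """Return the bit stream clocked out of the flip flop for a DC input.

    Per clock: the level converter turns the latched bit into +v_ref (1) or
    -v_ref (0); the integrator accumulates (v_in - v_fb); IC2 converts the
    integrator's sign to a logic level; the flip flop latches it.
    dl2al_fault is None (healthy), "HIGH" or "LOW" (output stuck)."""
    if not -v_ref < v_in < v_ref:
        raise ValueError("v_in must lie strictly inside +/- v_ref")
    integrator = 0.0
    bit = 0            # flip flop output before the first clock
    bits = []
    for _ in range(n_clocks):
        if dl2al_fault == "HIGH":          # DL2AL stuck at +v_ref
            v_fb = v_ref
        elif dl2al_fault == "LOW":         # DL2AL stuck at -v_ref
            v_fb = -v_ref
        else:
            v_fb = v_ref if bit else -v_ref
        integrator += v_in - v_fb          # SUMJINT: sum and integrate
        bit = 1 if integrator > 0 else 0   # IC2: analogue -> digital level
        bits.append(bit)                   # IC4: latched on this clock edge
    return bits


def decode(bits, v_ref=1.0):
    """Recover the input voltage from the density of ones in the stream:
    the loop forces the mean feedback voltage to track v_in, so the error
    shrinks with the number of clocks (the integrator stays bounded)."""
    density = sum(bits) / len(bits)
    return (2.0 * density - 1.0) * v_ref


if __name__ == "__main__":
    print("healthy   :", round(decode(sigma_delta(0.25)), 4))
    print("DL2AL HIGH:", decode(sigma_delta(0.25, dl2al_fault="HIGH")))  # reads -v_ref
    print("DL2AL LOW :", decode(sigma_delta(0.25, dl2al_fault="LOW")))   # reads +v_ref
```

With the level converter stuck, the flip flop output is permanently low (or high) and the decoded value sits at one end of the range, which is the stuck output and out-of-range behaviour the failure mode tables below record for the $DL2AL$ stage.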
\subsection{FMMD analysis of \sd }
%The partslist for the \sd :
%
%$$\{ IC1, IC2, IC3, IC4, R1, R2, R3, R4, C1 \} $$.
%
The parts for the \sd are a mixture of analogue (resistors, capacitors, op-amps) and digital
(D type flip flop and a digital clock) components. We examine the failure modes of all components in this circuit below.
%
IC1, IC2 and IC3 are all op-amps and we take their failure modes from section~\ref{sec:opamp_fms}.
%
$$ fm(OPAMP) = \{ HIGH, LOW, NOOP, LOW\_SLEW \} $$
%
We examine the literature for a failure model for the D-type flip flop~\cite[3-105]{fmd91}, the CD4013B~\cite{cd4013Bds},
and obtain its failure modes, which we can express using the $fm$ function:
%%
$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
%
The resistor and capacitor failure modes we take from EN298~\cite[An.A]{en298}:
%
$$ fm ( R ) = \{OPEN, SHORT\} $$
%
$$ fm ( C ) = \{OPEN, SHORT\} $$
%
We are also given a CLOCK. For the purpose of this example we attribute
one failure mode to it, that it might stop.
%
$$ fm ( CLOCK ) = \{ STOPPED \} $$
\subsection{Identifying initial {\fgs}}
\subsubsection{Summing Junction Integrator (SUMJINT)}
We now need to choose {\fgs}. The most obvious way to find initial {\fgs} is
to follow the signal path. The signal path is circular, but we can start
with the input voltage, which is applied via $R2$; we term this voltage $V_{in}$.
%
The feedback voltage for the ADC is supplied via $R1$; we term this voltage $V_{fb}$.
%The input voltage is supplied via $R2$ and we term this voltage as $V_{in}$.
$R2$ and $R1$ form a summing junction to IC1: they balance the integrator provided
by the capacitor C1 and the op-amp IC1.
This can be our first {\fg} and we analyse it in table~\ref{tbl:sumjint}.
%For the symptoms, we have to think in terms of the effect
%on its performance as a summing junction and not be
%distracted by the integrator formed by $C_1$ and $IC1$.
%
$$FG = \{R1, R2, IC1, C1 \}$$
\begin{table}[h+]
\center
\caption{Summing Junction Integrator($SUMJINT$): Failure Mode Effects Analysis} % title of Table
\label{tbl:sumjint}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$SUMJINT$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline\hline
FS1: $R1$ $OPEN$ & & $V_{in}$ dominates input & & $V_{in} DOM$ \\
FS2: $R1$ $SHORT$ & & $V_{fb}$ dominates input & & $V_{fb} DOM$ \\ \hline
FS3: $R2$ $OPEN$ & & $V_{fb}$ dominates input & & $V_{fb} DOM$ \\
FS4: $R2$ $SHORT$ & & $V_{in}$ dominates input & & $V_{in} DOM$ \\ \hline
FS5: $IC1$ $HIGH$ & & output perm. high & & HIGH \\
FS6: $IC1$ $LOW$ & & output perm. low & & LOW \\ \hline
FS7: $IC1$ $NOOP$ & & no current to drive C1 & & NO\_INTEGRATION \\
FS8: $IC1$ $LOW\_SLEW$ & & signal delay to C1 & & NO\_INTEGRATION \\ \hline
FS9: $C1$ $OPEN$ & & no capacitance & & NO\_INTEGRATION \\
FS10: $C1$ $SHORT$ & & no capacitance & & NO\_INTEGRATION \\ \hline
% \hline
% FS1: $IC2$ $HIGH$ & & output perm. high & & HIGH \\
% FS2: $IC2$ $LOW$ & & output perm. low & & LOW \\ \hline
% FS3: $IC2$ $NOOP$ & & no current drive & & LOW \\
% FS4: $IC2$ $LOW\_SLEW$ & & delayed signal & & LOW\_SLEW \\ \hline
% \hline
\hline
\end{tabular}
\end{table}
%
%
% \end{tabular}
% \end{table}
From the analysis in table~\ref{tbl:sumjint} we collect symptoms,
create the derived component
$SUMJINT$ and assign it the failure modes collected above.% which has the failure modes from collecting its symptoms.
We now state:
$$ fm(SUMJINT) = \{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
\clearpage
\subsubsection{High Impedance Signal Buffer (HISB)}
Next in the signal path (see figure~\ref{fig:sigmadeltablock}) is a signal buffer.
This presents a high impedance to the circuit driving it.
This prevents electrical loading of, and thus interference with, the SUMJINT stage.
This is simply an op-amp
with the input connected to the +ve input and the -ve input grounded.
It therefore has the failure modes of an op-amp.
As it is performing one particular function
we may consider it as a derived component, that of a High Impedance Signal Buffer (HISB),
which we analyse in table~\ref{tbl:hisb}.
\begin{table}[h+]
\centering
\caption{ High Impedance Signal Buffer : Failure Mode Effects Analysis} % title of Table
\label{tbl:hisb}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result} & & \textbf{Symptom} \\
% & & & & \\
\textbf{Failure} & & \textbf{$HISB$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline\hline
FS1: $IC2$ $HIGH$ & & output perm. high & & HIGH \\
FS2: $IC2$ $LOW$ & & output perm. low & & LOW \\
FS3: $IC2$ $NOOP$ & & no current to output & & $NOOP$ \\
FS4: $IC2$ $LOW\_SLEW$ & & delayed signal & & $LOW\_SLEW$ \\ \hline
\hline
\end{tabular}
\end{table}
% \hline
%
% \end{tabular}
% \end{table}
We create the {\dc} $HISB$ and its failure modes may be stated as $$fm(HISB) = \{HIGH, LOW, NOOP, LOW\_SLEW \}.$$
\subsubsection{Digital level to analogue level conversion ($DL2AL$).}
The integrator is implemented in analogue electronics, but the output from the D type flip flop is a digital signal.
A conversion stage is required to interface these stages.
Digital level to analogue level conversion is performed by IC3 in conjunction with a potential divider formed by R3 and R4.
The potential divider provides a mid rail reference voltage
to the inverting input of IC3.
\paragraph{Potential divider formed by R3,R4.}
We re-use the analysis from table~\ref{tbl:pdfmea}, and use the derived component $PD$
to represent the potential divider formed by R3 and R4.
$$
fm(PD) = \{ HIGH, LOW \}.
$$
%
IC3 is an op-amp and has the failure modes
$$fm(IC3) = \{ HIGH, LOW, NOOP, LOW\_SLEW \} . $$
%
The digital signal is supplied to the non-inverting input.
The output is a voltage level in the analogue domain, $-V$ or $+V$.
%
We now form a {\fg} from $PD$ and $IC3$.
%
$$ FG = \{ PD , IC3 \} $$
%
We now analyse the {\fg} $FG$ in table~\ref{tbl:DS2AS}.
\begin{table}[h+]
\center
\caption{$PD , IC3$ Digital level to analogue level converter: Failure Mode Effects Analysis} % title of Table
\label{tbl:DS2AS}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$DL2AL$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline \hline
FS1: $PD$ $HIGH$ & & output perm. low & & LOW \\
FS2: $PD$ $LOW$ & & output perm. high & & HIGH \\ \hline
\hline
FS3: $IC3$ $HIGH$ & & output perm. high & & HIGH \\
FS4: $IC3$ $LOW$ & & output perm. low & & LOW \\
FS5: $IC3$ $NOOP$ & & no current drive & & LOW \\
FS6: $IC3$ $LOW\_SLEW$ & & delayed signal & & $LOW\_SLEW$ \\ \hline
\hline
\end{tabular}
\end{table}
We collect the symptoms of failure $\{ LOW, HIGH, LOW\_SLEW \}$.
We can now derive a new component to represent the level conversion and call it $DL2AL$.
$$ DL2AL = D(FG = \{ PD , IC3 \}) $$
$$ fm (DL2AL) = \{ LOW, HIGH, LOW\_SLEW \} $$
\clearpage
\subsubsection{$DIGBUF$ --- digital clocked memory (flip-flop).}
%
% This is a single component as a {\fg}, and we can state
% $$ fm (DCM) = \{ HIGH, LOW, NOOP \} $$
The digital element of the {\sd} is the one bit memory, or D type flip flop. This
buffers the feedback result and provides the output bit stream.
We create a {\fg} from the CLOCK and IC4 to model this digital buffer.
$$FG = \{ IC4, CLOCK \}$$
%% DIGBUF --- Digital Buffer
We now analyse this {\fg} in table~\ref{tbl:digbuf}.
\begin{table}[h+]
\center
\caption{$ IC4, CLOCK $ Digital Buffer: Failure Mode Effects Analysis} % title of Table
\label{tbl:digbuf}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$DIGBUF$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
%$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
\hline \hline
FS1: $CLOCK$ $STOPPED$ & & buffer stopped & & STOPPED \\ \hline
FS2: $IC4$ $HIGH$ & & buffer stopped & & STOPPED \\
FS3: $IC4$ $LOW$ & & buffer stopped & & STOPPED \\
FS4: $IC4$ $NOOP$ & & no current drive & & LOW \\ \hline
\hline
\hline
\end{tabular}
\end{table}
We collect the symptoms of failure $\{ LOW, STOPPED \}$.
We can now derive a new component to represent the digital buffer and call it $DIGBUF$.
$$ fm (DIGBUF) = \{ LOW, STOPPED \} $$
%%% END DIGBUF
\subsection{First {\fgs} analysed}
We have analysed the initial {\fgs} and
have created our first {\dcs}. %and can now take stock of the situation
%and see what is now required.
%Figure~\ref{fig:sigdel1} shows which {\fgs} we have analysed so far.
%hierarchy has been built.
These are:
\begin{itemize}
\item SUMJINT --- A summing junction and integrator,
\item HISB --- A high impedance buffer,
\item DL2AL --- A digital to analogue level converter,
\item DIGBUF --- A digital one bit buffer/memory.
\end{itemize}
These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}.
We now use these {\dcs} to create higher level {\fgs}.
%to represent the failure mode
%behaviour of the $\Sigma \Delta ADC$.
We represent this
in the Euler diagram in figure~\ref{fig:eulersd}.
The next stage is to create {\fgs} from these initial {\dcs}
and make a complete failure mode model for the {\sd}.
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/eulersd.png}
% eulersd.png: 1018x334 pixel, 72dpi, 35.91x11.78 cm, bb=0 0 1018 334
\caption{Euler diagram showing the initial {\dcs} used to model the $\Sigma \Delta ADC$}
\label{fig:eulersd}
\end{figure}
%
% \begin{figure}[h+]
% \centering
% \includegraphics[width=400pt]{./CH5_Examples/sigdel1.png}
% % sigdel1.png: 766x618 pixel, 72dpi, 27.02x21.80 cm, bb=0 0 766 618
% \caption{First stage of FMMD analysis: Sigma delta Converter}
% \label{fig:sigdel1}
% \end{figure}
\clearpage
\subsubsection{{\fg} $HISB$ and $SUMJINT$}
We now form a {\fg} with the two derived components $HISB$ and $SUMJINT$.
This forms a buffered integrating summing junction which we analyse in table~\ref{tbl:BISJ}.
$$ FG = \{ HISB, SUMJINT \} $$
\begin{table}[h+]
\caption{ $HISB , SUMJINT$ buffered integrating summing junction($BISJ$): Failure Mode Effects Analysis} % title of Table
\label{tbl:BISJ}
\begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$BISJ$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline \hline
FS1: $SUMJINT$ $V_{in} DOM$ & & output integral of $V_{in}$ & & $OUTPUT\_STUCK$ \\
FS2: $SUMJINT$ $V_{fb} DOM$ & & output integral of $V_{fb}$ & & $OUTPUT\_STUCK$ \\
% $$ fm(SUMJUINT^1_0) = \{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
FS3: $SUMJINT$ $NO\_INTEGRATION$ & & output stuck high or low & & $OUTPUT\_STUCK$ \\
FS4: $SUMJINT$ $HIGH$ & & output stuck high & & $OUTPUT\_STUCK$ \\
FS5: $SUMJINT$ $LOW$ & & output stuck low & & $OUTPUT\_STUCK$ \\ \hline
%\hline
FS6: $HISB$ $HIGH$ & & output perm. high & & $OUTPUT\_STUCK$ \\
FS7: $HISB$ $LOW$ & & output perm. low & & $OUTPUT\_STUCK$ \\
FS8: $HISB$ $NOOP$ & & no current drive & & $OUTPUT\_STUCK$ \\
FS9: $HISB$ $LOW\_SLEW$ & & delayed signal & & $REDUCED\_INTEGRATION$ \\ \hline
\hline
\end{tabular}
\end{table}
We now collect the symptoms of failure $\{ OUTPUT\_STUCK , REDUCED\_INTEGRATION \}$, and create a {\dc}
called $BISJ$:
$$ fm(BISJ) = \{ OUTPUT\_STUCK, REDUCED\_INTEGRATION \} $$
\subsubsection{{\fg} $DL2AL$ and $DIGBUF$}
%$$ fm (DL2AL^2) = \{ LOW, HIGH, LOW\_SLEW \} $$
%$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
The functional group formed by $DIGBUF$ and $DL2AL$ takes the flip flop clocked and buffered
value, and outputs it at analogue voltage levels for the summing junction.
$$ FG = \{ DIGBUF, DL2AL \} $$
We analyse the buffered flip flop circuitry in table~\ref{tbl:ffb}.
\begin{table}[h+]
\caption{ $DIGBUF,DL2AL$ flip flop buffered($FFB$): Failure Mode Effects Analysis} % title of Table
\label{tbl:ffb}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$FFB$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline \hline
FS1: $DIGBUF$ $STOPPED$ & & output stuck & & $OUTPUT\_STUCK$ \\
FS2: $DIGBUF$ $LOW$ & & output stuck low & & $OUTPUT\_STUCK$ \\ \hline
%\hline
FS3: $DL2AL$ $LOW$ & & output perm. high & & $OUTPUT\_STUCK$ \\
FS4: $DL2AL$ $HIGH$ & & output perm. low & & $OUTPUT\_STUCK$ \\ \hline
FS5: $DL2AL$ $LOW\_SLEW$ & & delayed signal & & $LOW\_SLEW$ \\
\hline
\hline
\end{tabular}
\end{table}
We now collect symptoms $\{OUTPUT\_STUCK, LOW\_SLEW\}$ and create a {\dc} %at the third level of symptom abstraction
called $FFB$:
$$ fm(FFB) = \{ OUTPUT\_STUCK, LOW\_SLEW \} $$
\clearpage
\subsection{Final, top level {\fg} for sigma delta Converter}
We now have two {\dcs}, $FFB$ and $BISJ$.
These together represent all base components within this circuit.
We form a final functional group with these:
$$ FG = \{ FFB , BISJ \} .$$
We analyse the buffered {\sd} circuit in table~\ref{tbl:sdadc}.
%
% FFB^3 $\{OUTPUT STUCK, LOW\_SLEW\}$
% BISJ^2 $\{ OUTPUT STUCK , REDUCED\_INTEGRATION \}$
%
\begin{table}[h+]
\caption{ $FFB , BISJ $ \sd ($SDADC$): Failure Mode Effects Analysis} % title of Table
\label{tbl:sdadc}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{failure result } & & \textbf{Symptom} \\
% & & & & \\
% & & & & \\
\textbf{Failure} & & \textbf{$FFB$ } & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{Effect} & & \textbf{Failure Mode} \\
\hline \hline
FS1: $FFB$ $OUTPUT STUCK$ & & value max high or low & & $OUTPUT\_OUT\_OF\_RANGE$ \\
FS2: $FFB$ $LOW\_SLEW$ & & values will appear larger & & $OUTPUT\_INCORRECT$ \\
% FS3: $IC4^0$ $NOOP$ & & output stuck low & & $OUTPUT STUCK$ \\ \hline
%\hline
FS3: $BISJ$ $OUTPUT STUCK$ & & value max high or low & & $OUTPUT\_OUT\_OF\_RANGE$ \\
FS4: $BISJ$ $REDUCED\_INTEGRATION$ & & values will appear larger & & $OUTPUT\_INCORRECT$ \\ \hline
\hline
\end{tabular}
\end{table}
%\clearpage
We now collect the symptoms for the {\sd}:
$$ \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\} .$$
We can now create a {\dc} to represent the analogue to digital converter, $SDADC^4$.
$$fm(SDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$
We now show the final {\dc} hierarchy in figure~\ref{fig:eulersdfinal}.
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/eulersdfinal.png}
% eulersd.png: 1018x334 pixel, 72dpi, 35.91x11.78 cm, bb=0 0 1018 334
\caption{Euler diagram showing the final {\dcs} used to model the $\Sigma \Delta ADC$}
\label{fig:eulersdfinal}
\end{figure}
% \begin{figure}[h]
% \centering
% \includegraphics[width=400pt]{./CH5_Examples/sdadc.png}
% % sdadc.png: 886x1134 pixel, 72dpi, 31.26x40.01 cm, bb=0 0 886 1134
% \caption{FMMD Analysis hierarchy for the {\sd}}
% \label{fig:sdadc}
% \end{figure}
\clearpage
% ]
% into
%
% A summing integrator
% adds the voltage input to the feedback signal.
% The digital circuitry tries to
% apply a voltage to the integrator that will
% produce a zero output... doh this is difficult to describe.
% %
% The input voltage is summed with the feedback from the circuit
% and is fed into a comparator (IC2) that will output a plus or minus.
% This is fed into the input (D) of a DQ flip flop.
% This digitally buffers the output from the comparator.
% The output from the from the DQ flkip flop is a digital representation
% of the input voltage.
% The output from the DQ is sent to the digital comparator formed by R3,R4
% and IC3.
% The output from this is sent to the summing integrator as the signal summed with the input.
% The resistors R1, R2 form a summing junction
% to the negative input of IC1.
% Using the earlier definition for resistor failure modes,
% $fm(R)= \{OPEN, SHORT\}$, we analyse the summing junction
% in table~\ref{tbl:sumjunct} below.
%
% \begin{table}[h+]
% \caption{Summing Junction: Failure Mode Effects Analysis: Single Faults} % title of Table
% \label{tbl:sumjunct}
%
% \begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Summing} & & \textbf{Symptom} \\
% & & \textbf{Junction} & & \\
% \hline
% FS1: R1 SHORT & & R1 input dominates & & $R1\_IN\_DOM$ \\ \hline
% FS2: R1 OPEN & & R2 input dominates & & $R2\_IN\_DOM$ \\ \hline
% FS3: R2 SHORT & & R2 input dominates & & $R2\_IN\_DOM$ \\ \hline
% FS4: R2 OPEN & & R1 input dominates & & $R1\_IN\_DOM$ \\ \hline
%
% \hline
%
% \end{tabular}
% \end{table}
% % PHS45
%
% This summing junction fails with two symptoms. We create a {\dc} called $SUMJUNCT$ and we can state,
% $$fm(SUMJUNCT) = \{ R1\_IN\_DOM, R2\_IN\_DOM \} $$.
%The D type flip flop
%\subsection{FMMD Process applied to $\Sigma \Delta $ADC}.
%T%he block diagram in figure~\ref{fig
\section{Applying FMMD to Software}
\label{sec:elecsw}
FMMD can be applied to software, and thus we can build complete failure models
of typical modern safety critical systems.
With modular FMEA i.e. FMMD %(FMMD)
we have the concepts of failure~modes
of components, {\fgs} and symptoms of failure for a functional group.
A programmatic function has similarities with a {\fg} as defined by the FMMD process.
%
An FMMD {\fg} is placed into a hierarchy.
A software function is also placed into a hierarchy, that of its call-tree.
A software function typically calls other functions and uses data sources via hardware interaction, which could be viewed as its `components'.
It has outputs, i.e. it can perform actions
on data or hardware
which will be used by the functions that call it.
We can map a software function to a {\fg} in FMMD. Its failure modes
are the failure modes of the software components (other functions it calls)
and of the hardware it reads values from.
Its outputs are the data it changes, or the hardware actions it performs.
%%
%% Talk about how software specification will often say how hardware
%% will react and how to interpret readings---but they do not
%% always cover the failure modes of the hardware being interfaced too.
When we have analysed a software function---using failure conditions
of its inputs as failure modes---we can
determine its symptoms of failure (i.e. how calling functions will see its failure mode behaviour).
We can thus apply the $\derivec$ process to software functions, by viewing them in terms of their failure
mode behaviour. Software also simplifies matters in that it already fits into a hierarchy.
For electronic and mechanical systems, although we may be guided by the original designers'
concepts of modularity and sub-systems, applying FMMD means deciding on the members for {\fgs}
and the subsequent hierarchy. With software already written, that hierarchy is fixed.
% map the FMMD concepts of {\fms}, {\fgs} and {\dcs}
%to software functions.
%
%However, we need to map a the FMMD concepts of {\fms}, {\fgs} and {\dcs}
%to software functions.
% failure modes of a function in order to
%map FMMD to software.
\subsection{Software, a natural hierarchy}
Software written for safety critical systems is usually constrained to
be modular~\cite{en61508}[3] and non-recursive~\cite{misra}[15.2]. %{iec61511}.
Because of this we can assume a direct call tree. Functions call functions
from the top down and eventually call the lowest level library or IO
functions that interact with hardware/electronics.
What is potentially difficult with a software function is deciding what
its failure modes and symptoms are.
With electronic components, we can use the literature to point us to suitable sets of
{\fms}~\cite{fmd91}~\cite{mil1991}~\cite{en298}.%~\cite{en61508}~\cite{en298}.
With software, only some library functions are well known and rigorously documented
enough to have the equivalent of known failure modes.
Most software is `bespoke'. We therefore need a different strategy to
describe the failure mode behaviour of software functions.
We can use definitions from contract programming to assist here.
\subsection{Contract programming description}
Contract programming is a discipline~\cite{dbcbe} for building software functions in a controlled
and traceable way. Each function is subject to pre-conditions (constraints on its inputs),
post-conditions (constraints on its outputs) and function wide invariants (rules).
\paragraph{Mapping contract `pre-condition' violations to failure modes.}
A pre-condition, or requirement, for a contract software function
defines the correct ranges of input conditions for the function
to operate successfully.
%
For a software function, a violation of a pre-condition is
in effect a failure mode of `one of its components'.
\paragraph{Mapping contract `post-condition' violations to symptoms.}
A post-condition is a definition of correct behaviour by a function.
A violated post-condition is a symptom of failure, or derived failure mode, of the function.
Post-conditions can be either actions performed (i.e. the state of hardware changed) or an output value of the function.
\paragraph{Mapping contract `invariant' violations to symptoms and failure modes.}
Invariants in contract programming may apply to the inputs of the function (where violations can be considered {\fms} in FMMD terminology),
and to its outputs (where violations can be considered failure symptoms in FMMD terminology).
\subsection{Combined Hardware/Software FMMD}
For the purpose of example, we choose a simple common safety critical industrial circuit
that is nearly always used in conjunction with a programmatic element.
A common method for delivering a quantitative value in analogue electronics is
to supply a current signal to represent the value to be sent~\cite{aoe}[p.934].
Usually, $4mA$ represents a zero or starting value and $20mA$ represents the full scale,
and this is referred to as {\ft} signalling.
%
{\ft} signalling has intrinsic electrical safety advantages.
%
Because the current in a loop is constant~\cite{aoe}[p.20],
resistance in the wires between the source and receiving end is not an issue
that can alter the accuracy of the signal.
%
%This circuit has many advantages for safety.
If the signal becomes disconnected
it reads $0mA$ at the receiving end: as this is outside the {\ft} range
it is easy to detect as an error condition rather than an incorrect value.
%
Should the driving electronics go wrong at the source end, it will usually
supply far too little or far too much current, also making error conditions easy to detect.
%
At the receiving end, we only require one simple component to convert the
current signal into a voltage that we can read with an ADC: a resistor. % the humble resistor!
%BLOCK DIAGRAM HERE WITH FT CIRCUIT LOOP
\begin{figure}[h]
\centering
\includegraphics[width=230pt]{./CH5_Examples/ftcontext.png}
% ftcontext.png: 767x385 pixel, 72dpi, 27.06x13.58 cm, bb=0 0 767 385
\caption{Context Diagram for {\ft} loop}
\label{fig:ftcontext}
\end{figure}
The diagram in figure~\ref{fig:ftcontext} shows some equipment sending a {\ft}
signal to a micro-controller system.
The signal is locally driven over a load resistor, and then read into the micro-controller via
an ADC and its multiplexer.
From the voltage detected at the ADC, the micro-controller can read the intended quantitative
value from the external equipment.
\subsection{Simple Software Example}
Consider a software function that reads a {\ft} input, and returns a value between 0 and 999 (i.e. per mil $\permil$)
representing the current detected, with an additional error indication flag.
%
Let us assume the {\ft} detection is via a \ohms{220} resistor, and that we read a voltage
from an ADC into the software.
Let us define any value outside the 4mA to 20mA range as an error condition.
%
As a voltage, we use Ohm's law~\cite{aoe} to determine the voltage ranges: $V=IR$, $0.004A * \ohms{220} = 0.88V$
and $0.020A * \ohms{220} = 4.4V$.
%
Our acceptable voltage range is therefore
$$(V \ge 0.88) \wedge (V \le 4.4) \; .$$
This voltage range forms our input requirement and can be considered as an invariant condition.
%
We can now examine a software function that performs a conversion from the voltage read to
a per~mil representation of the {\ft} input current.
%
For the purpose of example the `C' programming language~\cite{DBLP:books/ph/KernighanR88} is used.
We initially assume a function \textbf{read\_ADC} which returns a floating point %double precision
value which represents the voltage read (see code sample in figure~\ref{fig:code_read_4_20_input}).
%%{\vbox{
\begin{figure}[h+]
\footnotesize
\begin{verbatim}
/***********************************************/
/* read_4_20_input()                           */
/***********************************************/
/* Software function to read 4mA to 20mA input */
/* returns a value from 0-999 proportional     */
/* to the current input.                       */
/***********************************************/
int read_4_20_input ( int * value ) {
    double input_volts;
    int error_flag;
    /* require: input from ADC to be
       between 0.88 and 4.4 volts */
    input_volts = read_ADC(INPUT_4_20_mA);
    if ( input_volts < 0.88 || input_volts > 4.4 ) {
        error_flag = 1; /* Error flag set to TRUE */
    }
    else {
        /* scale the 0.88V..4.4V span onto 0..999 per mil */
        *value = (int) ((input_volts - 0.88) / ( 4.4 - 0.88 ) * 999.0);
        error_flag = 0; /* indicate current input in range */
    }
    /* ensure: value is proportional (0-999) to the
       4 to 20mA input */
    return error_flag;
}
\end{verbatim}
%}
%}\clearpage
\caption{Software Function: \textbf{read\_4\_20\_input}}
\label{fig:code_read_4_20_input}
%\label{fig:420i}
\end{figure}
\clearpage
We now look at the function called by \textbf{read\_4\_20\_input}, \textbf{read\_ADC}, which returns a
voltage for a given ADC channel.
%
This function
deals directly with the hardware in the micro-controller that we are running the software on.
%
Its job is to select the correct channel (ADC multiplexer) and then to initiate a
conversion by setting an ADC `go' bit (see code sample in figure~\ref{fig:code_read_ADC}).
%
It takes the raw ADC reading and converts it into a
floating point\footnote{the type, `double' or `double precision', is a
standard C language floating point type~\cite{DBLP:books/ph/KernighanR88}.}
voltage value.
%{\vbox{
\begin{figure}[h+]
\footnotesize
\begin{verbatim}
/***********************************************/
/* read_ADC()                                  */
/***********************************************/
/* Software function to read voltage from a    */
/* specified ADC MUX channel                   */
/* Assume 10 ADC MUX channels 0..9             */
/* ADC_CHAN_RANGE = 9                          */
/* Assume ADC is 12 bit and ADCRANGE = 4096    */
/* returns voltage read as double precision    */
/***********************************************/
double read_ADC( int channel ) {
    int timeout = 0;
    double dval;
    /* require: a) input channel from ADC to be
                   in valid ADC range
                b) voltage ref is 0.1% of 5V */
    /* return out of range result  */
    /* if invalid channel selected */
    if ( channel < 0 || channel > ADC_CHAN_RANGE )
        return -2.0;
    /* set the multiplexer to the desired channel */
    ADCMUX = channel;
    ADCGO = 1; /* initiate ADC conversion hardware */
    /* wait for ADC conversion with timeout: loop while
       the hardware is still busy AND time remains */
    while ( ADCGO == 1 && timeout < 100 )
        timeout++;
    if ( timeout < 100 )
        dval = (double) ADCOUT * 5.0 / ADCRANGE;
    else
        dval = -1.0; /* indicate invalid reading */
    /* return voltage as a floating point value */
    /* ensure: value is voltage input to within 0.1% */
    return dval;
}
\end{verbatim}
\caption{Software Function: \textbf{read\_ADC}}
\label{fig:code_read_ADC}
\end{figure}
%}
%}
\clearpage
We now have a very simple software structure, a call tree, shown in figure~\ref{fig:ct1}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt]{./CH5_Examples/ct1.png}
% ct1.png: 151x224 pixel, 72dpi, 5.33x7.90 cm, bb=0 0 151 224
\caption{Call tree for software example}
\label{fig:ct1}
\end{figure}
This software is above the hardware in the conceptual call tree: from a programmatic perspective, the
software is reading values from the `lower~level' electronics.
%
FMEA is always a bottom-up process and so we must begin with this hardware.
%
The hardware is simply a load resistor, connected across an ADC input
pin on the micro-controller and ground.
%
We can identify the resistor and the ADC module of the micro-controller as
the base components in this design.
%
We now apply FMMD starting with the hardware.
\subsection{FMMD Process}
\paragraph{Functional Group - Convert mA to Voltage - CMATV}
This functional group contains the load resistor
and the physical Analogue to Digital Converter (ADC).
Our functional group, $G_1$ is thus the set of base components: $G_1 = \{R, ADC\}$.
We now determine the {\fms} of all the components in $G_1$.
For the resistor we can use a failure mode set from the literature~\cite{en298}.
Where the function $fm$ returns a set of failure modes for a given component we can state:
$$ fm(R) = \{OPEN,SHORT\}. $$
\vbox{
For the ADC we can determine the following failure modes:
\begin{itemize}
\item STUCKAT --- The ADC outputs a constant value,
\item MUXFAIL --- The ADC cannot select its input channel correctly,
\item LOW --- The ADC output is always LOW, or zero ADC counts,
\item HIGH --- The ADC output is always HIGH, or max ADC counts.
\end{itemize}
}
We can use the function $fm$ to define the {\fms} of an ADC thus:
$$ fm(ADC) = \{ STUCKAT, MUXFAIL,LOW, HIGH \}. $$
With these failure modes, we can analyse our first functional group, see table~\ref{tbl:cmatv}.
{
\tiny
\begin{table}[h+]
\centering
\caption{$G_1$: Failure Mode Effects Analysis} % title of Table
\label{tbl:cmatv}
\begin{tabular}{|| l | c | l ||} \hline
%\textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
%\textbf{Scenario} & \textbf{effect} & \textbf{ADC } \\ \hline
% & & & & \\
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline \hline
1: $R_{OPEN}$ & resistor open, & $HIGH$ \\
& voltage on pin high & \\ \hline
2: $R_{SHORT}$ & resistor shorted, & $LOW$ \\
& voltage on pin low & \\ \hline \hline
3: $ADC_{STUCKAT}$ & ADC reads out & $V\_ERR$ \\
& fixed value & \\ \hline
4: $ADC_{MUXFAIL}$ & ADC may read & $V\_ERR$ \\
& wrong channel & \\ \hline
5: $ADC_{LOW}$ & output low & $LOW$ \\
6: $ADC_{HIGH}$ & output high & $HIGH$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We now collect the symptoms for the hardware functional group, $\{ HIGH , LOW, V\_ERR \} $,
and create a {\dc} to represent this, called $CMATV$.
We can express this using the `$\derivec$' function thus:
$$ CMATV = \; \derivec (G_1) .$$
As its failure modes are the symptoms of failure from the functional group, we can now state:
$$fm ( CMATV ) = \{ HIGH , LOW, V\_ERR \} .$$
\paragraph{Functional Group - Software - Read\_ADC - RADC}
The software function $read\_ADC$ uses the ADC hardware analysed
as the {\dc} $CMATV$ above.
The code fragment in figure~\ref{fig:code_read_ADC} states its pre-conditions as
{\em /* require: a) input channel from ADC to be
in valid ADC range
b) voltage ref is 0.1\% of 5V */}.
%
From the above contractual programming requirements, we see that
the function must be sent the correct channel number.
%
A violation of this can be considered a {\fm} of the function,
which we can call $ CHAN\_NO $.
%
The reference voltage for the ADC has a 0.1\% accuracy requirement.
%
If the reference value is outside of this, it is also a {\fm}
of this function, which we can call $VREF$.
Taken as a component for use in FMEA/FMMD, our function has
two failure modes. We can therefore treat it as a generic component, $read\_ADC$,
by stating:
$$ fm(read\_ADC) = \{ CHAN\_NO, VREF \} $$
As we have a failure mode model for our function, we can now use it in conjunction
with the ADC hardware {\dc} $CMATV$, to form a {\fg} $G_2$, where $G_2 =\{ CMATV, read\_ADC \}$.
We now analyse this hardware/software combined {\fg}.
{
\tiny
\begin{table}[h+]
\caption{$G_2$: Failure Mode Effects Analysis} % title of Table
\label{tbl:radc}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
1: ${CHAN\_NO}$ & wrong voltage & $VV\_ERR$ \\
& read & \\ \hline
2: ${VREF}$ & ADC volt-ref & $VV\_ERR$ \\
& incorrect & \\ \hline \hline
3: $CMATV_{V\_ERR}$ & voltage value & $VV\_ERR$ \\
& incorrect & \\ \hline
4: $CMATV_{HIGH}$ & voltage value & $HIGH$ \\
& high & \\ \hline
5: $CMATV_{LOW}$ & output low & $LOW$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
We now collect the symptoms of failure for the {\fg} analysed (see table~\ref{tbl:radc})
as $\{ VV\_ERR, HIGH, LOW \}$. We can add as well the violation of the postcondition
for the function.
This postcondition, {\em /* ensure: value is voltage input to within 0.1\% */ },
corresponds to $VV\_ERR$, and is already in the {\fm} set for this {\fg}.
We can now create a {\dc} called $RADC$ thus: $$RADC = \; \derivec(G_2)$$ which has the following
{\fms}:
$$ fm(RADC) = \{ VV\_ERR, HIGH, LOW \} .$$
\paragraph{Functional Group - Software - voltage to per mil - VTPM }
This function sits on top of the $RADC$ {\dc} determined above.
We look at the pre-conditions for the function $read\_4\_20\_input$ (abbreviated to $RI$ in table~\ref{tbl:r420i})
to determine its {\fms}.
Its pre-condition is, {\em /* require: input from ADC to be between 0.88 and 4.4 volts */}.
We can map a violation of this pre-condition to the {\fm} $VRNGE$; %As this function has one pre-condition
we can state,
$$ fm(read\_4\_20\_input) = \{ VRNGE \} .$$
We can now form a functional group with the {\dc} $RADC$ and the
software component $read\_4\_20\_input$, i.e. $G_3 = \{read\_4\_20\_input, RADC\} $.
{
\tiny
\begin{table}[h+]
\caption{$G_3$: Read\_4\_20: Failure Mode Effects Analysis} % title of Table
\label{tbl:r420i}
\begin{tabular}{|| l | c | l ||} \hline
% \textbf{Failure} & \textbf{failure} & \textbf{Symptom} \\
% \textbf{Scenario} & \textbf{effect} & \textbf{RADC } \\ \hline
\hline
\textbf{Failure} & \textbf{Failure } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
\hline
1: $RI_{VRNGE}$ & voltage & $OUT\_OF\_$ \\
& outside range & $RANGE$ \\ \hline
2: $RADC_{VV\_ERR}$ & voltage & $VAL\_ERR$ \\
& incorrect & \\ \hline \hline
3: $RADC_{HIGH}$ & voltage value & $VAL\_ERR$ \\
& incorrect & \\ \hline
4: $RADC_{LOW}$ & voltage low, & $OUT\_OF\_$ \\
& outside range & $RANGE$ \\ \hline
\hline
\hline
\end{tabular}
\end{table}
}
The failure symptoms for the {\fg} are $\{OUT\_OF\_RANGE, VAL\_ERR\}$.
The postcondition for the function $read\_4\_20\_input$, {\em /* ensure: value is proportional (0-999) to the
4 to 20mA input */} corresponds to the $VAL\_ERR$ and is already in the set of failure modes.
% \paragraph{Final Functional Group}
For single failures, these are the two ways in which this function
can fail. An $OUT\_OF\_RANGE$ will be flagged by the error flag variable.
A $VAL\_ERR$ means that the value read is simply wrong.
We can finally make a {\dc} to represent a failure mode model for our function $read\_4\_20\_input$ thus:
$$ R420I = \; \derivec(G_3) .$$
This new {\dc} has the following {\fms}:
$$fm(R420I) = \{OUT\_OF\_RANGE, VAL\_ERR\} .$$
%
% Using the derived components, CMATV and VTPM we create
% a new functional group. This
% integrates FMEA's from software and eletronics
% into the same failure mode model.
We can now represent the software/hardware FMMD analysis
as a hierarchical diagram, see figure~\ref{fig:hd}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{./CH5_Examples/hd.png}
% hd.png: 363x520 pixel, 72dpi, 12.81x18.34 cm, bb=0 0 363 520
\caption{FMMD hierarchy with hardware and software elements}
\label{fig:hd}
\end{figure}
We can represent the hierarchy in figure~\ref{fig:hd} algebraically, using the `$\derivec$' function
using the groups as intermediate stages:
\begin{eqnarray*}
G_1 &=& \{R,ADC\} \\
CMATV &=& \;\derivec (G_1) \\
G_2 &=& \{CMATV, read\_ADC \} \\
RADC &=& \; \derivec (G_2) \\
G_3 &=& \{ RADC, read\_4\_20\_input \} \\
R420I &=& \; \derivec (G_3) \\
\end{eqnarray*}
or, a nested definition,
$$ \derivec \Big( \derivec \big( \derivec(R,ADC), read\_ADC \big), read\_4\_20\_input \Big). $$
This nested structure means that we have multiple traceable
stages of failure mode reasoning in our analysis. Traditional FMEA would have only one stage
of reasoning for each component failure mode.
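The nested definition above can be made executable. The following C program, added here and not part of the thesis, encodes the three FMEA tables of this section as data: $\derivec$ becomes a function that collects a {\fg}'s symptoms into a {\dc} and reports any member failure mode the table omitted, and a second function walks one base failure mode up the three stages, giving the traceable reasoning path just discussed. Component and failure mode names are those of tables~\ref{tbl:cmatv}, \ref{tbl:radc} and \ref{tbl:r420i}; the data structures are this example's own.

```c
/* Added example, not from the thesis: the FMEA tables for G1, G2 and G3 as
 * data, so derivec() can collect a functional group's symptoms into a derived
 * component (checking every member failure mode has a row) and trace() can
 * follow one base failure mode up the hierarchy: the conclusion's
 * "reasoning path". Component and failure mode names are the thesis's own. */
#include <string.h>
#define MAX_FMS 8
struct component { const char *name; const char *fm[MAX_FMS]; int n; };
/* one FMEA row: failure cause (component, failure mode) -> derived failure mode */
struct row { const char *comp, *fm, *symptom; };
/* every functional group in this example has exactly two members */
struct fg { const struct component *members[2]; const struct row *rows; int nrows; };

/* base components and software components, with their fm() sets */
static const struct component R   = { "R", { "OPEN", "SHORT" }, 2 };
static const struct component ADC = { "ADC", { "STUCKAT", "MUXFAIL", "LOW", "HIGH" }, 4 };
static const struct component read_ADC = { "read_ADC", { "CHAN_NO", "VREF" }, 2 };
static const struct component read_4_20_input = { "read_4_20_input", { "VRNGE" }, 1 };
static struct component CMATV = { "CMATV" }, RADC = { "RADC" }, R420I = { "R420I" }; /* derived */

static const struct row g1_rows[] = {                     /* table for G1 */
    { "R", "OPEN", "HIGH" },       { "R", "SHORT", "LOW" },
    { "ADC", "STUCKAT", "V_ERR" }, { "ADC", "MUXFAIL", "V_ERR" },
    { "ADC", "LOW", "LOW" },       { "ADC", "HIGH", "HIGH" } };
static const struct row g2_rows[] = {                     /* table for G2 */
    { "read_ADC", "CHAN_NO", "VV_ERR" }, { "read_ADC", "VREF", "VV_ERR" },
    { "CMATV", "V_ERR", "VV_ERR" }, { "CMATV", "HIGH", "HIGH" }, { "CMATV", "LOW", "LOW" } };
static const struct row g3_rows[] = {                     /* table for G3 */
    { "read_4_20_input", "VRNGE", "OUT_OF_RANGE" }, { "RADC", "VV_ERR", "VAL_ERR" },
    { "RADC", "HIGH", "VAL_ERR" }, { "RADC", "LOW", "OUT_OF_RANGE" } };
static const struct fg G1 = { { &R, &ADC }, g1_rows, 6 };
static const struct fg G2 = { { &CMATV, &read_ADC }, g2_rows, 5 };
static const struct fg G3 = { { &RADC, &read_4_20_input }, g3_rows, 4 };

int fm_contains(const struct component *c, const char *fm) {
    for (int i = 0; i < c->n; i++) if (strcmp(c->fm[i], fm) == 0) return 1;
    return 0;
}
static const char *lookup(const struct fg *g, const char *comp, const char *fm) {
    for (int i = 0; i < g->nrows; i++)
        if (strcmp(g->rows[i].comp, comp) == 0 && strcmp(g->rows[i].fm, fm) == 0)
            return g->rows[i].symptom;
    return NULL;
}
/* derivec: fm(out) := distinct symptoms in g's table. Returns the number of
 * member failure modes with no row, so 0 means the table is complete. */
int derivec(const struct fg *g, struct component *out) {
    int missing = 0;
    out->n = 0;
    for (int m = 0; m < 2; m++) {
        const struct component *c = g->members[m];
        for (int i = 0; i < c->n; i++) {
            const char *s = lookup(g, c->name, c->fm[i]);
            if (s == NULL) { missing++; continue; }
            if (!fm_contains(out, s) && out->n < MAX_FMS) out->fm[out->n++] = s;
        }
    }
    return missing;
}
/* Derive CMATV, RADC and R420I bottom-up; each group needs the one below it. */
int build_hierarchy(void) {
    int missing = derivec(&G1, &CMATV);
    missing += derivec(&G2, &RADC);
    missing += derivec(&G3, &R420I);
    return missing;
}
/* Follow one failure mode through G1, G2, G3; each matched row is one reasoning
 * stage. *top receives the symptom reached at the highest stage. */
static int walk(const char *comp, const char *fm, const char **top) {
    const struct fg *chain[] = { &G1, &G2, &G3 };
    const char *owner[] = { "CMATV", "RADC", "R420I" };  /* derived component per stage */
    int stages = 0;
    for (int s = 0; s < 3; s++) {
        const char *next = lookup(chain[s], comp, fm);
        if (next == NULL) { if (stages == 0) continue; else break; }
        comp = owner[s]; fm = next; stages++;
    }
    *top = fm;
    return stages;
}
int trace_stages(const char *comp, const char *fm) { const char *t; return walk(comp, fm, &t); }
const char *trace_top(const char *comp, const char *fm) { const char *t; walk(comp, fm, &t); return t; }
```

A resistor $OPEN$ traces through three stages to $VAL\_ERR$, whereas a $CHAN\_NO$ violation in $read\_ADC$ enters the hierarchy at $G_2$ and needs two.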
%\clearpage
\subsection{Conclusion: Software/Hardware FMMD Model}
The {\dc} representing the {\ft} reader
in software shows that with FMMD we can integrate
software and electro-mechanical FMMD models.
With this analysis
we have a complete `reasoning~path' linking the failure modes in the
electronics to those in the software.
Each functional group to {\dc} transition represents a
reasoning stage.
%
Each reasoning stage will have an associated analysis report.
%
With traditional FMEA methods the reasoning~distance is large, because
it stretches from the component failure mode to the top, or system level, failure.
For this reason applying traditional FMEA to software stretches
the reasoning distance even further. This is exacerbated by the fact that traditional SFMEA is
performed separately from HFMEA~\cite{sfmea,sfmeaa}; additionally, even the software/hardware
interfacing is treated as a separate FMEA task~\cite{sfmeainterface,embedsfmea,procsfmea}.
We now have a {\dc} for a {\ft} input in software.
Typically, more than one such input could be present in a real-world system.
Not only have we integrated electronics and software in an FMEA, we can also
re-use the analysis for each {\ft} input in the system.
The unresolved symptoms, or unobservable errors, i.e. $VAL\_ERR$, could be addressed
by another software function that reads other known signals
via the MUX (i.e. voltage references). This strategy would
detect the $STUCKAT$ and $MUXFAIL$ failure modes of the ADC.
A software specification for a hardware interface will concentrate on
how to interpret raw readings, or what signals to apply for actuators.
Using FMMD we can determine an accurate failure model for the interface as well~\cite{sfmeainterface}.
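The reference-reading strategy suggested above, worked through as an added C example (not the thesis's code): the ADC is a constructed model into which the failure modes of $fm(ADC)$ can be injected, $read\_ADC$ and $read\_4\_20\_input$ follow the listings in figures~\ref{fig:code_read_4_20_input} and \ref{fig:code_read_ADC} (without the conversion wait, as the hardware is simulated), and $adc\_self\_test$ reads two reference channels through the MUX. The channel numbers and reference voltages are assumed values.

```c
/* Added example, not from the thesis: a constructed model of the ADC with the
 * failure modes fm(ADC) = {STUCKAT, MUXFAIL, LOW, HIGH} injectable, read_ADC and
 * read_4_20_input as in the listings above (minus the conversion wait, since the
 * hardware is simulated), and the self-test the conclusion proposes: reading known
 * references through the MUX. Channel numbers and reference levels are constructed. */
#define ADC_CHAN_RANGE 9        /* MUX channels 0..9, as in read_ADC */
#define ADCRANGE       4096.0   /* 12-bit ADC */
#define INPUT_4_20_mA  3        /* constructed: channel with the 220 ohm load */
#define CHAN_GND_REF   8        /* constructed: channel tied to 0 V */
#define CHAN_HALF_REF  9        /* constructed: channel tied to 2.5 V */

enum adc_fault { F_NONE, F_STUCKAT, F_MUXFAIL, F_LOW, F_HIGH };
struct sim_result { int error_flag; int value; int self_test; };

static double g_chan_volts[ADC_CHAN_RANGE + 1];   /* voltage at each MUX pin */
static enum adc_fault g_fault = F_NONE;

/* Stand-in for the ADCMUX/ADCGO/ADCOUT registers: returns raw 12-bit counts. */
static unsigned adc_hw_convert(int channel) {
    double v;
    switch (g_fault) {
    case F_STUCKAT: return 2048;                    /* constant counts (2.5 V) */
    case F_LOW:     return 0;
    case F_HIGH:    return 4095;
    case F_MUXFAIL: channel = INPUT_4_20_mA; break; /* MUX ignores the selection */
    default:        break;
    }
    v = g_chan_volts[channel];
    if (v < 0.0) v = 0.0;
    if (v > 5.0) v = 5.0;
    return (unsigned)(v / 5.0 * 4095.0);
}

/* require: valid channel; ensure: voltage read, or negative for an invalid read */
double read_ADC(int channel) {
    if (channel < 0 || channel > ADC_CHAN_RANGE) return -2.0;
    return (double)adc_hw_convert(channel) * 5.0 / ADCRANGE;
}

/* 220 ohm load: 4 mA = 0.88 V, 20 mA = 4.4 V. Returns the error flag and writes
 * the per mil value (0..999) only when the reading is in range. */
int read_4_20_input(int *value) {
    double input_volts = read_ADC(INPUT_4_20_mA);
    if (input_volts < 0.88 || input_volts > 4.4) return 1;
    *value = (int)((input_volts - 0.88) / (4.4 - 0.88) * 999.0);
    return 0;
}

/* Self-test: two known references must read back within a few counts. STUCKAT
 * or MUXFAIL makes at least one of them read wrongly, which a single in-range
 * 4-20 mA reading (the VAL_ERR symptom) never reveals. Returns 0 when healthy. */
int adc_self_test(void) {
    double tol  = 4.0 * 5.0 / ADCRANGE;            /* four counts of tolerance */
    double gnd  = read_ADC(CHAN_GND_REF);
    double half = read_ADC(CHAN_HALF_REF);
    if (gnd > tol) return 1;
    if (half < 2.5 - tol || half > 2.5 + tol) return 1;
    return 0;
}

/* Drive a loop current (mA) under a given fault and read it as the software would. */
struct sim_result simulate(double loop_mA, enum adc_fault fault) {
    struct sim_result r = { 0, -1, 0 };
    g_chan_volts[INPUT_4_20_mA] = loop_mA / 1000.0 * 220.0;   /* V = I R */
    g_chan_volts[CHAN_GND_REF]  = 0.0;
    g_chan_volts[CHAN_HALF_REF] = 2.5;
    g_fault = fault;
    r.self_test  = adc_self_test();
    r.error_flag = read_4_20_input(&r.value);
    return r;
}
```

With a $STUCKAT$ fault injected at $12mA$ the range check passes and the per~mil value is wrong (the $VAL\_ERR$ symptom) while the self-test fails; an open loop ($0mA$) is caught by the range check alone.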
%
%Detailing this however, is beyond the scope %and page-count
%of this paper.
%Its solved. Hoooo-ray !!!!!!!!!!!!!!!!!!!!!!!!
\vspace{20pt}
%typeset in {\Huge \LaTeX} \today