Robin_PHD/submission_thesis/CH5_Examples/copy.tex
Your Name 7671005fe3 OK starting to get the new thesis structure
actually producing pdf files.

In each chapter directory, copy.tex
is the source file for the chapter.
A makefile should exist in each of these
directories, and this when supplied the arg copy
will make all images from dia/gnuplot etc
2012-03-20 19:07:09 +00:00


\clearpage \pagenumbering{arabic}
\section{Basic Concepts Of FMMD}
The idea behind FMMD is to modularise, from the bottom-up, failure mode effects analysis.
Traditional FMEA takes part failure modes and then determines what effect each of these
failure modes could have on the system under investigation.
It is worth defining clearly the term part here.
Geoffry Hall, writing in Spacecraft Systems Engineering~\cite{scse}[p.619], defines it thus:
``{Part(definition)}---The Lowest level of assembly, beyond which further disassembly irrevocably destroys the item''.
In the field of electronics a resistor, capacitor and op-amp would fit this definition of a `part'.
Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mil1991}.
Traditional FMEA, by looking at `part' level failure modes
involves what we could term a large `reasoning~distance'; that is to say
in a complex system, taking a particular failure mode, of a particular part
and then trying to predict the outcome in the context of an entire system, is
a leap~of~faith. There will be numerous possibilities of effects and side effects on
other components in the system; more than is practically possible to rigorously examine.
To simply trace a simple route from a particular part failure mode to a top level system error/symptom
oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
Fortunately most real-world designs take a modular approach. In Electronics
for instance, commonly used configurations of parts are used to create
amplifiers, filters, potential dividers etc.
%It is therefore natural to collect parts to form functional groups.
It is common design practice in electronics to use collections of parts in specific configurations
to form well-defined and well-known building blocks.
These commonly used configurations of parts, or {\fgs}, will
also have a specific failure mode behaviour.
We can take a {\fg} and determine its symptoms of failure.
When we have done this we can treat this as a component in its own right.
If we term `parts' base~components, and the components we have determined
from functional groups derived components, we can modularise FMEA.
If we start building {\fgs} from derived components we can start to build a modular
hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
\paragraph {Definitions}
\begin{itemize}
\item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}.
\item {\fm} - failure mode - the ways in which a component can fail
\item {\fg} - a collection of components chosen to perform a particular task
\item {\em symptom} - a failure mode of a functional group caused by one or more of its component failure modes.
\item {\dc} - a new component derived from an analysed {\fg}
\end{itemize}
\subsection{Determining the failure modes of components}
In order to apply any form of Failure Mode Effects Analysis (FMEA) we need to know the ways in which the components we are using can fail.
Typically when choosing components for a design, we look at manufacturers' data sheets,
which describe the range and tolerances, and can indicate how a component may fail/behave
under certain conditions or environments.
How base components could fail internally is not of interest to an FMEA investigation.
The FMEA investigator needs to know what failure behaviour a component may exhibit, or in other words, its
modes of failure.
A large body of literature exists which gives guidance for determining component {\fms}.
%
For this study FMD-91~\cite{fmd91} and the gas burner standard EN298~\cite{en298} are examined.
%Some standards prescribe specific failure modes for generic component types.
In EN298 failure modes for generic component types are prescribed, or
determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
are examined.
%
FMD-91 is a reference document released into the public domain by the United States DOD
and describes `failures' of common electronic components, with percentage statistics for each failure.
FMD-91 entries include general descriptions of internal failures alongside {\fms} of use to an FMEA investigation.
FMD-91 entries need, in some cases, some interpretation to be mapped to a clear set of
component {\fms} suitable for use in FMEA.
% One is from the US military document FMD-91, where internal failures
% of components are described (with stats).
%
% The other is EN298 where the failure modes for generic component types are prescribed, or
% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
% is applied. These techniques
%
% The FMD-91 entries need, in some cases, some interpretation to be mapped to
% component failure symptoms, but include failure modes that can be due to internal failures.
% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC.
%
% Could I come in and see you Chris to quickly discuss these.
%
% I hope to have chapter 5 finished by the end of March, chapter 5 being the
% electronics examples for the FMMD methodology.
In this section we look in detail at two common electrical components and examine how
the two sources of information define their failure mode behaviour.
We look at the reasons why some known failure modes % are omitted, or presented in
%specific but unintuitive ways.
%We compare the US. military published failure mode specifications wi
can be found in one source but not in the other and vice versa.
Finally we compare and contrast the failure modes determined for these components
from the FMD-91 reference source and from the guidelines of the
European burner standard EN298.
\subsection{Failure mode determination for generic resistor}
%- Failure modes. Prescribed failure modes EN298 - FMD91
\subsubsection{Resistor failure modes according to FMD-91}
The resistor is a ubiquitous component in electronics, and is therefore a prime
example for examining its failure modes.
FMD-91\cite{fmd91}[3-178] lists many types of resistor
and lists many possible failure causes.
For instance for {\textbf{Resistor,~Fixed,~Film}} we are given the following failure causes:
\begin{itemize}
\item Opened 52\%
\item Drift 31.8\%
\item Film Imperfections 5.1\%
\item Substrate defects 5.1\%
\item Shorted 3.9\%
\item Lead damage 1.9\%
\end{itemize}
This information may be of interest to the manufacturer of resistors, but it does not directly
help a circuit designer.
The circuit designer is not interested in the causes of resistor failure, but in building in contingency
against {\fms} that the resistor could exhibit.
We can determine these {\fms} by converting the internal failure descriptions
to {\fms} thus:
%and map these failure causes to three symptoms,
%drift (resistance value changing), open and short.
\begin{itemize}
\item Opened 52\% $\mapsto$ OPEN
\item Drift 31.8\% $\mapsto$ DRIFT
\item Film Imperfections 5.1\% $\mapsto$ OPEN
\item Substrate defects 5.1\% $\mapsto$ OPEN
\item Shorted 3.9\% $\mapsto$ SHORT
\item Lead damage 1.9\% $\mapsto$ OPEN.
\end{itemize}
The main cause of drift is overloading of components.
This is borne out in the entry for a resistor network, where the failure
modes do not include drift.
If we can ensure that our resistors will not be exposed to overload conditions, drift or parameter change
can be reasonably excluded.
\subsubsection{Resistor failure modes according to EN298}
EN298, the European gas burner safety standard, tends to give failure modes more directly usable by FMEA than FMD-91.
EN298 requires that a full FMEA be undertaken, examining all failure modes
of all components~\cite{en298}[11.2 5] as part of the certification process.
%
Annex A of EN298, prescribes failure modes for common components
and guidance on determining sets of failure modes for complex components (i.e. integrated circuits).
EN298~\cite{en298}[Annex A] (for most types of resistor)
only requires that the failure mode OPEN be considered in FMEA analysis.
%
For resistor types not specifically listed in EN298, the failure modes
are considered to be either OPEN or SHORT.
The reason that parameter change is not considered for resistors chosen for an EN298 compliant system is that they must be {\em downrated},
that is to say the power and voltage ratings of components must be calculated
for maximum possible exposure, with a 40\% margin of error. This ensures the resistors will not be overloaded.
% XXXXXX get ref from colin T
%If a resistor was rated for instance for
%These are useful for resistor manufacturersthey have three failure modes
%EN298
%Parameter change not considered for EN298 because the resistors are down-rated from
%maximum possible voltage exposure -- find refs.
% FMD-91 gives the following percentages for failure rates in
% \label{downrate}
% The parameter change, is usually a failure mode associated with over stressing the component.
%In a system designed to typical safety critical constraints (as in EN298)
%these environmentally induced failure modes need not be considered.
For this study we will take the conservative view from EN298, and consider the failure
modes for a generic resistor to be both OPEN and SHORT.
i.e.
$$ fm(R) = \{ OPEN, SHORT \} . $$
\subsection{Failure modes determination for generic operational amplifier}
\begin{figure}[h+]
\centering
\includegraphics[width=200pt]{CH5_Examples/lm258pinout.jpg}
% lm258pinout.jpg: 478x348 pixel, 96dpi, 12.65x9.21 cm, bb=0 0 359 261
\caption{Pinout for an LM358 dual OP-AMP}
\label{fig:lm258}
\end{figure}
The operational amplifier (op-amp) is a differential amplifier and is very widely used in nearly all fields of modern electronics.
They are typically packaged in dual or quad configurations---meaning
that a chip will typically contain two or four amplifiers.
For the purpose of example, we look at
a typical op-amp designed for instrumentation and measurement, the dual packaged version of the LM358~\cite{lm358}
(see figure~\ref{fig:lm258}), and use this to compare the failure mode derivations from FMD-91 and EN298.
\subsubsection{ Failure Modes of an OP-AMP according to FMD-91 }
%Literature suggests, latch up, latch down and oscillation.
For OP-AMP failure modes, FMD-91~\cite{fmd91}[3-116] states,
\begin{itemize}
\item Degraded Output 50\% Low Slew rate - poor die attach
\item No Operation - overstress 31.3\%
\item Shorted $V_+$ to $V_-$, overstress, resistive short in amplifier\%
\item Opened $V_+$ open\%
\end{itemize}
Again these are mostly internal causes of failure, more of interest to the component manufacturer
than a designer looking for the symptoms of failure.
We need to translate these failure causes within the OP-AMP into {\fms}.
We can look at each failure cause in turn, and map it to potential {\fms}.
\paragraph{OP-AMP failure cause: Poor Die attach}
The symptom for this is given as a low slew rate. This means that the op-amp
will not react quickly to changes on its input terminals.
This is a failure symptom that may not be of concern in a slow responding system like an
instrumentation amplifier. However, where higher frequencies are being processed
a signal may be lost.
We can map this failure cause to a {\fm}, and we can call it $LOW_{slew}$.
\paragraph{No Operation - over stress}
Here the OP-AMP has been damaged, and the output may be held HIGH or LOW, or may be effectively tri-stated,
i.e. not able to drive circuitry in the next stages of the signal path: we can call this state NOOP (no Operation).
%
We can map this failure cause to three symptoms, $LOW$, $HIGH$, $NOOP$.
\paragraph{Shorted $V_+$ to $V_-$}
Due to the high intrinsic gain of an op-amp, and the effect of offset currents
this will force the output HIGH or LOW.
We map this failure cause to $HIGH$ or $LOW$.
\paragraph{Open $V_+$}
This failure cause will mean that the minus input will have the very high gain
of the OP-AMP applied to it, and the output will be forced HIGH or LOW.
We map this failure cause to $HIGH$ or $LOW$.
\paragraph{Collecting OP-AMP failure modes from FMD-91}
We can define an OP-AMP, under FMD-91 definitions to have the following {\fms}.
$$fm(OP-AMP) = \{ HIGH, LOW, NOOP, LOW_{slew} \} $$
\subsubsection{Failure Modes of an OP-AMP according to EN298}
EN298 does not specifically define OP-AMP failure modes; these can be determined
by following a procedure for `integrated~circuits' outlined in
annex~A~\cite{en298}[A.1 note e].
This demands that all open connections, and shorts between adjacent pins be considered as failure scenarios.
We examine these failure scenarios on the dual packaged $LM358$ %\mu741$
and determine its {\fms}.
\paragraph{EN298: Open and shorted pin failure symptom determination technique}
\begin{table}[h+]
\caption{LM358: EN298 Single failure symptom extraction}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Amplifier Effect} & & \textbf{Symptom(s)} \\
\hline
& & & & \\ \hline
FS1: PIN 1 OPEN & & A output open & & $NOOP_A$ \\ \hline
FS2: PIN 2 OPEN & & A-input disconnected, & & \\
& & infinite gain on A+input & & $LOW_A$ or $HIGH_A$ \\ \hline
FS3: PIN 3 OPEN & & A+input disconnected, & & \\
& & infinite gain on A-input & & $LOW_A$ or $HIGH_A$ \\ \hline
FS4: PIN 4 OPEN & & power to chip (ground) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
FS5: PIN 5 OPEN & & B+input disconnected, & & \\
& & infinite gain on B-input & & $LOW_B$ or $HIGH_B$ \\ \hline
FS6: PIN 6 OPEN & & B-input disconnected, & & \\
& & infinite gain on B+input & & $LOW_B$ or $HIGH_B$ \\ \hline
FS7: PIN 7 OPEN & & B output open & & $NOOP_B$ \\ \hline
FS8: PIN 8 OPEN & & power to chip & & \\
& & (Vcc) disconnected & & $NOOP_A$ and $NOOP_B$ \\ \hline
& & & & \\
& & & & \\
& & & & \\ \hline
FS9: PIN 1 $\stackrel{short}{\longrightarrow}$ PIN 2 & & A -ve 100\% Feed back, low gain & & $LOW_A$ \\ \hline
FS10: PIN 2 $\stackrel{short}{\longrightarrow}$ PIN 3 & & A inputs shorted, & & \\
& & output controlled by internal offset & & $LOW_A$ or $HIGH_A$ \\ \hline
FS11: PIN 3 $\stackrel{short}{\longrightarrow}$ PIN 4 & & A + input held to ground & & $LOW_A$ \\ \hline
FS12: PIN 5 $\stackrel{short}{\longrightarrow}$ PIN 6 & & B inputs shorted, & & \\
& & output controlled by internal offset & & $LOW_B$ or $HIGH_B$ \\ \hline
FS13: PIN 6 $\stackrel{short}{\longrightarrow}$ PIN 7 & & B -ve 100\% Feed back, low gain & & $LOW_B$ \\ \hline
FS14: PIN 7 $\stackrel{short}{\longrightarrow}$ PIN 8 & & B output held high & & $HIGH_B$ \\ \hline
\hline
\end{tabular}
\label{tbl:pd}
\end{table}
\clearpage
\subsection{Comparing the component failure mode sources}
With the EN298 pin-out failure mode technique, our OP-AMP example could have come up with different symptoms for both sides.
The technique cannot predict the effect of internal errors; for instance, $LOW_{slew}$
is missing from the EN298 failure mode set.
% FMD-91
%
% I have been working on two examples of determining failure modes of components.
% One is from the US military document FMD-91, where internal failures
% of components are described (with stats).
%
% The other is EN298 where the failure modes for generic component types are prescribed, or
% determined by a procedure where failure scenarios of all pins OPEN and all adjacent pins shorted
% is applied. These techniques
%
% The FMD-91 entries need, in some cases, some interpretation to be mapped to
% component failure symptoms, but include failure modes that can be due to internal failures.
% The EN298 SHORT/OPEN procedure cannot determine failures due to internal causes but can be applied to any IC.
%
% Could I come in and see you Chris to quickly discuss these.
%
% I hope to have chapter 5 finished by the end of March, chapter 5 being the
% electronics examples for the FMMD methodology.
\clearpage
%%
%% Paragraph using failure modes to build from bottom up
%%
\paragraph{ Creating a fault hierarchy.}
The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc}
level up to the top, or system level, with analysis stages between each
transition to a higher level in the hierarchy.
The first stage is to choose
{\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components.
%These parts all have associated fault modes. A module is a set fault~modes.
From the point of view of fault analysis, we are not interested in the components themselves, but in the ways in which they can fail.
A {\fg} is a collection of components that perform some simple task or function.
%
In order to determine how a {\fg} can fail,
we need to consider all failure modes of its components.
%
By analysing the fault behaviour of a `{\fg}' with respect to all its components' failure modes,
we can determine its symptoms of failure.
%In fact we can call these
%the symptoms of failure for the {\fg}.
With these symptoms (a set of derived faults from the perspective of the {\fg})
we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways.
%
In other words we have taken a {\fg}, and analysed how
\textbf{it} can fail according to the failure modes of its components, and then
determined the {\fg} failure modes.
\paragraph{Creating a derived component.}
We create a new `{\dc}' which has
the failure symptoms of the {\fg} from which it was derived, as its set of failure modes.
This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}.
%
\paragraph{An example of a {\dc}.}
To give an example of this, we could look at the components that
form, say an amplifier. We look at how all the components within it
could fail and how that would affect the amplifier.
%
The ways in which the amplifier can be affected are its symptoms.
%
When we have determined the symptoms, we can
create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
We can now treat $AMP1$ as a pre-analysed, higher level component.
The amplifier is an abstract concept, in terms of the components.
To make an `amplifier' we have to connect a group of components
in a specific configuration. This specific configuration corresponds to
a {\fg}. Our use of it as a building block corresponds to a {\dc}.
%What this means is the `fault~symptoms' of the module have been derived.
%
%When we have determined the fault~modes at the module level these can become a set of derived faults.
%By taking sets of derived faults (module level faults) we can combine these to form modules
%at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way,
%to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed
%as parts, parts which may now be combined to create new functional groups,
%but as parts at a higher level of fault abstraction.
\paragraph{Building the Hierarchy.}
Applying the same process with {\dcs} we can bring {\dcs}
together to form functional groups and create new {\dcs}
at even higher abstraction levels. Eventually we will have a hierarchy
that converges to one top level {\dc}. At this stage we have a complete failure
mode model of the system under investigation.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
% tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
\caption{FMMD Hierarchy showing ascending abstraction levels}
\label{fig:treeabslev}
\end{figure}
Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg}
is shown as a `$\bowtie$' symbol.
\subsection{An algebraic notation for identifying FMMD entities}
Consider all `components' to exist as
members of a set $\mathcal{C}$.
%
Each component $c$ has an associated set of failure modes.
We can define a function $fm$ that returns a
set of failure modes $F$, for the component $c$.
Let the set of all possible components be $\mathcal{C}$
and let the set of all possible failure modes be $\mathcal{F}$.
We now define the function $fm$
as
\begin{equation}
\label{eqn:fm}
fm : \mathcal{C} \rightarrow \mathcal{P}\mathcal{F}.
\end{equation}
This is defined by, where $c$ is a component and $F$ is a set of failure modes,
$ fm ( c ) = F. $
We can use the variable name $\FG$ to represent a {\fg}. A {\fg} is a collection
of components.
%We thus define $FG$ as a set of chosen components defining
%a {\fg}; all functional groups
We can state that
{\FG} is a member of the power set of all components, $ \FG \in \mathcal{P} \mathcal{C}. $
We can overload the $fm$ function for a functional group {\FG}
where it will return all the failure modes of the components in {\FG}
given by
$$ fm ({\FG}) = F. $$
Generally, where $\mathcal{{\FG}}$ is the set of all functional groups,
\begin{equation}
fm : \mathcal{{\FG}} \rightarrow \mathcal{P}\mathcal{F}.
\end{equation}
%$$ \mathcal{fm}(C) \rightarrow S $$
%$$ {fm}(C) \rightarrow S $$
\paragraph{Abstraction Levels of {\fgs} and {\dcs}}
\label{sec:indexsub}
We can indicate the abstraction level of a component by using a superscript.
Thus for the component $c$, where it is a `base component' we can assign it
the abstraction level zero, $c^0$. Should we wish to index the components
(for example as in a product parts-list) we can use a sub-script.
Our base component (if first in the parts-list) could now be uniquely identified as
$c^0_1$.
We can further define the abstraction level of a {\fg}.
We can say that it is the maximum abstraction level of any of its
components. Thus a functional group containing only base components
would have an abstraction level zero and could be represented with a superscript of zero thus
`${\FG}^0$'. % The functional group set may also be indexed.
We can apply symptom abstraction to a {\fg} to find
its symptoms.
%We are interested in the failure modes
%of all the components in the {\fg}. An analysis process
We define the symptom abstraction process with the symbol `$\bowtie$'.% is applied to the {\fg}.
%
The $\bowtie$ function takes a {\fg}
as an argument and returns a newly created {\dc}.
%
%The $\bowtie$ analysis, a symptom extraction process, is described in chapter \ref{chap:sympex}.
The symptom abstraction process must always raise the abstraction level
for the newly created {\dc}.
Using $\abslevel$ to symbolise the fault abstraction level, we can now state:
$$ \bowtie({\FG}^{\abslevel}) \rightarrow c^{{\abslevel}+N} | N \ge 1. $$
\paragraph{Functional Groups may be indexed}
We will typically have more than one {\fg} on each level of an FMMD hierarchy (except the top level, where there will only be one);
we could index the {\fgs} with a sub-script, and can then uniquely identify them using their level and their index.
For example ${\FG}^{3}_{2}$ would be the second {\fg} at the third level of abstraction in an FMMD hierarchy.
\paragraph{The symptom abstraction process in outline.}
The $\bowtie$ function processes each component in the {\fg} and
extracts all the component failure modes.
With all the failure modes, an analyst can
determine how each failure mode will affect the {\fg}, and then collect common symptoms.
A new {\dc} is created
whose failure modes are the symptoms of the {\fg}.
Note that the component must have a higher abstraction level than the {\fg}
it was derived from.
\paragraph{Surjective constraint applied to symptom collection.}
We can stipulate that the symptom collection process is surjective.
% i.e. $ \forall f in F $
By stipulating surjection for symptom collection, we ensure
that each component failure mode maps to at least one symptom.
We also ensure that all symptoms have at least one component failure
mode (i.e. one or more failure modes that caused it).
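
The symptom abstraction step and its constraints can be modelled in a few lines of Python. This is an added example, not code from the thesis: the potential divider layout, the feedback amplifier built on it, every symptom name and every analysis row are constructed assumptions standing in for an analyst's by-hand decisions; only the resistor and OP-AMP failure mode sets and the name AMP1 come from the text above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    level: int                # abstraction level, 0 for a base component
    failure_modes: frozenset  # fm(c)


def fm(group):
    """fm overloaded for a functional group: all (component, failure mode) pairs."""
    return {(c.name, f) for c in group for f in c.failure_modes}


def symptom_abstraction(name, group, analysis, symptoms):
    """The bowtie step: functional group -> derived component.

    analysis -- the analyst's table {(component, failure mode): symptom}
    symptoms -- the symptom set the analyst declares for the group
    """
    causes = fm(group)
    missing = causes - set(analysis)
    if missing:   # every component failure mode must map to a symptom
        raise ValueError(f"failure modes with no symptom: {sorted(missing)}")
    stray = set(analysis) - causes
    if stray:     # rows must refer to failure modes the group really has
        raise ValueError(f"rows for unknown failure modes: {sorted(stray)}")
    produced = set(analysis.values())
    if produced != set(symptoms):   # surjective onto the declared symptoms
        raise ValueError(f"symptom mismatch: {sorted(produced ^ set(symptoms))}")
    # Group level is the maximum level of its members; the derived
    # component is always placed at least one level above it.
    level = max(c.level for c in group) + 1
    return Component(name, level, frozenset(symptoms))


def build_potdiv(analysis=None):
    """Constructed example: R1 from supply to output, R2 from output to ground."""
    r1 = Component("R1", 0, frozenset({"OPEN", "SHORT"}))
    r2 = Component("R2", 0, frozenset({"OPEN", "SHORT"}))
    if analysis is None:
        analysis = {
            ("R1", "OPEN"): "PD_LOW", ("R1", "SHORT"): "PD_HIGH",
            ("R2", "OPEN"): "PD_HIGH", ("R2", "SHORT"): "PD_LOW",
        }
    return symptom_abstraction("PD", [r1, r2], analysis, {"PD_HIGH", "PD_LOW"})


def build_amp():
    """Constructed example: the derived PD reused as the feedback divider of AMP1."""
    pd = build_potdiv()
    opamp = Component("OPAMP", 0, frozenset({"HIGH", "LOW", "NOOP", "LOW_slew"}))
    analysis = {   # hypothetical analyst decisions
        ("PD", "PD_HIGH"): "AMP_LOW", ("PD", "PD_LOW"): "AMP_HIGH",
        ("OPAMP", "HIGH"): "AMP_HIGH", ("OPAMP", "LOW"): "AMP_LOW",
        ("OPAMP", "NOOP"): "AMP_LOW", ("OPAMP", "LOW_slew"): "AMP_LOW_PASS",
    }
    return symptom_abstraction("AMP1", [pd, opamp], analysis,
                               {"AMP_HIGH", "AMP_LOW", "AMP_LOW_PASS"})


if __name__ == "__main__":
    for dc in (build_potdiv(), build_amp()):
        print(dc.name, "level", dc.level, sorted(dc.failure_modes))
```

An analysis table that skips a component failure mode, or a declared symptom that no failure mode causes, raises an error instead of producing a derived component.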
%
\subsection{FMMD Hierarchy}
By applying stages of analysis to higher and higher abstraction
levels, we can converge to a complete failure mode model of the system under analysis.
Because the symptom abstraction process is defined as surjective (from component failure modes to symptoms)
the number of symptoms is guaranteed to be less than or equal to
the number of component failure modes.
In practice however, the number of symptoms greatly reduces as we traverse
up the hierarchy.
This is a natural process. When we have complicated systems
they always have a small number of system failure modes in comparison to
the number of failure modes in their sub-systems/components.
\section{Examples of Derived Component like concepts in safety literature}
Idea stage on this section, integrated circuits and some compound parts (like digital resistors)
are treated like base components. i.e. this sets a precedent for {\dcs}.
\begin{itemize}
\item Look at OPAMP circuits, pick one (say $\mu$741)
\item Digital transistor perhaps, inside two resistors and a transistor.
\item outline a proposed FMMD analysis
\item Show FMD-91 OPAMP failure modes -- compare with FMMD
\end{itemize}
The gas burner standard (EN298~\cite{en298}), only considers OPEN and SHORT for resistors
(and for some types of resistors OPEN only).
FMD-91~\cite{fmd91} (the US military failure modes guide) also includes `parameter change' in its description of resistor failure modes.
Now a resistor will generally only suffer parameter change when over stressed.
EN298 stipulates down rating by 60\% to maximum stress
possible in a circuit. So even if you have a resistor that preliminary analysis tells you would
never be subjected to, say, more than 5V, but there is, say, a 24V rail
on the circuit, you have to choose resistors able to cope with the 24V
stress/load and then down rate by 60\%. That is to say the resistor should be rated for a maximum
voltage of $ > 38.4V$ and should be rated 60\% higher for its power consumption at $38.4V$.
Because of down-rating, it is reasonable to not have to consider parameter change under EN298 approvals.
\clearpage
Two areas cannot be automated: choosing {\fgs}, and the analysis/symptom collection process itself.
\subsection{{\fgs} Sharing components and Hierarchy}
With electronics we need to follow the signal path to make sense of failure modes
effects on other parts of the circuit further down that path.
%{\fgs} will naturally have to be in the position of starter
A power-supply is naturally first in a signal path (or failure reasoning path).
That is to say, if the power-supply is faulty, its failure modes are likely to affect
the {\fgs} that have to use it.
This means that most electronic components should be placed higher in an FMMD
hierarchy than the power-supply.
A shorted de-coupling capacitor causes a `symptom' of the power-supply,
and an open de-coupling capacitor should be considered a `failure~mode' relevant to the logic chip.
% to consider.
If components can be shared between functional groups, this means that components
must be shareable between {\fgs} at different levels in the FMMD hierarchy.
This hierarchy and an optionally shared de-coupling capacitor (with line highlighted in red and dashed) are shown
in figure~\ref{fig:shared_component}.
\begin{figure}
\centering
\includegraphics[width=250pt,keepaspectratio=true]{CH5_Examples/shared_component.png}
% shared_component.png: 729x670 pixel, 72dpi, 25.72x23.64 cm, bb=0 0 729 670
\caption{Optionally shared Component}
\label{fig:shared_component}
\end{figure}
\subsection{Hierarchy and structure}
By having this structure, the logic circuit element can accept failure modes from the
power-supply (for instance these might, for the sake of example, include: $NO\_POWER$, $LOW\_VOLTAGE$, $HIGH\_VOLTAGE$, $NOISE\_HF$, $NOISE\_LF$).
Our logic circuit may be able to cope with $LOW\_VOLTAGE$ and $NOISE\_LF$, but react with a serious symptom to $NOISE\_HF$ say.
But in order to process these failure modes it must be at a higher stage in the FMMD hierarchy.
\pagebreak[4]
\section{Defining the concept of `comparison~complexity' in FMEA}
%
% DOMAIN == INPUTS
% RANGE == OUTPUTS
%
When performing FMEA we have a system under investigation, which will
comprise a collection of components which have associated failure modes.
The object of FMEA is to determine cause and effect:
from the failure modes (the causes) to the effects (or symptoms of failure).
%
To perform FMEA rigorously
we could stipulate that every failure mode must be checked for effects
against all the components in the system.
We could term this `rigorous~FMEA'~(RFMEA).
The number of checks we have to make to achieve this gives an indication of the complexity of the task.
%
We could term this `comparison~complexity', as it is the number of
paths between failure modes and components, necessary to achieve RFMEA, for a given system/functional~group.
% (except its self of course, that component is already considered to be in a failed state!).
%
Obviously, for a small number of components and failure modes we have a smaller number
of checks to make than for a complicated larger system.
%
We can consider the system as a large {\fg} of components.
We represent the number of components in the {\fg} $G$, by
$ | G | $
(an indexing and sub-scripting notation to identify particular {\fgs}
within an FMMD hierarchy is given in section~\ref{sec:indexsub}).
The function $fm$ has a component as its domain and the component's failure modes as its range (see equation~\ref{eqn:fm}).
We can represent the number of potential failure modes of a component $c$, to be $ | fm(c) | .$
If we index all the components in the system under investigation $ c_1, c_2 \ldots c_{|\FG|} $ we can express
the number of checks required to rigorously examine every
failure mode against all the other components in the system.
We can define this as a function, Comparison Complexity, $CC$, with its domain as the system
or {\fg}, $\FG$, and
its range as the number of checks to perform to satisfy a rigorous FMEA inspection.
Where $\mathcal{\FG}$ represents the set of all {\fgs}, and $ \mathbb{N} $ any natural integer, $CC$ is defined by,
\begin{equation}
%$$
CC:\mathcal{\FG} \rightarrow \mathbb{N},
%$$
\end{equation}
and, where $n$ is the number of components in the system/{\fg} and $|fm(c_i)|$ is the number of failure modes
in component ${c_i}$, is given by
\begin{equation}
\label{eqn:CC}
%$$
%%% when it was called reasoning distance -- 19NOV2011 -- RD(fg) = \sum_{n=1}^{|fg|} |fm(c_n)|.(|fg|-1)
CC(\FG) = (n-1) \sum_{1 \le i \le n} |fm(c_i)|.
%$$
\end{equation}
This can be simplified if we can determine the total number of failure modes in the system $K$, (i.e. $ K = \sum_{n=1}^{|G|} {|fm(c_n)|}$);
equation~\ref{eqn:CC} becomes
%$$
\begin{equation}
\label{eqn:rd2}
CC(\FG) = K.(|\FG|-1).
\end{equation}
%$$
%Equation~\ref{eqn:rd} can also be expressed as
%
% \begin{equation}
% \label{eqn:rd2}
% %$$
% CC(G) = {|G|}.{|fm(c_n)|}.{(|fg|-1)} .
% %$$
% \end{equation}
\subsection{A general formula for counting Comparison Complexity in an FMMD hierarchy}
An FMMD Hierarchy will have reducing numbers of functional groups as we progress up the hierarchy.
In order to calculate its comparison~complexity we need to apply equation~\ref{eqn:CC} to
all {\fgs} on each level.
We define a helper function $g$ with a domain of the level $i$ in an FMMD hierarchy $H$, and a co-domain of a set of {\fgs} (specifically all the {\fgs} on the given level),
defined by
\begin{equation}
%$$
g(H, i) \rightarrow \forall {\FG}^{\xi} \;where\; ({\xi} = {i}) \wedge ({\FG}^{\xi} \in H) .
%$$
\end{equation}
Where $L$ represents the number of levels in the FMMD hierarchy,
$|g(H,\xi)|$ represents the number of functional groups on level $\xi$,
and $H$ represents an FMMD hierarchy,
we overload the comparison complexity thus:
%$$
\begin{equation}
\label{eqn:gf}
CC(H) = \sum_{\xi=0}^{L} \sum_{j=1}^{|g(H,\xi)|} CC({\FG}_{j}^{\xi}).
%$$
\end{equation}
\pagebreak[4]
\subsection{Complexity Comparison Examples}
The potential divider discussed in section~\ref{potdivfmmd} has four failure modes and two components and therefore has a $CC$ of 4.
$$CC(potdiv) = \sum_{n=1}^{2} |2|.(|1|) = 4 $$
Even considering a $fictitious$ system with just 81 components (with these components
having 3 failure modes each) we would have a $CC$ of
$$CC(fictitious) = \sum_{n=1}^{81} |3|.(|80|) = 19440 .$$
Ensuring all component failure modes are checked against all other components in a system
-- applying FMEA rigorously -- could be termed
Rigorous FMEA (RFMEA).
The computational order for RFMEA would be polynomial ($O(N^2.K)$) (where $K$ is the variable number of failure modes).
This order may be acceptable in a computational environment; however, the choosing of {\fgs} and the analysis
process are by-hand/human activities. It can be seen that it is practically impossible to achieve
RFMEA for anything but trivial systems.
%
% Next statement needs alot of justification
%
It is the author's belief that FMMD reduces the comparison complexity enough to make
rigorous checking feasible.
\pagebreak[4]
%\subsection{Using the concept of Complexity Comparison to compare RFMEA with FMMD}
\begin{figure}
\centering
\includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/three_tree.png}
% three_tree.png: 851x385 pixel, 72dpi, 30.02x13.58 cm, bb=0 0 851 385
\caption{FMMD Hierarchy with number of components in {\fg} fixed to 3 $(|G| = 3)$ } % \wedge (|fm(c)| = 3)$}
\label{fig:three_tree}
\end{figure}
\subsection{Comparing FMMD and RFMEA comparison complexity}
Because components have variable numbers of failure modes,
and {\fgs} have variable numbers of components it is difficult to
use the general formula for comparing the number of checks to make for
RFMEA and FMMD.
If we were to create an example by fixing the number of components in a {\fg}
and the number of failure modes per component, we can derive formulae
to compare the number of checks to make from an FMMD hierarchy to RFMEA applied to
all components in a system.
Consider $k$ to be the number of components in a {\fg} (i.e. $k=|{\FG}|$),
$f$ to be the number of failure modes per component (i.e. $f=|fm(c)|$), and
$L$ to be the number of levels in the hierarchy of an FMMD analysis.
We can represent the number of failure scenarios to check in an FMMD hierarchy (with fixed parameters for $|{\FG}|$ and $|fm(c_i)|$)
with equation~\ref{eqn:anscen}.
\begin{equation}
\label{eqn:anscen}
\sum_{n=0}^{L} {k}^{n}.k.f.(k-1)
\end{equation}
The thinking behind equation~\ref{eqn:anscen}, is that for each level of analysis -- counting down from the top --
there are ${k}^{n}$ {\fgs} within each level; we need to apply RFMEA to each {\fg} on the level.
The number of checks to make for RFMEA is the number of components $k$ multiplied by the number of failure modes $f$
checked against the remaining components in the {\fg} $(k-1)$.
If, for the sake of example we fix the number of components in a {\fg} to three and
the number of failure modes per component to three, an FMMD hierarchy
would look like figure~\ref{fig:three_tree}.
\subsection{Worked Example}
Using the diagram in figure~\ref{fig:three_tree}, we have three levels of analysis.
Starting at the top, we have a {\fg} with three derived components, each of which has
three failure modes.
Thus the number of checks to make in the top level is $3^0.3.2.3=18$.
On the level below that, we have three {\fgs} each with
an identical number of checks, $3^1.3.2.3=56$.%{\fg}
On the level below that we have nine {\fgs}, $3^2.3.2.3=168$.
Adding these together gives $242$ checks to make to perform FMMD (i.e. RFMEA {\em{within the}}
{\fgs}).
If we were to take the system represented in figure~\ref{fig:three_tree}, and
apply RFMEA on it as a whole system, we can use equation~\ref{eqn:CC},
$CC(G) = \sum_{n=1}^{|G|} |fm(c_n)|.(|G|-1)$, where $|G|$ is 27, $|fm(c_n)|$ is 3
and $(|G|-1)$ is 26.
This gives:
$CC(G) = \sum_{n=1}^{27} |3|.(|27|-1) = 2106$.
In order to get general equations with which to compare RFMEA with FMMD
we can re-write equation~\ref{eqn:CC} in terms of the number of levels
in an FMMD hierarchy.
%
The number of components in the system is the number of components
in a {\fg} raised to the power of the level plus one.
Thus we re-write equation~\ref{eqn:CC} as:
\begin{equation}
\label{eqn:fmea_state_exp21}
\sum_{n=1}^{k^{L+1}} (k^{L+1}-1).f \; , % \\
%(N^2 - N).f
\end{equation}
or
\begin{equation}
\label{eqn:fmea_state_exp22}
k^{L+1}.(k^{L+1}-1).f \;. % \\
%(N^2 - N).f
\end{equation}
We can now use equation~\ref{eqn:anscen} and \ref{eqn:fmea_state_exp22} to compare (for fixed sizes of $|G|$ and $|fm(c)|$)
the two approaches, for the work required to perform rigorous checking.
For instance, having four levels
of FMMD analysis, with these fixed numbers,
%(in addition to the top zeroth level)
will require 81 base level components.
$$
%\begin{equation}
% \label{eqn:fmea_state_exp22}
3^4.(3^4-1).3 = 81.(81-1).3 = 19440 % \\
%(N^2 - N).f
%\end{equation}
$$
$$
%\begin{equation}
% \label{eqn:anscen}
\sum_{n=0}^{3} {3}^{n}.3.3.(2) = 720
%\end{equation}
$$
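
The following Python sketch is an added example, not part of the original analysis: it evaluates equation~\ref{eqn:CC} for a single {\fg}, applies equation~\ref{eqn:gf} to an explicitly built fixed-parameter hierarchy, and checks the result against the closed forms of equations~\ref{eqn:anscen} and~\ref{eqn:fmea_state_exp22}. All function names are assumptions of the example, and levels are indexed $0 \ldots L$ as in the summation limits above.

```python
"""Comparison complexity (CC) of RFMEA versus a fixed-parameter FMMD hierarchy.

Added illustration; function names are assumptions of this example.
A functional group is given as a list holding |fm(c_i)| for each component.
"""
from typing import List, Tuple

FunctionalGroup = List[int]
Level = List[FunctionalGroup]


def cc_group(fm_counts: FunctionalGroup) -> int:
    """CC of one functional group: (n - 1) * sum of |fm(c_i)|."""
    return (len(fm_counts) - 1) * sum(fm_counts)


def cc_hierarchy(levels: List[Level]) -> int:
    """CC of a hierarchy: CC of every functional group on every level, summed."""
    return sum(cc_group(fg) for level in levels for fg in level)


def fixed_hierarchy(k: int, f: int, top: int) -> List[Level]:
    """Build levels 0..top, counted down from the top of the hierarchy.

    Level n holds k**n functional groups, each with k components, and every
    component (base or derived) is assumed to have exactly f failure modes.
    """
    return [[[f] * k for _ in range(k ** n)] for n in range(top + 1)]


def cc_fmmd_fixed(k: int, f: int, top: int) -> int:
    """Closed form: sum over n = 0..top of k^n . k . f . (k - 1)."""
    return sum(k ** n * k * f * (k - 1) for n in range(top + 1))


def cc_rfmea_fixed(k: int, f: int, top: int) -> int:
    """RFMEA over all k^(top+1) base components treated as one group."""
    components = k ** (top + 1)
    return components * (components - 1) * f


def comparison(k: int, f: int, max_top: int) -> List[Tuple[int, int, int, int]]:
    """Rows of (top index, base components, FMMD checks, RFMEA checks)."""
    rows = []
    for top in range(max_top + 1):
        fmmd = cc_hierarchy(fixed_hierarchy(k, f, top))
        # The general formula and the closed form must agree.
        if fmmd != cc_fmmd_fixed(k, f, top):
            raise AssertionError("general and closed-form CC disagree")
        rows.append((top, k ** (top + 1), fmmd, cc_rfmea_fixed(k, f, top)))
    return rows


if __name__ == "__main__":
    # Potential divider: two resistors with two failure modes each.
    print("CC(potdiv)     =", cc_group([2, 2]))
    # Fictitious flat system: 81 components with three failure modes each.
    print("CC(fictitious) =", cc_group([3] * 81))
    print("top  components  FMMD  RFMEA")
    for top, comps, fmmd, rfmea in comparison(3, 3, 3):
        print(f"{top:3d}  {comps:10d}  {fmmd:4d}  {rfmea:5d}")
```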
% \subsection{Exponential squared to Exponential}
%
% can I say that ?
\section{Problems in choosing membership of functional groups}
\subsection{Side Effects: A Problem for FMMD analysis}
A problem with modularising according to functionality is that we can have component failures that would
intuitively be associated with one {\fg} that may cause unintended side effects in other
{\fgs}.
For instance were we to have a component that on failing $SHORT$ could bring down
a voltage supply rail, this could have drastic consequences for other
functional groups in the system we are examining.
\pagebreak[3]
\subsubsection{Example: de-coupling capacitors in logic circuits}
A good example of this is the de-coupling capacitor, often used
over the power supply pins of all chips in a digital logic circuit.
Were any of these capacitors to fail $SHORT$ they could bring down
the supply voltage to the other logic chips.
To a power-supply, shorted capacitors on the supply rails
are a potential source of the symptom, $SUPPLY\_SHORT$.
In a logic chip/digital circuit {\fg} open capacitors are a potential
source of symptoms caused by the failure mode $INTERFERENCE$.
So we have a `symptom' of the power-supply, and a `failure~mode' of
the logic chip to consider.
A possible solution to this is to include the de-coupling capacitors
in the power-supply {\fg}.
% decision, could they be included in both places ????
% I think so
Because the capacitor has two potential failure modes (EN298)
this raises another issue for FMMD. A de-coupling capacitor going $OPEN$ might not be considered relevant to
a power-supply module (but there might be additional noise on its output rails).
But in {\fg} terms the power supply now has a new symptom, that of $INTERFERENCE$.
Some logic chips are more susceptible to $INTERFERENCE$ than others.
A logic chip with a failing de-coupling capacitor may operate correctly
but interfere with other chips in the circuit.
There is no reason why the de-coupling capacitors could not be included {\em in the {\fg} they would intuitively be associated with as well}.
This allows for the general principle of a component failure affecting more than one {\fg} in a circuit.
This allows functional groups to share components where necessary.
This does not break the modularity of the FMMD technique, because, as {\irl}
one component failure may affect more than one sub-system.
It does uncover a weakness in the FMMD methodology though.
It could be very easy to miss the side effect and include
the component causing the side effect into the wrong {\fg}, or only one germane {\fg}.
\section{Double Simultaneous Failures}
The probability for independent double simultaneous component failures (because we would multiply the probabilities of failure) is very low.
However, some critical systems have to consider these types of eventualities.
The burner control industry has to consider double failures, as specified in European Norm
EN298~\cite{en298}. EN298 does not specifically state that
double simultaneous failures must be considered. What it does say is that
in the event of a lockout---a condition where an error has been detected and
the equipment moves to a safe non-functioning state---no secondary failure may cause a dangerous condition.
%
This is slightly vague: there are so many possible component failures that could
cause a secondary failure, that it is very difficult not to interpret this
as meaning we have to cater for double simultaneous failures for the most critical sections
of a burner control system.
%
In practice---in the field of EN298: burner controllers---this means triple safeguards to ensure the fuel
is not allowed to flow under an error condition. This would of course leave the possibility of
other more complex double failures tricking the controller into thinking the
combustion was actually safe when it was not.
%
It would be impractical to
perform the number of checks (as the checking is a time-consuming human process) required of RFMEA on a system as complex as a burner controller.
It has been shown that, for all but trivial small systems, double failure mode checking
is impossible from a practical perspective.
FMMD can reduce the number of checks to make to achieve double simultaneous failure checking -- but by the very nature
of choosing {\fgs} we will not (in the initial stages) be cross checking all possible
combinations of double failures in all the components.
The diagram in figure~\ref{fig:dubsim1}, uses Euler diagrams to model failure modes (as closed contours) and asterisks
to model failure mode scenarios. The failure scenario is defined by the contours that enclose it.
Consider a system which has four components $c_1 \ldots c_4$.
Consider that each of these components may fail in two ways: $a$ and $b$, i.e. $fm(c_1) = fm(c_2) = \{a,b\}$.
Now consider two {\fgs}, $fg1 = \{ c_1, c_2 \}$ and $fg2 = \{ c_3, c_4 \}$.
We list all the possible failure scenarios as $FS1 \ldots FS6$ for each functional group.
For instance $FS5$ is the result of component $c_2$ failing with failure mode $a$ and component $c_1$ failing
with failure mode $b$. We can express this as $c_2 a \cup c_1 b$.
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/dubsim1.png}
% dubsim1.png: 612x330 pixel, 72dpi, 21.59x11.64 cm, bb=0 0 612 330
\caption{Simultaneous Failure Mode Scenarios}
\label{fig:dubsim1}
\end{figure}
From figure~\ref{fig:dubsim1} we can see that the double failure modes within the {\fgs} have been examined.
How do we model the double failures that occur across the {\fgs}, for instance
$c_4 a \cup c_1 a$?
It could be argued that because functional groups are chosen for their functionality, and re-usability
that component failures in one should not affect a different {\fg}, but this is a weak argument.
Merely double checking within {\fgs} would be marginally better than
only applying it to the most obvious critical elements of a system.
What is really required is a way that all double simultaneous failures
are checked.
One way of doing this is to apply double failure mode
checking to all {\fgs} higher up in the hierarchy.
This guarantees to check the symptoms caused by the
failure modes in the other {\fgs} with the symptoms
derived from the other {\fgs} modelling for double failures.
%
By traversing down the tree we can automatically determine which
double simultaneous combinations have not been resolved.
%
By applying double simultaneous checking until no single failures
can lead to a top level event, we obtain
double failure mode coverage.
To extend the example in figure~\ref{fig:dubsim1} we can map the failure
scenarios.
For Functional Group 1 (FG1), let us map:
\begin{eqnarray*}
FS1 & \mapsto & S1 \\
FS2 & \mapsto & S3 \\
FS3 & \mapsto & S1 \\
FS4 & \mapsto & S2 \\
FS5 & \mapsto & S2 \\
FS6 & \mapsto & S3
\end{eqnarray*}
Thus a derived component, DC1, has the failure modes defined by $fm(DC1) = \{ S1, S2, S3 \}$.
For Functional Group 2 (FG2), let us map:
\begin{eqnarray*}
FS1 & \mapsto & S4 \\
FS2 & \mapsto & S5 \\
FS3 & \mapsto & S5 \\
FS4 & \mapsto & S4 \\
FS5 & \mapsto & S6 \\
FS6 & \mapsto & S5
\end{eqnarray*}
%This AUTOMATIC check can reveal WHEN double checking no longer necessary
%in the hierarchy to cover dub sum !!!!! YESSSS
\section{Example Analysis: Non-Inverting OPAMP}
Consider a non inverting op-amp designed to amplify
a small positive voltage (typical use would be a thermocouple amplifier
taking a range from 0 to 25mV and amplifying it to the useful range of an ADC, approx 0 to 4 volts).
\begin{figure}[h]
\centering
\includegraphics[width=100pt]{CH5_Examples/mvampcircuit.png}
% mvampcircuit.png: 243x143 pixel, 72dpi, 8.57x5.04 cm, bb=0 0 243 143
\caption{Positive mV amplifier circuit}
\label{fig:mvampcircuit}
\end{figure}
We can begin by looking for functional groups.
The resistors $ R1, R2 $ perform a fairly common function in electronics, that of the potential divider.
So we can examine $\{ R1, R2 \}$ as a {\fg}.
\subsection{The Resistor in terms of failure modes}
We can now determine how the resistors can fail.
According to GAS standard EN298 the failure modes to consider for resistors are OPEN and SHORT.
We can express the failure modes of a component using the function $fm$, thus for the resistor, $ fm(R) = \{ OPEN, SHORT \}$.
We have two resistors in this circuit and therefore four component failure modes to consider for the potential divider.
We can now examine what effect each of these failures will have on the {\fg} (see table~\ref{tbl:pd}).
\subsection{Analysing a potential divider in terms of failure modes}
\label{potdivfmmd}
\begin{figure}[h]
\centering
\includegraphics[width=100pt,keepaspectratio=true]{CH5_Examples/pd.png}
% pd.png: 361x241 pixel, 72dpi, 12.74x8.50 cm, bb=0 0 361 241
\caption{Potential Divider Circuit}
\label{fig:pdcircuit}
\end{figure}
\begin{table}[h]
\caption{Potential Divider: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Pot Div Effect} & & \textbf{Symptom} \\
\hline
FS1: R1 SHORT & & $LOW$ & & $PDLow$ \\
FS2: R1 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline
FS3: R2 SHORT & & $HIGH$ & & $PDHigh$ \\
FS4: R2 OPEN & & $LOW$ & & $PDLow$ \\ \hline
\hline
\end{tabular}
\label{tbl:pd}
\end{table}
We can now create a {\dc} for the potential divider, $PD$.
$$ fm(PD) = \{ PDLow, PDHigh \}$$
Let us now consider the op-amp. According to
FMD-91~\cite{fmd91}[3-116] an op amp may have the following failure modes:
latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
\subsection{Analysing the non-inverting amplifier in terms of failure modes}
$$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
We can now form a {\fg} with $PD$ and $OPAMP$.
\begin{figure}
\centering
\includegraphics[width=300pt]{CH5_Examples/non_inv_amp_fmea.png}
% non_inv_amp_fmea.png: 964x492 pixel, 96dpi, 25.50x13.02 cm, bb=0 0 723 369
\label{fig:invampanalysis}
\end{figure}
\begin{table}[h]
\caption{NIAMP: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Non In Amp Effect} & & \textbf{Symptom} \\
\hline
FS1: PD HIGH & & $LOW$ & & $Low$ \\
FS2: PD LOW & & $HIGH$ & & $High$ \\ \hline
FS3: OPAMP $L_{UP}$ & & $HIGH$ & & $High$ \\
FS4: OPAMP $L_{DOWN}$ & & $LOW$ & & $Low$ \\
FS5: OPAMP $Noop$ & & $LOW$ & & $Low$ \\
FS6: OPAMP $Low slew$ & & $LOW$ & & $Lowpass$ \\ \hline
\hline
\end{tabular}
\label{tbl:niamp}
\end{table}
We can collect symptoms from the analysis and create a derived component
to represent the non-inverting amplifier $NI\_AMP$.
We can now express the failure mode behaviour of this type of amplifier thus:
$$ fm(NIAMP) = \{ {lowpass}, {high}, {low} \}.$$
\clearpage
\section{Inverting OPAMP}
\label{sec:invamp}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/invamp.png}
% invamp.png: 378x207 pixel, 72dpi, 13.34x7.30 cm, bb=0 0 378 207
\caption{Inverting Amplifier Configuration}
\label{fig:invamp}
\end{figure}
%This configuration is interesting from methodology pers.
There are two obvious ways in which we can model this circuit:
One is to do this in two stages, by considering the gain resistors to be an inverted potential divider
and then combining it with the OPAMP failure mode model.
The second is to place all three components in a {\fg}.
Both approaches are followed in the next two sub-sections.
\subsection{Inverting OPAMP using a Potential Divider {\dc}}
We cannot simply re-use the $PD$ from section~\ref{potdivfmmd}---that potential divider would only be valid if the input signal were negative.
We want, if possible, to have detectable errors; HIGH and LOW are better than OUTOFRANGE.
If we can refine the operational states of the functional group, we can obtain clearer
symptoms.
If we consider the input will only be positive, we can invert the potential divider (see table~\ref{tbl:pdneg}).
\begin{table}[h]
\caption{Inverted Potential divider: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Inverted Pot Div Effect} & & \textbf{Symptom} \\
\hline
FS1: R1 SHORT & & $HIGH$ & & $PDHigh$ \\ \hline
FS2: R1 OPEN & & $LOW$ & & $PDLow$ \\ \hline
FS3: R2 SHORT & & $LOW$ & & $PDLow$ \\ \hline
FS4: R2 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline
\hline
\end{tabular}
\label{tbl:pdneg}
\end{table}
We can form a {\dc} from this, and call it an inverted potential divider $INVPD$.
We can now form a {\fg} from the OPAMP and the $INVPD$.
\begin{table}[h]
\caption{Inverting Amplifier: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\hline
FS1: INVPD LOW & & NEGATIVE on -input & & $ HIGH $ \\
FS2: INVPD HIGH & & Positive on -input & & $ LOW $ \\
FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\ \hline
FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
\hline
\end{tabular}
\label{tbl:invamppd}
\end{table}
This gives the same results as the analysis from figure~\ref{fig:invampanalysis}.
%The differences are the root causes or component failure modes that
%lead to the symptoms (i.e. the symptoms are the same but causation tree will be different).
$$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$
\subsection{Inverting OPAMP analysing with three components in one {\fg}}
%We can use this for a more general case, because we can examine the
%effects on the circuit for each operational case (i.e. input +ve
%or input -ve), see table~\ref{tbl:invamp}.
%Because symptom collection is defined as surjective (from component failure modes
%to symptoms) we cannot have a component failure mode that maps to two different symptoms (within a functional group).
%Note that here we have a more general symptom $ OUT OF RANGE $ which could mean either
%$HIGH$ or $LOW$ output.
% 08feb2012 bugger considering -ve input. It complicates things.
% maybe do an ac amplifier later at some stage.
\begin{table}[h]
\caption{Inverting Amplifier: Single failure analysis: 3 components}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\hline
FS1: R1 SHORT & & NEGATIVE out of range & & $ HIGH $ \\
% FS1: R1 SHORT -ve in & & POSITIVE out of range & & $ OUT OF RANGE $ \\ \hline
FS2: R1 OPEN & & zero output & & $ LOW $ \\
% FS2: R1 OPEN -ve in & & zero output & & $ ZERO OUTPUT $ \\ \hline
FS3: R2 SHORT & & $INVAMP_{nogain} $ & & $ LOW $ \\
% FS3: R2 SHORT -ve in & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline
FS4: R2 OPEN & & NEGATIVE out of range & & $ LOW$ \\
% FS4: R2 OPEN -ve in & & POSITIVE out of range $ $ & & $OUT OF RANGE $ \\ \hline
FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\ \hline
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\ \hline
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline
FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
\hline
\end{tabular}
\label{tbl:invamp}
\end{table}
$$ fm(INVAMP) = \{ HIGH, LOW, NO GAIN, LOW PASS \} $$
%Much more general. OUT OF RANGE symptom maps to many component failure modes.
%Observability problem... system. In fact can we get a metric of how observable
%a system is using the ratio of component failure modes X op states to a symptom ????
%Could further refine this if MTTF stats available for each component failure.
%\clearpage
\subsection{Comparison between the two approaches}
\label{sec:invampcc}
The first analysis looks at an inverted potential divider, analyses its failure modes,
and from this we obtain a {\dc} (INVPD).
We applied a second analysis stage with the known failure modes of the op-amp and the failure modes of INVPD.
The second analysis (3 components) has to look at the effects of each failure mode of each resistor
on the op-amp circuit. This is more to think about---or in other words an increase in the complexity of the analysis---than comparing the two known failure modes
from the pre-analysed inverted potential divider. The complexity comparison figures
bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
and for the second analysis a CC of $8.(3-1)=16$.
% CAN WE MODULARISE TOO FAR???? CAN W MAKE IT TOO FINELY GRAINED. 08FEB2012
%Again, for the two stage analysis, using equation~\ref{eqn:rd}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
%and for the second analysis a CC of $8.(3-2)=16$.
%If the input voltage can be negative the potential divider
%becomes reversed in polarity.
%This means that detecting which failure mode has occurred from knowing the symptom, has become a more difficult task; or in other words
%the observability of the causes of failure are reduced. Instead of the more specific symptoms $HIGH$ or $LOW$ we
%obtain $OUT OF RANGE$ instead.
\clearpage
\section{Op-Amp circuit 1}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit1001.png}
% circuit1001.png: 420x300 pixel, 72dpi, 14.82x10.58 cm, bb=0 0 420 300
\caption{Circuit 1}
\label{fig:circuit1}
\end{figure}
The amplifier in figure~\ref{fig:circuit1} amplifies the difference between
the input voltages $+V1$ and $+V2$.
It would be desirable to represent this circuit as a derived component called say $DiffAMP$.
We begin by identifying functional groups from the components in the circuit.
\subsection{Functional Group: Potential Divider}
For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{potdivfmmd}.
%R1 and R2 perform as a potential divider.
%Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A).
%$$ fm(R) = \{ OPEN, SHORT \}$$
% \begin{table}[ht]
% \caption{Potential Divider $PD$: Failure Mode Effects Analysis: Single Faults} % title of Table
% \centering % used for centering table
% \begin{tabular}{||l|c|c|l|l||}
% \hline \hline
% \textbf{Test} & \textbf{Pot.Div} & \textbf{ } & \textbf{General} \\
% \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% % R & wire & res + & res - & description
% \hline
% \hline
% TC1: $R_1$ SHORT & LOW & & LowPD \\
% TC2: $R_1$ OPEN & HIGH & & HighPD \\ \hline
% TC3: $R_2$ SHORT & HIGH & & HighPD \\
% TC4: $R_2$ OPEN & LOW & & LowPD \\ \hline
% \hline
% \end{tabular}
% \label{tbl:pdfmea}
% \end{table}
%
% By collecting the symptoms in table~\ref{tbl:pdfmea} we can create a derived
% component $PD$ to represent the failure mode behaviour
% of a potential divider.
Thus for single failure modes, a potential divider can fail
with $fm(PD) = \{PDHigh,PDLow\}$.
The potential divider is used to program the gain of IC1.
IC1 and PD provide the function of buffering/amplifying
the signal $+V1$.
We can now examine IC1 and PD as a functional group.
\pagebreak[3]
\subsection{Functional Group: Amplifier}
Let us now consider the op-amp. According to
FMD-91~\cite{fmd91}[3-116] an op amp may have the following failure modes:
latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
$$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
By bringing the $PD$ derived component and the $OPAMP$ into
a functional group we can analyse its failure mode behaviour.
\begin{table}[ht]
\caption{Non Inverting Amplifier $NI\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & AMPHigh \\
TC2: $OPAMP$ LatchDown & Output Low : Low gain& & AMPLow \\ \hline
TC3: $OPAMP$ No Operation & Output Low & & AMPLow \\
TC4: $OPAMP$ Low Slew & Low pass filtering & & LowPass \\ \hline
TC5: $PD$ LowPD & Output High & & AMPHigh \\ \hline
TC6: $PD$ HighPD & Output Low : Low Gain& & AMPLow \\ \hline
%TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
Collecting the symptoms we can see that this amplifier fails
in 3 ways $\{ AMPHigh, AMPLow, LowPass \}$.
We can now create a derived component, $NI\_AMP$, to represent it.
$$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} $$
\subsection{The second Stage of the amplifier}
The second stage of this amplifier, following the signal path, is the amplifier
consisting of $R3,R4,IC2$.
This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier.
The first amplifier was grounded and received as input `+V1' (presumably
a positive voltage).
This means the junction of R1 R3 is always +ve.
This means the input voltage `+V2' could be lower than this.
This means R3 R4 is not a potential divider with R4 being on the positive side.
It could be on either polarity (i.e. the other way around R4 could be the negative side).
Here it is more intuitive to model the resistors not as a potential divider, but individually.
%This means we are either going to
%get a high or low reading if R3 or R4 fail.
\begin{table}[ht]
\caption{Second Amplifier $SEC\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & AMPHigh \\
TC2: $OPAMP$ LatchDown & Output Low : Low gain & & AMPLow \\ \hline
TC3: $OPAMP$ No Operation & Output Low & & AMPLow \\
TC4: $OPAMP$ Low Slew & Low pass filtering & & LowPass \\ \hline
TC5: $R3\_open$ & +V2 follower & & AMPIncorrectOutput\\ \hline
TC6: $R3\_short$ & Undefined & & AMPIncorrectOutput \\
& (impedance of IC1 vs +V2) & & \\ \hline
TC7: $R4\_open$ & High or Low output & & AMPIncorrectOutput \\
& +V2$>$+V1 $\mapsto$ High & & \\
& +V1$>$+V2 $\mapsto$ Low & & \\ \hline
TC8: $R4\_short$ & +V2 follower & & AMPIncorrectOutput \\ \hline
%TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
Collecting the symptoms we can see that this amplifier fails
in 4 ways $\{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput\}$.
We can now create a derived component, $SEC\_AMP$, to represent it.
$$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} $$
%Its failure modes are therefore the same. We can therefore re-use
%the derived component for $NI\_AMP$
\pagebreak[4]
\subsection{Modelling the circuit}
For the final stage of this we can create a functional group consisting of
two derived components of the type $NI\_AMP$ and $SEC\_AMP$.
\begin{table}[ht]
\caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Dual Amplifier} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $NI\_AMP$ AMPHigh & opamp 2 driven high & & DiffAMPLow \\
TC2: $NI\_AMP$ AMPLow & opamp 2 driven low & & DiffAMPHigh \\
TC3: $NI\_AMP$ LowPass & opamp 2 driven with lag & & DiffAMP\_LP \\ \hline
TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & & DiffAMPHigh\\
TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & & DiffAMPLow \\
TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & & DiffAMP\_LP \\ \hline
TC7: $SEC\_AMP$ IncorrectOutput & Output voltage & & DiffAMPIncorrect \\
TC7: $SEC\_AMP$ & $ \neg (V2 - V1) $ & & \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
Collecting the symptoms, we can determine the failure modes for this circuit, $\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$.
We now create a derived component to represent the circuit in figure~\ref{fig:circuit1}.
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$
It is interesting to note here that we can draw a directed graph (figure~\ref{fig:circuit1_dag})
of the failure modes and derived components.
Using this we can trace any top level fault back to
a component failure mode that could have caused it.
In fact we can re-construct an FTA diagram from the information in this graph.
We merely have to choose a top level event and work down using $XOR$ gates.
This circuit performs poorly from a safety point of view.
Its failure modes could be indistinguishable from valid readings (especially
when it becomes a V2 follower).
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{CH5_Examples/circuit1_dag.png}
% circuit1_dag.png: 797x1145 pixel, 72dpi, 28.12x40.39 cm, bb=0 0 797 1145
\caption{Directed Acyclic Graph of Circuit1 failure modes}
\label{fig:circuit1_dag}
\end{figure}
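
The traceability described above can be checked mechanically. The following Python sketch is an added example, not part of the original analysis: it encodes the failure-mode-to-symptom tables for $PD$, $NI\_AMP$, $SEC\_AMP$ and $DiffAMP$, verifies that every failure mode of every member component is mapped to a symptom, and walks the graph from a top level symptom down to the base component failure modes. The data layout and function names are assumptions; symptom names follow the $fm$ sets given in the text, and the first stage op-amp is taken to be IC1 and the second IC2.

```python
"""Symptom collection and fault tracing for the Circuit 1 hierarchy.

Added illustration; data structures and names are assumptions. The maps
are transcribed from the analysis tables, using the names in the fm() sets.
"""
from typing import Dict, List, Optional, Set, Tuple

Mode = Tuple[str, str]  # (component name, failure mode)

RESISTOR = {"OPEN", "SHORT"}
OPAMP = {"L_up", "L_dn", "Noop", "L_slew"}
BASE: Dict[str, Set[str]] = {
    "R1": RESISTOR, "R2": RESISTOR, "R3": RESISTOR, "R4": RESISTOR,
    "IC1": OPAMP, "IC2": OPAMP,
}

# Functional group membership; each group yields a derived component.
MEMBERS: Dict[str, List[str]] = {
    "PD": ["R1", "R2"],
    "NI_AMP": ["PD", "IC1"],
    "SEC_AMP": ["R3", "R4", "IC2"],
    "DiffAMP": ["NI_AMP", "SEC_AMP"],
}

SYMPTOMS: Dict[str, Dict[Mode, str]] = {
    "PD": {
        ("R1", "SHORT"): "PDLow", ("R1", "OPEN"): "PDHigh",
        ("R2", "SHORT"): "PDHigh", ("R2", "OPEN"): "PDLow",
    },
    "NI_AMP": {
        ("IC1", "L_up"): "AMPHigh", ("IC1", "L_dn"): "AMPLow",
        ("IC1", "Noop"): "AMPLow", ("IC1", "L_slew"): "LowPass",
        ("PD", "PDLow"): "AMPHigh", ("PD", "PDHigh"): "AMPLow",
    },
    "SEC_AMP": {
        ("IC2", "L_up"): "AMPHigh", ("IC2", "L_dn"): "AMPLow",
        ("IC2", "Noop"): "AMPLow", ("IC2", "L_slew"): "LowPass",
        ("R3", "OPEN"): "AMPIncorrectOutput",
        ("R3", "SHORT"): "AMPIncorrectOutput",
        ("R4", "OPEN"): "AMPIncorrectOutput",
        ("R4", "SHORT"): "AMPIncorrectOutput",
    },
    "DiffAMP": {
        ("NI_AMP", "AMPHigh"): "DiffAMPLow",
        ("NI_AMP", "AMPLow"): "DiffAMPHigh",
        ("NI_AMP", "LowPass"): "DiffAMP_LP",
        ("SEC_AMP", "AMPHigh"): "DiffAMPHigh",
        ("SEC_AMP", "AMPLow"): "DiffAMPLow",
        ("SEC_AMP", "LowPass"): "DiffAMP_LP",
        ("SEC_AMP", "AMPIncorrectOutput"): "DiffAMPIncorrect",
    },
}


def fm(component: str) -> Set[str]:
    """Failure modes of a base part, or collected symptoms of a derived one."""
    if component in BASE:
        return set(BASE[component])
    return set(SYMPTOMS[component].values())


def check_group(group: str,
                table: Optional[Dict[Mode, str]] = None) -> Tuple[Set[Mode], Set[Mode]]:
    """Return (unmapped member failure modes, table rows naming unknown modes)."""
    table = SYMPTOMS[group] if table is None else table
    expected = {(c, m) for c in MEMBERS[group] for m in fm(c)}
    return expected - set(table), set(table) - expected


def root_causes(component: str, mode: str) -> Set[Mode]:
    """Trace a failure mode down the graph to base component failure modes."""
    if component in BASE:
        return {(component, mode)}
    causes: Set[Mode] = set()
    for (member, member_mode), symptom in SYMPTOMS[component].items():
        if symptom == mode:
            causes |= root_causes(member, member_mode)
    return causes


if __name__ == "__main__":
    for group in MEMBERS:
        print(group, "unmapped/unknown:", check_group(group))
    for symptom in sorted(fm("DiffAMP")):
        print(symptom, "<-", sorted(root_causes("DiffAMP", symptom)))
```

Because the check compares names exactly, a table row written with a different spelling of a symptom (for example LowPD where $fm(PD)$ gives PDLow) is reported both as an unmapped failure mode and as an unknown one.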
\clearpage
\section{Op-Amp circuit 2}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002.png}
% circuit2002.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Circuit 2}
\label{fig:circuit2}
\end{figure}
The circuit in figure~\ref{fig:circuit2} shows a five pole low pass filter.
Starting at the input, we have a first order low pass filter buffered by an op-amp,
the output of this is passed to a Sallen~Key~\cite{aoe}[p.267] second order lowpass filter.
The output of this is passed into another Sallen~Key filter -- which although it may have different values
for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective.
Thus we can analyse the first Sallen~Key low pass filter and re-use the results.
\begin{figure}[h]
\centering
\includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/blockdiagramcircuit2.png}
% blockdiagramcircuit2.png: 689x83 pixel, 72dpi, 24.31x2.93 cm, bb=0 0 689 83
\caption{Signal Flow through the five pole low pass filter}
\label{fig:blockdiagramcircuit2}
\end{figure}
\paragraph{First Order Low Pass Filter.}
\label{sec:lp}
We begin with the first order low pass filter formed by $R10$ and $C10$.
%
This configuration (or {\fg}) is very commonly
used in electronics to remove unwanted high frequencies/interference
from a signal; here it is being used as a first stage of
a more sophisticated low pass filter.
%
R10 and C10 act as a potential divider, with the crucial difference from a purely resistive potential divider being
that the impedance of the capacitor is lower for higher frequencies.
Thus higher frequencies are attenuated at the point that we
read its output signal.
However, from a failure mode perspective we can analyse it in a very similar way
to a potential divider (see section~\ref{potdivfmmd}).
Capacitors generally fail OPEN but some types fail OPEN and SHORT.
We will consider the latter type for this analysis.
We analyse the first order low pass filter in table~\ref{tbl:firstorderlp}.\\
\begin{table}[h]
\caption{FirstOrderLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firstorderlp}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\
& & \textbf{Low Pass Filter} & & \\
\hline
FS1: R10 SHORT & & $No Filtering$ & & $LPnofilter$ \\ \hline
FS2: R10 OPEN & & $No Signal$ & & $LPnosignal$ \\ \hline
FS3: C10 SHORT & & $No Signal$ & & $LPnosignal$ \\ \hline
FS4: C10 OPEN & & $No Filtering$ & & $LPnofilter$ \\ \hline
\hline
\end{tabular}
\end{table}
We can collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component
called $FirstOrderLP$. Applying the $fm$ function yields $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
\paragraph{Addition of Buffer Amplifier: First stage.}
The opamp IC1 is being used simply as a buffer. By placing it between the next stages
on the signal path we remove the possibility of unwanted signal feedback.
The buffer is one of the simplest op-amp configurations.
It has no other components, and so we can now form a {\fg}
from the $FirstOrderLP$ and the OPAMP component.
\begin{table}[ht]
\caption{First Stage LP1: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firststage}
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & LP1High \\
TC2: $OPAMP$ LatchDown & Output Low & & LP1Low \\
TC3: $OPAMP$ No Operation & Output Low & & LP1Low \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & & LP1filterincorrect \\ \hline
TC5: $LPnofilter $ & No low pass filtering & & LP1filterincorrect \\
TC6: $LPnosignal $ & No input signal & & LP1nosignal \\ \hline
\hline
\hline
\end{tabular}
\end{table}
From the table~\ref{tbl:firststage} we can see three symptoms of failure of
the first stage of this circuit (i.e. R10,C10,IC1).
We can create a derived component for it; let's call it $LP1$.
$$ fm(LP1) = \{ LP1High, LP1Low, LP1filterincorrect, LP1nosignal \} $$
In terms of the circuit we have modelled the functional groups $FirstOrderLP$, and
$LP1$. We can represent these on the circuit diagram by drawing contours around the components
on the schematic as in figure~\ref{fig:circuit2002_LP1}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/circuit2002_LP1.png}
% circuit2002_LP1.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Circuit showing functional groups modelled so far.}
\label{fig:circuit2002_LP1}
\end{figure}
\paragraph{Second order Sallen Key Low Pass Filter.}
The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
From a failure mode perspective these are identical.
We can analyse the first one and then re-use these results for the second.
\begin{table}[ht]
\caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & & SKLPHigh \\
TC2: $OPAMP$ LatchDown & Output Low & & SKLPLow \\
TC3: $OPAMP$ No Operation & Output Low & & SKLPLow \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & & SKLPfilterIncorrect \\ \hline
TC5: R1 OPEN & No input signal & & SKLPfilterIncorrect \\
TC6: R1 SHORT & incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline
TC7: R2 OPEN & No input signal & & SKLPnosignal \\
TC8: R2 SHORT & incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline
TC9: C1 OPEN & reduced/incorrect low pass filtering & & SKLPfilterIncorrect\\
TC10: C1 SHORT & reduced/incorrect low pass filtering & & SKLPfilterIncorrect \\ \hline
TC11: C2 OPEN & reduced/incorrect low pass filtering & & SKLPfilterIncorrect \\
TC12: C2 SHORT & No input signal, low signal & & SKLPnosignal \\ \hline
\hline
\hline
\end{tabular}
\label{tbl:sallenkeylp}
\end{table}
We now can create a derived component to represent the Sallen Key low pass filter, which we can call $SKLP$.
$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$
\paragraph{A failure mode model of Op-Amp Circuit 2.}
We now have {\dcs} representing the three stages of this filter
and this follows the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}).
As the signal has to pass through each block/stage
in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg}
in order to get a failure mode model for the whole circuit.
We can index the Sallen Key stages, and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002_FIVEPOLE.png}
% circuit2002_FIVEPOLE.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Functional Groups in Five Pole Low Pass Filter on schematic}
\label{fig:circuit2002_FIVEPOLE}
\end{figure}
\pagebreak[4]
So our final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$.
We represent the desired FMMD hierarchy in figure~\ref{fig:circuit2h}.
\begin{figure}[h]
\centering
\includegraphics[width=300pt]{CH5_Examples/circuit2h.png}
% circuit2h.png: 676x603 pixel, 72dpi, 23.85x21.27 cm, bb=0 0 676 603
\caption{FMMD Hierarchy for five pole Low Pass Filter}
\label{fig:circuit2h}
\end{figure}
%\pagebreak[4]
%$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$
%$$ fm(LP1) = \{ LP1High, LP1Low, LP1ExtraLowPass, LP1NoLowPass \} $$
\begin{table}[ht]
\caption{Five Pole Low Pass Filter: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l|l|l||}
\hline \hline
\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $LP1$ LP1High & signal HIGH & & HIGH \\
TC2: $LP1$ SKLPLow & signal LOW & & LOW \\
TC3: $LP1$ LP1filterIncorrect & filtering incorrect & & FilterIncorrect \\
TC4: $LP1$ LP1nosignal & no signal propagated & & NO\_SIGNAL \\ \hline
TC5: $SKLP_1$ High & signal HIGH & & HIGH \\
TC6: $SKLP_1$ Low & signal LOW & & LOW \\
TC7: $SKLP_1$ filterIncorrect & filtering incorrect & & FilterIncorrect \\
TC8: $SKLP_1$ nosignal & no signal propagated & & NO\_SIGNAL \\ \hline
TC9: $SKLP_2$ High & signal HIGH & & HIGH \\
TC10: $SKLP_2$ Low & signal LOW & & LOW \\
TC11: $SKLP_2$ filterIncorrect & filtering incorrect & & FilterIncorrect \\
TC12: $SKLP_2$ nosignal & no signal propagated & & NO\_SIGNAL \\ \hline
\hline
\hline
\end{tabular}
\label{tbl:fivepole}
\end{table}
We can now create a {\dc} to represent the circuit in figure~\ref{fig:circuit2}. We can call it
$FivePoleLP$; applying the $fm$ function to it (see table~\ref{tbl:fivepole}) yields $fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}$.
\pagebreak[4]
The failure modes for the low pass filters are very similar, and the propagation of the signal
is simple (as it is never inverted). The circuit under analysis is -- as shown in the block diagram (see figure~\ref{fig:blockdiagramcircuit2}) --
three opamp driven non-inverting low pass filter elements; it is not surprising therefore that they have very similar failure modes.
From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$
could be easily detected; the failure symptom $FilterIncorrect$ may be less observable.
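The hierarchy built in this section can be written down as data and checked mechanically. The following Python code is an added example, not part of the original analysis: it rejects a functional group whose table does not cover every failure mode of every component, collects symptoms as the $fm$ of each derived component, and traces a top level symptom such as $FilterIncorrect$ back to the part failure modes that cause it. The class and function names are illustrative, symptom names follow the tables with one spelling throughout, and the $LP1$ row for the $LOW$ symptom is keyed on $LP1Low$ as listed in $fm(LP1)$.

```python
# Added example: the five pole low pass filter hierarchy as checkable data.
# Class and function names are illustrative; rows follow the FMEA tables.

PART_FM = {  # failure modes of the base part types used in the tables
    "R": {"OPEN", "SHORT"},
    "C": {"OPEN", "SHORT"},
    "OPAMP": {"LatchUP", "LatchDown", "NoOperation", "LowSlew"},
}

def fm(component):
    """Failure modes of a base part type or of a derived component."""
    if isinstance(component, FunctionalGroup):
        return set(component.table.values())  # the collected symptoms
    return set(PART_FM[component])

class FunctionalGroup:
    def __init__(self, name, components, table):
        self.name = name
        self.components = components  # instance -> part type or FunctionalGroup
        self.table = table            # (instance, failure mode) -> symptom
        expected = {(i, m) for i, c in components.items() for m in fm(c)}
        if expected != set(table):    # unanalysed modes or stray rows
            raise ValueError(f"{name}: {sorted(expected ^ set(table))}")

    def causes(self, symptom, prefix=""):
        """Part-level failure modes that lead to `symptom`, as paths."""
        found = set()
        for (inst, mode), sym in self.table.items():
            if sym != symptom:
                continue
            comp = self.components[inst]
            if isinstance(comp, FunctionalGroup):
                found |= comp.causes(mode, f"{prefix}{inst}/")
            else:
                found.add(f"{prefix}{inst}:{mode}")
        return found

def opamp_rows(inst, p):
    """The four op-amp test cases, with symptom names prefixed by p."""
    return {(inst, "LatchUP"): p + "High", (inst, "LatchDown"): p + "Low",
            (inst, "NoOperation"): p + "Low",
            (inst, "LowSlew"): p + "filterIncorrect"}

first_order = FunctionalGroup("FirstOrderLP", {"R10": "R", "C10": "C"}, {
    ("R10", "SHORT"): "LPnofilter", ("R10", "OPEN"): "LPnosignal",
    ("C10", "SHORT"): "LPnosignal", ("C10", "OPEN"): "LPnofilter",
})

lp1 = FunctionalGroup("LP1", {"IC1": "OPAMP", "FirstOrderLP": first_order}, {
    **opamp_rows("IC1", "LP1"),
    ("FirstOrderLP", "LPnofilter"): "LP1filterIncorrect",
    ("FirstOrderLP", "LPnosignal"): "LP1nosignal",
})

# Analysed once; the second stage (R3, R4, C3, C4, IC3) re-uses this model,
# so its causes are reported under the part names of the first stage.
sklp = FunctionalGroup(
    "SKLP", {"IC2": "OPAMP", "R1": "R", "R2": "R", "C1": "C", "C2": "C"}, {
        **opamp_rows("IC2", "SKLP"),
        ("R1", "OPEN"): "SKLPfilterIncorrect", ("R1", "SHORT"): "SKLPfilterIncorrect",
        ("R2", "OPEN"): "SKLPnosignal", ("R2", "SHORT"): "SKLPfilterIncorrect",
        ("C1", "OPEN"): "SKLPfilterIncorrect", ("C1", "SHORT"): "SKLPfilterIncorrect",
        ("C2", "OPEN"): "SKLPfilterIncorrect", ("C2", "SHORT"): "SKLPnosignal",
    })

TOP = {"High": "HIGH", "Low": "LOW",
       "filterIncorrect": "FilterIncorrect", "nosignal": "NO_SIGNAL"}

def top_rows(inst, p):
    """Top level rows for one stage: stage symptom -> circuit symptom."""
    return {(inst, p + k): v for k, v in TOP.items()}

five_pole = FunctionalGroup(
    "FivePoleLP", {"LP1": lp1, "SKLP_1": sklp, "SKLP_2": sklp}, {
        **top_rows("LP1", "LP1"), **top_rows("SKLP_1", "SKLP"),
        **top_rows("SKLP_2", "SKLP"),
    })
```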
\clearpage
\section{Op-Amp circuit 3}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit3003.png}
% circuit3003.png: 503x326 pixel, 72dpi, 17.74x11.50 cm, bb=0 0 503 326
\caption{Circuit 3}
\label{fig:circuit3}
\end{figure}
%\clearpage
%\section{Standard Non-inverting OP AMP}
This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37].
The circuit uses four 45 degree phase shifts, and an inverting amplifier to provide
gain and the final 180 degrees of phase shift (making a total of 360 degrees of phase shift).
From a fault finding perspective this circuit is less than ideal.
The signal path is circular (it's a positive feedback circuit) and most failures would simply cause the output to stop oscillating.
%The top level failure modes for the FMMD hierarchy bear this out.
%However, FMMD is a bottom -up analysis methodology and we can therefore still identify
%{\fgs} and apply analysis from a failure mode perspective.
%
If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with
($4 \times 4 + 10 \times 2 = 36$) failure modes.
Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13 \times 36 = 468$.
We now create FMMD models and compare the complexity of FMMD and FMEA.
We apply FMMD and start by determining {\fgs}.
We initially identify three types of functional group: an inverting amplifier (analysed in section~\ref{fig:invamp}),
a 45 degree phase shifter (a {$10k\Omega$} resistor and a $10nF$ capacitor) and a non-inverting buffer
amplifier. We can name these $INVAMP$, $PHS45$ and $NIBUFF$ respectively.
We can use these {\fgs} to describe the circuit in block diagram form with arrows indicating the signal path, in figure~\ref{fig:bubbablock}.
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/bubba_oscillator_block_diagram.png}
% bubba_oscillator_block_diagram.png: 720x295 pixel, 72dpi, 25.40x10.41 cm, bb=0 0 720 295
\caption{Circuit 3: Functional Group Block Diagram.}
\label{fig:bubbablock}
\end{figure}
We can now analyse each of these {\fgs} and create failure mode models for them, and from these
determine {\dcs}.
\subsection{Inverting Amplifier: INVAMP}
This has been analysed in section~\ref{sec:invamp}.
The inverting amplifier, as a {\dc}, has the following failure modes:
$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} $$
and has a CC of 10.
\subsection{Phase shifter: PHS45}
This consists of a resistor and a capacitor. We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ --
we now need to see how these failure modes would affect the phase shifter. Note that the circuit here
is identical to the low pass filter in circuit topology (see \ref{sec:lp}), but its intended use is different.
We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}.
\begin{table}[h]
\caption{PhaseShift: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:phaseshift}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Phase} & & \textbf{Symptom} \\
& & \textbf{Shifter} & & \\
\hline
FS1: R SHORT & & 90 degrees of phase shift & & $90\_phaseshift$ \\ \hline
FS2: R OPEN & & No Signal & & $nosignal$ \\ \hline
FS3: C SHORT & & Grounded, No Signal & & $nosignal$ \\ \hline
FS4: C OPEN & & 0 degrees of phase shift & & $0\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
% PHS45
$$ fm (PHS45) = \{ 90\_phaseshift, nosignal, 0\_phaseshift \} $$
$$ CC(PHS45) = 4 \times 1 = 4 $$
\subsection{Non Inverting Buffer: NIBUFF.}
The non-inverting buffer functional group comprises one component, an op-amp.
We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group.
% GARK
$$ fm(NIBUFF) = fm(OPAMP) = \{ L_{up}, L_{dn}, N_{oop}, L_{slew} \} $$
Because we obtain the failure modes for $NIBUFF$ from the literature
its comparison complexity is zero.
$$ CC(NIBUFF) = 0 $$
%\subsection{Forming a functional group from the PHS45 and NIBUFF.}
% describe what we are doing, a buffered 45 degree phase shift element
\subsection{Bringing the functional Groups Together: FMMD model of the `Bubba' Oscillator.}
We could at this point bring all the {\dcs} together into one large functional
group (see figure~\ref{fig:poss1finalbubba})
or we could try to merge smaller stages.
Initially we use the first identified {\fgs} to create our model without further stages of refinement/hierarchy.
\subsection{FMMD Analysis using initially identified functional groups}
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png}
% largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
\caption{Bubba Oscillator: One final large functional group.}
\label{fig:poss1finalbubba}
\end{figure}
\begin{table}[h]
\caption{Bubba Oscillator: Failure Mode Effects Analysis: One Large Functional Group} % title of Table
\label{tbl:bubbalargefg}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{Bubba} & & \textbf{Symptom} \\
& & \textbf{Oscillator} & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS4: $NIBUFF_1$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS5: $NIBUFF_1$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS6: $NIBUFF_1$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS7: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS8: $PHS45_2$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS9: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS10: $PHS45_2$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS11: $NIBUFF_2$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS12: $NIBUFF_2$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS13: $NIBUFF_2$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS14: $NIBUFF_2$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS15: $PHS45_3$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS16: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS17: $PHS45_3$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS18: $NIBUFF_3$ $L_{up}$ & & output high No Oscillation & & $NO_{osc}$ \\
FS19: $NIBUFF_3$ $L_{dn}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS20: $NIBUFF_3$ $N_{oop}$ & & output low No Oscillation & & $NO_{osc}$ \\
FS21: $NIBUFF_3$ $L_{slew}$ & & signal lost & & $NO_{osc}$ \\ \hline
FS22: $PHS45_4$ $0\_phaseshift$ & & osc frequency high & & $HI_{fosc}$ \\
FS23: $PHS45_4$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS24: $PHS45_4$ $90\_phaseshift$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
FS25: $INVAMP$ $OUTOFRANGE$ & & signal lost & & $NO_{osc}$ \\
FS26: $INVAMP$ $ZEROOUTPUT$ & & signal lost & & $NO_{osc}$ \\
FS27: $INVAMP$ $NOGAIN$ & & signal lost & & $NO_{osc}$ \\
FS28: $INVAMP$ $LOWPASS$ & & signal lost & & $NO_{osc}$ \\ \hline
% FS1: $CAP_{10nF}$ $OPEN$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
% FS1: $CAP_{10nF}$ $SHORT$ & & osc frequency low & & $LO_{fosc}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:bubbalargefg} we can show that for single failure modes, applying $fm$ to the bubba oscillator
returns three failure modes,
$$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}, LO_{fosc} \} . $$
For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}.
$$ CC = 28 \times 8 = 224$$
To obtain the total comparison complexity $TCC$, we need to add the complexity from the
{\dcs} that $BubbaOscillator$ was built from.
$$ TCC = 28 \times 8 + 4 \times 4 + 4 \times 0 + 10 = 250$$
%As we have re-used the analysis for BUFF45 we could even reasonably remove
%$3.4=12$ from this result, because the results from $BUFF45$ have been used four times.
Traditional FMEA would have led us to a much higher comparison complexity
of $468$ failure modes to check against components.
The analysis here appears top-heavy; we should be able to refine the model more
and break this down into smaller functional groups, by allowing more stages of hierarchy, and hopefully
this should lead to a further reduction in the complexity comparison figure.
\clearpage
\subsection{FMMD Analysis using more hierarchical stages}
The example above---from the initial {\fgs}---used one very large functional group to model the circuit.
This means a quite large comparison complexity for this final stage.
We should be able to determine smaller {\fgs} and refine the model further.
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss2finalbubba.png}
% largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
\caption{Bubba Oscillator: Smaller Functional Groups, One more FMMD hierarchy stage.}
\label{fig:poss2finalbubba}
\end{figure}
%
We take the $NIBUFF$ and $PHS45$
{\dcs} into a {\fg} giving the {\dc} $BUFF45$.
$BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
With three of these we form a $PHS135BUFFERED$
functional group.
$PHS135BUFFERED$ is a {\dc} representing an actively buffered $135^{\circ}$ phase shifter.
A $PHS45$ {\dc} and an inverting amplifier\footnote{Inverting amplifiers always apply a $180^{\circ}$ phase shift.} form a {\fg}
providing an amplified $225^{\circ}$ phase shift, which we can call $PHS225AMP$.
%---with the remaining $PHS45$ and the $INVAMP$ (re-used from section~\ref{sec:invamp})in a second group $PHS225AMP$---
Finally we can merge $PHS135BUFFERED$ and $PHS225AMP$ in a final stage (see figure~\ref{fig:poss2finalbubba}).
%We can take a more modular approach by creating two intermediate functional groups, a buffered $45^{\circ}$ phase shifter (BUFF45)
%we can combine three $BUFF45$'s to make
%a $135^{\circ}$ buffer phase shifter (PHS135BUFFERED).
%We can combine a $PHS45$ and a $NIBUFF$ to create
%and an amplifying $225^{\circ}$ phase shifter (PHS225AMP).
% By combining PHS225AMP and PHS135BUFFERED we can create a more modularised hierarchical
% model of the bubba oscillator.
% The proposed hierarchy is shown in figure~\ref{fig:poss2finalbubba}.
\begin{table}[h]
\caption{BUFF45: Failure Mode Effects Analysis} % title of Table
\label{tbl:buff45}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{BUFF45} & & \textbf{Symptom} \\
& & & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $0\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $90\_phaseshift$ \\ \hline
FS4: $NIBUFF_1$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS5: $NIBUFF_1$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS6: $NIBUFF_1$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS7: $NIBUFF_1$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:buff45}, we can create a derived component $BUFF45$ which has the following failure modes:
$$
fm (BUFF45) = \{ 90\_phaseshift, 0\_phaseshift, NO\_signal \}.
$$
$$ CC(BUFF45) = 7 \times 1 = 7 $$
We can now combine three $BUFF45$ {\dcs} and create a $PHS135BUFFERED$ {\dc}.
\begin{table}[h]
\caption{PHS135BUFFERED: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs135buffered}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{PHS135 Buffered} & & \textbf{Symptom} \\
& & & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS4: $PHS45_2$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS5: $PHS45_2$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS6: $PHS45_2$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS7: $PHS45_3$ $0\_phaseshift$ & & phase shift low & & $90\_phaseshift$ \\
FS8: $PHS45_3$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS9: $PHS45_3$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:phs135buffered}, we can create a derived component $PHS135BUFFERED$ which has the following failure modes:
$$
fm (PHS135BUFFERED) = \{ 90\_phaseshift, 180\_phaseshift, NO\_signal \}.
$$
$$ CC (PHS135BUFFERED) = 3 \times 2 = 6 $$
The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift).
\begin{table}[h]
\caption{PHS225AMP: Failure Mode Effects Analysis} % title of Table
\label{tbl:phs225amp}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{PHS225AMP} & & \textbf{Symptom} \\
& & \textbf{Oscillator} & & \\
\hline
FS1: $PHS45_1$ $0\_phaseshift$ & & phase shift low & & $270\_phaseshift$ \\
FS2: $PHS45_1$ $no\_signal$ & & signal lost & & $NO_{signal}$ \\
FS3: $PHS45_1$ $90\_phaseshift$ & & phase shift high & & $180\_phaseshift$ \\ \hline
FS4: $INVAMP$ $L_{up}$ & & output high & & $NO_{signal}$ \\
FS5: $INVAMP$ $L_{dn}$ & & output low & & $NO_{signal}$ \\
FS6: $INVAMP$ $N_{oop}$ & & output low & & $NO_{signal}$ \\
FS7: $INVAMP$ $L_{slew}$ & & signal lost & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:phs225amp}, we can create a derived component $PHS225AMP$ which has the following failure modes:
$$
fm (PHS225AMP) = \{ 270\_phaseshift, 180\_phaseshift, NO\_signal \}.
$$
$$ CC(PHS225AMP) = 7 \times 1 = 7 $$
To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together
and perform FMEA with these.
\begin{table}[h]
\caption{BUBBAOSC: Failure Mode Effects Analysis} % title of Table
\label{tbl:bubba2}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Scenario} & & \textbf{BUBBAOSC} & & \textbf{Symptom} \\
& & & & \\
\hline
FS1: $PHS135BUFFERED$ $180\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS2: $PHS135BUFFERED$ $no\_signal$ & & signal lost & & $NO_{osc}$ \\
FS3: $PHS135BUFFERED$ $90\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\ \hline
FS4: $PHS225AMP$ $270\_phaseshift$ & & phase shift high & & $LO_{fosc}$ \\
FS5: $PHS225AMP$ $180\_phaseshift$ & & phase shift low & & $HI_{osc}$ \\
FS6: $PHS225AMP$ $NO\_signal$ & & lost signal & & $NO_{signal}$ \\ \hline
\hline
\end{tabular}
\end{table}
Collecting symptoms from table~\ref{tbl:bubba2}, we can create a derived component $BUBBAOSC$ which has the following failure modes:
$$
fm (BUBBAOSC) = \{ LO_{fosc}, HI_{osc}, NO\_signal \}.
$$
%We could trace the DAGs here and ensure that both analysis strategies worked ok.....
$$ CC(BUBBAOSC) = 6 \times (2-1) = 6 $$
We can now add the comparison complexities for all levels of the analysis represented in figure~\ref{fig:poss2finalbubba}.
We have at the lowest level two $PHS45$ {\dcs} giving a CC of 8 and $INVAMP$ with a CC of 10, at the next level four $BUFF45$ {\dcs} giving $(4-1) \times 7=21$,
and penultimately $PHS135BUFFERED$ with 6 and $PHS225AMP$ with 7. The final top stage of the hierarchy, $BUBBAOSC$, has a CC of 6.
Our total comparison complexity is $58$; this contrasts with $468$ for traditional `flat' FMEA,
and $250$ for our first stage functional groups analysis.
This has meant a drastic reduction in the number of failure-modes to check against components.
It has also given us five {\dcs}, building blocks, which may be re-used for similar circuitry
to analyse in the future.
\subsection{Comparing both approaches}
In general with large functional groups the comparison complexity
is higher, by an order of $O(N^2)$.
Smaller functional groups mean fewer by-hand checks are required.
It also means a more finely grained model. This means that
there are more {\dcs} and this increases the possibility of re-use.
The more we can modularise, the more we decimate the $O(N^2)$ effect
of complexity comparison.