robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9818d393ec
Robin_PHD/submission_thesis/CH5_Examples/copy.tex
Robin Clark 9818d393ec Sigma delta CC figures written into table
2013-02-03 09:33:43 +00:00

2615 lines
107 KiB
TeX
Raw Blame History

%\clearpage %\pagenumbering{arabic}
%
% %% NEED TWO MORE EXAMPLES --- 02JUN2012
%
% * ENVIRONMENTAL CASE (perhaps temp on an opto-coupler
%
% * OPERATIONAL STATE (perhaps a self test on an ADC where it is set to output and driven high and low and read)
% to do: 23SEP2012
%
% 90_degrees is an incorrect failure mode in bubba and must be purged
%
% summing junction in sigma delta is not a valid fg, prob have to include
% the op-amp....
%
% very annoying to have to pull out the comparison complexity.
% makes the comparisons between approaches have less meaning.
% have to discuss this.
\label{sec:chap5}
This chapter demonstrates FMMD applied to
a variety of typical embedded system components including analogue/digital and electronics/software hybrids.
%In order to implement FMMD in practise, we review the basic concepts and processes of the methodology.%
%Each example has been chosen to demonstrate
%FMMD applied to
%They go in salads too
% % The first section
% % ~\ref{sec:determine_fms} looks at how we determine failure mode sets for {\bcs}
% % (in the context of the safety standards
% % we are using for our particular project).
%
%This is followed by several example FMMD analyses,
\begin{itemize}
\item The first example applies FMMD to an operational amplifier inverting amplifier (see section~\ref{sec:invamp});
%using an op-amp and two resistors;
this demonstrates re-use of a potential divider {\dc} from section~\ref{subsec:potdiv}.
This amplifier is analysed twice, using different compositions of {\fgs}.
The two approaches, i.e. choice of membership for {\fgs}, are then discussed.
%
\item Section~\ref{sec:diffamp} analyses a circuit where two op-amps are used
to create a differencing amplifier.
Building on the two approaches from section~\ref{sec:invamp}, re-use of the non-inverting amplifier {\dc} from section~\ref{sec:invamp}
is examined,
where re-use is appropriate in the first stage and
not in the second.
%
\item Section~\ref{sec:fivepolelp} analyses a Sallen-Key based five pole low pass filter.
It demonstrates re-use of the first Sallen-Key analysis, %encountered as a {\dc}
increasing test efficiency. This example also serves to show a deep hierarchy of {\dcs}.
%
\item Section~\ref{sec:bubba} shows FMMD applied to a
loop topology---using a `Bubba' oscillator---demonstrating how FMMD differs from fault diagnosis techniques.
%which uses
%four op-amp stages with supporting components.
Two analysis strategies are employed, one using
initially identified {\fgs} and the second using a more complex hierarchy of %{\fgs} and
{\dcs} showing
that a finer grained/more de-composed approach offers more re-use possibilities in future analysis tasks.
%
\item Section~\ref{sec:sigmadelta} demonstrates FMMD can be applied to mixed analogue and digital circuitry
by applying FMMD to a sigma delta ADC.
%shows FMMD analysing the sigma delta
%analogue to digital converter---again with a circular signal path---which operates on both
%analogue and digital signals.
\item Section~\ref{sec:Pt100} demonstrates FMMD being applied to commonly used Pt100
safety critical temperature sensor circuit, this is analysed for single and double failure modes.
\end{itemize}
%~\ref{sec:chap4}
%can be re-used. %, but with provisos.
%
%The first
%(see section~\ref{sec:diffamp})
%
%
%
%
% Moving Pt100 to metrics
%
%Sections~\ref{sec:Pt100}~and~\ref{sec:Pt100d} demonstrate both statistical
%failure mode classification % analysis for top level events traced back to {\bc} failure modes
%and the analysis of double simultaneous failure modes.
%
% Now in CHAPTER 6: Finally section~\ref{sec:elecsw} demonstrates FMMD analysis of a combined electronic and software system.
% \section{Basic Concepts Of FMMD}
%
% The %idea
% driving concept behind FMMD is to modularise, from the bottom-up, failure mode effects analysis.
% Traditional FMEA takes part failure modes and then determines what effect each of these
% failure modes could have on the system under investigation.
%
% Traditional FMEA, by looking at {\bc}--- or `part'---level failure modes,
% involves what we could term a large `reasoning~distance'; that is to say
% in a complex system, taking a particular failure mode, of a particular {\bc}
% and then trying to predict the outcome in the context of an entire system, is
% a leap~of~faith.
% %
% There will be numerous possibilities of effects and side effects on
% other components in the system; more than is practically possible to rigorously examine.
% To simply trace a simple route from a particular {\bc} failure mode to a top level system error/symptom
% oversimplifies the task of failure mode analysis, and makes the process arbitrary and error prone.
%
% Fortunately most real-world designs take a modular approach. In Electronics
% for instance, commonly used configurations of parts are used to create
% amplifiers, filters, potential dividers etc.
% %It is therefore natural to collect parts to form functional groups.
% It is common design practise in electronics, to use collections of parts in specific configurations
% to form well-defined and well-known building blocks.
% These commonly used configurations of parts, or {\fgs}, will
% also have a specific failure mode behaviour.
% We can take a {\fg}, analyse it using FMEA and determine its {\em symptoms} of failure.
%
% When we have done this we can treat this {\fg} as a component in its own right.
% %
% If we term {\bcs} as the components we start analysis with and components we have determined
% from functional groups as derived components, we can modularise the FMEA process.
% %
% If we start building {\fgs} from derived components we can start to build a modular
% hierarchical failure mode model. Modularising FMEA should give benefits of reducing reasoning distance,
% allowing re-use of modules and reducing the number of by-hand analysis checks to consider.
%
% As all forms of FMEA are bottom-up processes---we start with {\bcs}---the lowest or most basic components/parts.
% %and with their failure modes.
% % It is worth defining clearly the term part here.
% % Geoffry Hall writing in Space Craft Systems Engineering~\cite{scse}[p.619], defines it thus:
% % ``{Part(definition)}---The Lowest level of assembly, beyond which further disassembly irrevocably destroys the item''.
% % In the field of electronics a resistor, capacitor and op-amp would fit this definition of a `part'.
% % Failure modes for part types can be found in the literature~\cite{fmd91}\cite{mil1991}.
% %
% %
% %
% % \paragraph {Definitions: for practical FMMD analysis}
% %
% % \begin{itemize}
% % \item {\bc} - is taken to mean a `part' as defined above~\cite{scse}[p.619]. We should be able to define a set of failure modes for every {\bc}.
% % \item {\fm} - failure mode - the ways in which a component can fail
% % \item {\fg} - a collection of components chosen to perform a particular task
% % \item {\em symptom} - a failure mode of a functional group caused by one or more of its component failure modes.
% % \item {\dc} - a new component derived from an analysed {\fg}
% % \end{itemize}
%
%%%% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
%
% This section might fit in with the literature review.... Chris thinks its not relevant here
% and I agree 20OCT2012
%
%%%% XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
% % \section{ FMMD overview}
% %
% % In the next sections we apply FMMD to electronic circuits, analogue/digital and electronic/software hybrids.
% % The basic principles of FMMD are presented here for clarity.
% %
% % \paragraph{ Creating a fault hierarchy.}
% % The main concept of FMMD is to build a hierarchy of failure behaviour from the {\bc}
% % level up to the top, or system level, with analysis stages between each
% % transition to a higher level in the hierarchy.
% %
% %
% % The first stage is to choose
% % {\bcs} that interact and naturally form {\fgs}. The initial {\fgs} are collections of base components.
% % %These parts all have associated fault modes. A module is a set fault~modes.
% % From the point of view of failure analysis,
% % we are not interested in the components themselves, but in the ways in which they can fail.
% %
% % A {\fg} is a collection of components that perform some simple task or function.
% % %
% % In order to determine how a {\fg} can fail,
% % we need to consider all the failure modes of all its components.
% % %
% % By analysing the fault behaviour of a `{\fg}' with respect to all its components failure modes,
% % we can determine its symptoms of failure.
% % %In fact we can call these
% % %the symptoms of failure for the {\fg}.
% %
% % With these symptoms (a set of derived faults from the perspective of the {\fg})
% % we can now state that the {\fg} (as an entity in its own right) can fail in a number of well defined ways.
% % %
% % In other words, we have taken a {\fg} and analysed how
% % \textbf{it} can fail according to the failure modes of its components, and then can
% % determine the {\fg} failure modes.
% %
% % \paragraph{Creating a derived component.}
% % We create a new `{\dc}' which has
% % the failure symptoms of the {\fg} from which it was derived, as its set of failure modes.
% % This new {\dc} is at a higher `failure~mode~abstraction~level' than {\bcs}.
% % %
% % \paragraph{An example of a {\dc}.}
% % To give an example of this, we could look at the components that
% % form, say an amplifier. We look at how all the components within it
% % could fail and how that would affect the amplifier.
% % %
% % The ways in which the amplifier can be affected are its symptoms.
% % %
% % When we have determined the symptoms, we can
% % create a {\dc} (called say AMP1) which has a {\em known set of failure modes} (i.e. its symptoms).
% % We can now treat $AMP1$ as a pre-analysed, higher level component.
% % %The amplifier is an abstract concept, in terms of the components.
% % To a make an `amplifier' we have to connect a group of components
% % in a specific configuration. This specific configuration corresponds to
% % a {\fg}. Our use of it as a subsequent building block corresponds to a {\dc}.
% %
% %
% % %What this means is the `fault~symptoms' of the module have been derived.
% % %
% % %When we have determined the fault~modes at the module level these can become a set of derived faults.
% % %By taking sets of derived faults (module level faults) we can combine these to form modules
% % %at a higher level of fault abstraction. An entire hierarchy of fault modes can now be built in this way,
% % %to represent the fault behaviour of the entire system. This can be seen as using the modules we have analysed
% % %as parts, parts which may now be combined to create new functional groups,
% % %but as parts at a higher level of fault abstraction.
% % \paragraph{Building the Hierarchy.}
% % We can now apply the same process of building {\fgs} but with {\dcs} instead of {\bcs}.
% % We can bring {\dcs}
% % together to form functional groups and then create new {\dcs}
% % at even higher abstraction levels. Eventually we will have a hierarchy
% % that converges to one top level {\dc}. At this stage we have a complete failure
% % mode model of the system under investigation.
% %
% % \begin{figure}[h]
% % \centering
% % \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/tree_abstraction_levels.png}
% % % tree_abstraction_levels.png: 495x292 pixel, 72dpi, 17.46x10.30 cm, bb=0 0 495 292
% % \caption{FMMD Hierarchy showing ascending abstraction levels}
% % \label{fig:treeabslev}
% % \end{figure}
% %
% % Figure~\ref{fig:treeabslev} shows an FMMD hierarchy, where the process of creating a {\dc} from a {\fg}
% % is shown as a `$\derivec$' symbol.
% %
% %
% %
% %
\clearpage
\section{Example Analysis: Inverting OPAMP}
\label{sec:invamp}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/invamp.png}
% invamp.png: 378x207 pixel, 72dpi, 13.34x7.30 cm, bb=0 0 378 207
\caption{Inverting Amplifier Configuration}
\label{fig:invamp}
\end{figure}
%This configuration is interesting from methodology pers.
There are two obvious ways in which we can model this circuit:
One is to do this in two stages, by considering the gain resistors to be a potential divider
and then combining it with the OPAMP failure mode model.
The second is to place all three components in one {\fg}.
Both approaches are followed in the next two sub-sections.
\subsection{First Approach: Inverting OPAMP using a Potential Divider {\dc}}
Ideally we would like to re-use {\dcs} from the $PD$ from section~\ref{subsec:potdiv}, which on initial inspection, %at first glance,
looks a good candidate for this.
%
However,
we cannot directly re-use $PD$ , and not just because
the potential divider is floating i.e. that the polarity of
the R2 side of the potential divider is determined by the output from the op-amp.
%
The circuit schematic stipulates that the input is positive.
What we have then, in normal operation, is an inverted potential divider.
%, but in addition, it facilitates the
%output feedback forming a current balance with the input signal. %---that potential divider would only be valid if the input signal were negative.
%We want if possible to have detectable errors.
%HIGH and LOW failures are more observable than the more generic failure modes such as `OUTOFRANGE'.
%If we can refine the operational states of the functional group, we can obtain clearer
%symptoms.
%Were the input to be guaranteed % the input will only be
We can therefore view it as an inverted potential divider
and analyse it as such; see table~\ref{tbl:pdneg}.
%
We assume a valid range for the output value of this circuit.
Thus negative or low voltages can be considered as LOW
and voltages higher than this range considered as HIGH.
\begin{table}[h+]
\caption{Inverted Potential divider: Single failure analysis}
\begin{tabular}{|| l | l | c | c | l ||} \hline
\textbf{Failure Cause} & & \textbf{Inverted Pot Div Effect} & & \textbf{Symptom} \\
\hline
FC1: R1 SHORT & & $HIGH$ & & $PDHigh$ \\ \hline
FC2: R1 OPEN & & $LOW$ & & $PDLow$ \\ \hline
FC3: R2 SHORT & & $LOW$ & & $PDLow$ \\ \hline
FC4: R2 OPEN & & $HIGH$ & & $PDHigh$ \\ \hline
\hline
\end{tabular}
\label{tbl:pdneg}
\end{table}
\begin{figure}[h]
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
\node[component] (R1) at (0,-0.7) {$R_1$};
\node[component] (R2) at (0,-1.9) {$R_2$};
\node[failure] (R1SHORT) at (\layersep,-0) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-1.1) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-2.4) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-3.7) {$R2_{Op}$};
\path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN);
\path (R2) edge (R2SHORT);
\path (R2) edge (R2OPEN);
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-0.7) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-2.2) {$PD_{LOW}$};
\path (R1OPEN) edge (PDLOW);
\path (R2SHORT) edge (PDLOW);
\path (R2OPEN) edge (PDHIGH);
\path (R1SHORT) edge (PDHIGH);
\end{tikzpicture}
\caption{Failure symptoms of the `Inverted Potential Divider' $INVPD$}
\label{fig:pdneg}
\end{figure}
We can form a {\dc} from the analysis results in table~\ref{tbl:pdneg} %this,
and call it an inverted potential divider $INVPD$.
We can now progress to the final stage of analysis for this amplifier,
by forming a {\fg} with the OpAmp and our new {\dc} $INVPD$.
\begin{table}[h+]
\caption{Inverting Amplifier: Single failure analysis using the $PD$ {\dc}}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\textbf{Failure} & & \textbf{Inverted Amp. Effect} & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
\hline
FC1: INVPD LOW & & NEGATIVE on -input & & $ HIGH $ \\
FC2: INVPD HIGH & & Positive on -input & & $ LOW $ \\ \hline
FC5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\
FC6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\
FC7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\
FC8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
\hline
\end{tabular}
\label{tbl:invamppd}
\end{table}
%%This gives the same results as the analysis from figure~\ref{fig:invampanalysis}.
\begin{figure}[h+]
\centering
\begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
\tikzstyle{every pin edge}=[<-,shorten <=1pt]
\tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
\tikzstyle{component}=[fmmde, fill=green!50];
\tikzstyle{failure}=[fmmde, fill=red!50];
\tikzstyle{symptom}=[fmmde, fill=blue!50];
\tikzstyle{annot} = [text width=4em, text centered]
% Draw the input layer nodes
%\foreach \name / \y in {1,...,4}
% This is the same as writing \foreach \name / \y in {1/1,2/2,3/3,4/4}
% \node[component, pin=left:Input \#\y] (I-\name) at (0,-\y) {};
\node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
\node[component] (R1) at (0,-6) {$R_1$};
\node[component] (R2) at (0,-7.6) {$R_2$};
%\node[component] (C-3) at (0,-5) {$C^0_3$};
%\node[component] (K-4) at (0,-8) {$K^0_4$};
%\node[component] (C-5) at (0,-10) {$C^0_5$};
%\node[component] (C-6) at (0,-12) {$C^0_6$};
%\node[component] (K-7) at (0,-15) {$K^0_7$};
% Draw the hidden layer nodes
%\foreach \name / \y in {1,...,5}
% \path[yshift=0.5cm]
\node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
\node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
\node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
\node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
\node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
\node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
\node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
\node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
% Draw the output layer node
% % Connect every node in the input layer with every node in the
% % hidden layer.
% %\foreach \source in {1,...,4}
% % \foreach \dest in {1,...,5}
\path (OPAMP) edge (OPAMPLU);
\path (OPAMP) edge (OPAMPLD);
\path (OPAMP) edge (OPAMPNP);
\path (OPAMP) edge (OPAMPLS);
\path (R1) edge (R1SHORT);
\path (R1) edge (R1OPEN);
\path (R2) edge (R2SHORT);
\path (R2) edge (R2OPEN);
% Potential divider failure modes
%
\node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
\node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
\path (R1OPEN) edge (PDLOW);
\path (R2SHORT) edge (PDLOW);
\path (R2OPEN) edge (PDHIGH);
\path (R1SHORT) edge (PDHIGH);
\node[symptom] (AMPHIGH) at (\layersep*3.4,-3) {$AMP_{HIGH}$};
\node[symptom] (AMPLOW) at (\layersep*3.4,-5) {$AMP_{LOW}$};
\node[symptom] (AMPLP) at (\layersep*3.4,-7) {$LOWPASS$};
\path (PDLOW) edge (AMPHIGH);
\path (OPAMPLU) edge (AMPHIGH);
\path (PDHIGH) edge (AMPLOW);
\path (OPAMPNP) edge (AMPLOW);
\path (OPAMPLD) edge (AMPLOW);
\path (OPAMPLS) edge (AMPLP);
\end{tikzpicture}
% End of code
\caption{Full DAG representing failure modes and symptoms of the Inverting Op-amp Circuit}
\label{fig:invdag1}
\end{figure}
%The differences are the root causes or component failure modes that
%lead to the symptoms (i.e. the symptoms are the same but causation tree will be different).
We can now express the failure modes for the {\dc} $INVAMP$ thus;
%% $$ fm(INVAMP) = \{ {lowpass}, {high}, {low} \}.$$
$$ fm(INVAMP) = \{ HIGH, LOW, LOW PASS \} .$$
We can draw a DAG representing the failure mode behaviour of
this amplifier (see figure~\ref{fig:invdag1}). Note that this allows us
to traverse from system level, or top failure modes to base component failure modes.
%%%%% 12DEC 2012 UP to here in notes from AF email.
\clearpage
\subsection{Second Approach: Inverting OpAmp analysing with three components in one larger {\fg}}
\label{subsec:invamp2}
Here we analyse the same problem without using an intermediate $PD$
derived component. We would have to do this
if the input voltage was not constrained to being positive.
This concern is re-visited in the differencing amplifier example in the next section.
%We can view the failure mode mode produced with FMMD as a DAG
%in figure~\ref{fig:
%We can use this for a more general case, because we can examine the
%effects on the circuit for each operational case (i.e. input +ve
%or input -ve), see table~\ref{tbl:invamp}.
%Because symptom collection is defined as surjective (from component failure modes
%to symptoms) we cannot have a component failure mode that maps to two different symptoms (within a functional group).
%Note that here we have a more general symptom $ OUT OF RANGE $ which could mean either
%$HIGH$ or $LOW$ output.
% 08feb2012 bugger considering -ve input. It complicates things.
% maybe do an ac amplifier later at some stage.
\begin{table}[h+]
\caption{Inverting Amplifier: Single failure analysis: 3 components}
\begin{tabular}{|| l | l | c | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{Inverted Amp Effect} & & \textbf{Symptom} \\ \hline
\textbf{Failure} & & \textbf{Inverting Amp. Effect} & & \textbf{Derived Component} \\
\textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
\hline
FS1: R1 SHORT & & NEGATIVE out of range & & $ HIGH $ \\
% FS1: R1 SHORT -ve in & & POSITIVE out of range & & $ OUT OF RANGE $ \\ \hline
FS2: R1 OPEN & & zero output & & $ LOW $ \\ \hline
% FS2: R1 OPEN -ve in & & zero output & & $ ZERO OUTPUT $ \\ \hline
FS3: R2 SHORT & & $INVAMP_{nogain} $ & & $ LOW $ \\
% FS3: R2 SHORT -ve in & & $INVAMP_{nogain} $ & & $ NO GAIN $ \\ \hline
FS4: R2 OPEN & & NEGATIVE out of range $ $ & & $ LOW$ \\ \hline
% FS4: R2 OPEN -ve in & & POSITIVE out of range $ $ & & $OUT OF RANGE $ \\ \hline
FS5: AMP L\_DN & & $ INVAMP_{low} $ & & $ LOW $ \\
FS6: AMP L\_UP & & $INVAMP_{high} $ & & $ HIGH $ \\
FS7: AMP NOOP & & $INVAMP_{nogain} $ & & $ LOW $ \\
FS8: AMP LowSlew & & $ slow output \frac{\delta V}{\delta t} $ & & $ LOW PASS $ \\ \hline
\hline
\end{tabular}
\label{tbl:invamp}
\end{table}
%Much more general. OUT OF RANGE symptom maps to many component failure modes.
%Observability problem... system. In fact can we get a metric of how observable
%a system is using the ratio of component failure modes X op states to a symptom ????
%Could further refine this if MTTF stats available for each component failure.
\clearpage
\subsection{Comparison between the two approaches}
\label{sec:invampcc}
The first analysis used two FMMD stages.
The first stage analysed an inverted potential divider %, analyses its failure modes,
giving the {\dc} (INVPD).
The second stage analysed a {\fg} comprised of the INVPD and an OpAmp.
%
The second analysis (3 components) has to look at the effects of each failure mode of each resistor
on the op-amp circuit. This meant more work for the analyst---that is
an increase in the complexity of the analysis---compared to
checking the two known failure modes
from the pre-analysed inverted potential divider against the OpAmp.
%
Both analysis strategies obtained the same failure modes for the
inverting amplifier (i.e. the same failure modes for the {\dc} INVAMP).
\subsection{Conclusion}
All FMEA is performed in the context of the environment and functionality of the enitity
under analysis.
This example shows that for the condition where the input voltage
is constrained to being positive, we can apply two levels of de-composition.
For the unconstrained case, we have to consider all three components as one larger {\fg}.
% METRICS The complexity comparison figures
% METRICS bear this out. For the two stage analysis, using equation~\ref{eqn:rd2}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
% METRICS and for the second analysis a CC of $8.(3-2)=16$.
% CAN WE MODULARISE TOO FAR???? CAN W MAKE IT TOO FINELY GRAINED. 08FEB2012
%Again, for the two stage analysis, using equation~\ref{eqn:rd}, we obtain a CC of $4.(2-1)+6.(2-1)=10$
%and for the second analysis a CC of $8.(3-2)=16$.
%If the input voltage can be negative the potential divider
%becomes reversed in polarity.
%This means that detecting which failure mode has occurred from knowing the symptom, has become a more difficult task; or in other words
%the observability of the causes of failure are reduced. Instead of the more specific symptoms $HIGH$ or $LOW$ we
%obtain $OUT OF RANGE$ instead.
\clearpage
\section{Differencing Amplifier using two op-amps}
\label{sec:diffamp}
\begin{figure}[h]
\centering
\includegraphics[width=370pt]{CH5_Examples/circuit1001.png}
% circuit1001.png: 420x300 pixel, 72dpi, 14.82x10.58 cm, bb=0 0 420 300
\caption{Circuit 1}
\label{fig:circuit1}
\end{figure}
The circuit in figure~\ref{fig:circuit1} amplifies the difference between
the input voltages $+V1$ and $+V2$.
The circuit is configured so that both inputs use the non-inverting (high impedance inputs)
ensuring that they will not
electrically load the previous stage.
%over-load and/or unduly influence
%the sensors or circuitry supplying the voltage signals used for measurement.
Because this differencing amplifier presents high impedance to both inputs, and only uses two amplifiers,
this is a useful circuit wherever a high impedance differencing amplifier is required.
It is a configuration that will be used in many electronic circuits.
It would therefore, be desirable to represent this circuit as a {\dc} called say $DiffAMP$.
We begin by identifying {\fgs} from the components in the circuit.
% WE CAN RE_USE THE NONINVAMP FROM CHAPTER 4 HERE.......
% \subsection{Functional Group: Potential Divider}
% For the gain setting resistors R1,R2 -- we can re-use the potential divider from section~\ref{subsec:potdiv}.
%
% %R1 and R2 perform as a potential divider.
% %Resistors can fail OPEN and SHORT (according to GAS burner standard EN298 Appendix A).
% %$$ fm(R) = \{ OPEN, SHORT \}$$
%
%
%
% % \begin{table}[ht]
% % \caption{Potential Divider $PD$: Failure Mode Effects Analysis: Single Faults} % title of Table
% % \centering % used for centering table
% % \begin{tabular}{||l|c|c|l|l||}
% % \hline \hline
% % \textbf{Test} & \textbf{Pot.Div} & \textbf{ } & \textbf{General} \\
% % \textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% % % R & wire & res + & res - & description
% % \hline
% % \hline
% % TC1: $R_1$ SHORT & LOW & & LowPD \\
% % TC2: $R_1$ OPEN & HIGH & & HighPD \\ \hline
% % TC3: $R_2$ SHORT & HIGH & & HighPD \\
% % TC4: $R_2$ OPEN & LOW & & LowPD \\ \hline
% % \hline
% % \end{tabular}
% % \label{tbl:pdfmea}
% % \end{table}
% %
% % By collecting the symptoms in table~\ref{tbl:pdfmea} we can create a derived
% % component $PD$ to represent the failure mode behaviour
% % of a potential divider.
%
% Thus for single failure modes, a potential divider can fail
% with $fm(PD) = \{PDHigh,PDLow\}$.
%
%
% The potential divider is used to program the gain of IC1.
% IC1 and PD provide the function of buffering
% /amplifying the signal $+V1$.
% We can now examine IC1 and PD as a functional group.
%
% \pagebreak[3]
% \subsection{Functional Group: Amplifier first stage}
%
% Let use now consider the op-amp. According to
% FMD-91~\cite{fmd91}[3-116] an op-amp may have the following failure modes:
% latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%).
%
%
% $$ fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} $$
%
%
% By bringing the $PD$ derived component and the $OPAMP$ into
% a functional group we can analyse its failure mode behaviour.
%
%
% \begin{table}[ht]
% \caption{Non Inverting Amplifier $NI\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
% \centering % used for centering table
% \begin{tabular}{||l|c|c|l|l||}
% \hline \hline
% %\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
% %\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
% \textbf{Failure} & & \textbf{Amplifier Effect} & & \textbf{Derived Component} \\
% \textbf{cause} & & \textbf{ } & & \textbf{Failure Mode} \\
%
% % R & wire & res + & res - & description
% \hline
% \hline
% TC1: $OPAMP$ LatchUP & & Output High & & AMPHigh \\
% TC2: $OPAMP$ LatchDown & & Output Low : Low gain& & AMPLow \\ \hline
% TC3: $OPAMP$ No Operation & & Output Low & & AMPLow \\
% TC4: $OPAMP$ Low Slew & & Low pass filtering & & LowPass \\ \hline
% TC5: $PD$ LowPD & & Output High & & AMPHigh \\ \hline
% TC6: $PD$ HighPD & & Output Low : Low Gain& & AMPLow \\ \hline
% %TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
% \hline
% \end{tabular}
% \label{ampfmea}
% \end{table}
%
%
% Collecting the symptoms we can see that this amplifier fails
% in 3 ways $\{ AMPHigh, AMPLow, LowPass \}$.
% We can now create a derived component, $NI\_AMP$, to represent it.
% The FMMD reasoning process is represented in the DAG in figure~\ref{fig:noninvdag11}.
%
Looking first at the components in the signal path, we notice that we have a non-inverting
amplifier formed by R1,R2 and IC1. In fact, apart from being
inverted visually on the schematic, it is identical to the example
used in section~\ref{sec:noninvamp} (the first practical example used to demonstrate FMMD).
We thus re-use the {\dc} $NI\_AMP$ and can express the failure modes for it thus:
$$ fm(NI\_AMP) = \{ AMPHigh, AMPLow, LowPass \} .$$
%
%
% \begin{figure}[h+]
% \centering
% \begin{tikzpicture}[shorten >=1pt,->,draw=black!50, node distance=\layersep]
% \tikzstyle{every pin edge}=[<-,shorten <=1pt]
% \tikzstyle{fmmde}=[circle,fill=black!25,minimum size=30pt,inner sep=0pt]
% \tikzstyle{component}=[fmmde, fill=green!50];
% \tikzstyle{failure}=[fmmde, fill=red!50];
% \tikzstyle{symptom}=[fmmde, fill=blue!50];
% \tikzstyle{annot} = [text width=4em, text centered]
%
%
% \node[component] (OPAMP) at (0,-1.8) {$OPAMP$};
% \node[component] (R1) at (0,-6) {$R_1$};
% \node[component] (R2) at (0,-7.6) {$R_2$};
%
%
% \node[failure] (OPAMPLU) at (\layersep,-0) {l-up};
% \node[failure] (OPAMPLD) at (\layersep,-1.2) {l-dn};
% \node[failure] (OPAMPNP) at (\layersep,-2.5) {noop};
% \node[failure] (OPAMPLS) at (\layersep,-3.8) {lowslew};
%
% \node[failure] (R1SHORT) at (\layersep,-5.1) {$R1_{Sh}$};
% \node[failure] (R1OPEN) at (\layersep,-6.4) {$R1_{Op}$};
%
% \node[failure] (R2SHORT) at (\layersep,-7.7) {$R2_{Sh}$};
% \node[failure] (R2OPEN) at (\layersep,-9.0) {$R2_{Op}$};
%
% \path (OPAMP) edge (OPAMPLU);
% \path (OPAMP) edge (OPAMPLD);
% \path (OPAMP) edge (OPAMPNP);
% \path (OPAMP) edge (OPAMPLS);
%
% \path (R1) edge (R1SHORT);
% \path (R1) edge (R1OPEN);
%
% \path (R2) edge (R2SHORT);
% \path (R2) edge (R2OPEN);
%
%
% % Potential divider failure modes
% %
% \node[symptom] (PDHIGH) at (\layersep*2,-6) {$PD_{HIGH}$};
% \node[symptom] (PDLOW) at (\layersep*2,-7.6) {$PD_{LOW}$};
% \path (R1OPEN) edge (PDHIGH);
% \path (R2SHORT) edge (PDHIGH);
% \path (R2OPEN) edge (PDLOW);
% \path (R1SHORT) edge (PDLOW);
% \node[symptom] (AMPHIGH) at (\layersep*3.4,-3) {$AMP_{HIGH}$};
% \node[symptom] (AMPLOW) at (\layersep*3.4,-5) {$AMP_{LOW}$};
% \node[symptom] (AMPLP) at (\layersep*3.4,-7) {$LOWPASS$};
% \path (PDLOW) edge (AMPHIGH);
% \path (OPAMPLU) edge (AMPHIGH);
% \path (PDHIGH) edge (AMPLOW);
% \path (OPAMPNP) edge (AMPLOW);
% \path (OPAMPLD) edge (AMPLOW);
% \path (OPAMPLS) edge (AMPLP);
%
% \end{tikzpicture}
% % End of code
% \caption{Full DAG representing failure modes and symptoms of the Non Inverting Op-amp Circuit}
% \label{fig:noninvdag11}
% \end{figure}
\subsection{The second Stage of the amplifier}
The second stage of this amplifier, following the signal path, is the amplifier
consisting of $R3,R4$ and $IC2$.
%
This is in exactly the same configuration as the first amplifier, but it is being fed by the first amplifier.
The first amplifier was grounded and received as input `+V1' (presumably
a positive voltage).
This means the junction of R2 R3 is always +ve.
This means the input voltage `+V2' could be lower than this.
This means R3 R4 is not a fixed potential divider, with R4 being on the positive side.
It could be on either polarity (i.e. the other way around R4 could be the negative side).
Here it is more intuitive to model the resistors not as a potential divider, but individually.
%This means we are either going to
%get a high or low reading if R3 or R4 fail.
\begin{table}[ht]
\caption{Second Amplifier $SEC\_AMP$: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Amplifier} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symtom Description} \\
\textbf{Failure} & \textbf{$SEC\_AMP$} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Amplifier Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & AMPHigh \\
TC2: $OPAMP$ LatchDown & Output Low : Low gain & AMPLow \\
TC3: $OPAMP$ No Operation & Output Low & AMPLow \\
TC4: $OPAMP$ Low Slew & Low pass filtering & LowPass \\ \hline
TC5: $R3\_open$ & +V2 follower & AMPIncorrectOutput\\
TC6: $R3\_short$ & Undefined & AMPIncorrectOutput \\
& (impedance of IC1 vs +V2) & \\ \hline
TC5: $R4\_open$ & High or Low output & AMPIncorrectOutput \\
& +V2$>$+V1 $\mapsto$ High & \\
& +V1$>$+V2 $\mapsto$ Low & \\
TC6: $R4\_short$ & +V2 follower & AMPIncorrectOutput \\ \hline
%TC7: $R_2$ OPEN & LOW & & LowPD \\ \hline
\hline
\end{tabular}
\label{ampfmea}
\end{table}
Collecting the symptoms we can see that this amplifier fails
in four ways. %$\{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput\}$.
%We can now
We create a derived component, $SEC\_AMP$, to represent it
with failure modes described by:
$$ fm(SEC\_AMP) = \{ AMPHigh, AMPLow, LowPass, AMPIncorrectOutput \} .$$
%Its failure modes are therefore the same. We can therefore re-use
%the derived component for $NI\_AMP$
\pagebreak[4]
\subsection{Final stage of the $DiffAmp$ Analysis}
For the final stage we create a functional group consisting of
two derived components of the type $NI\_AMP$ and $SEC\_AMP$.
We apply FMMD analysis to this {\fg} in table~\ref{tbl:diffampfinal}.
%
\begin{table}[h+]
\label{tbl:diffampfinal}
\caption{Difference Amplifier $DiffAMP$ : Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
%\textbf{Test} & \textbf{Dual Amplifier} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{$DiffAMP$} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $NI\_AMP$ AMPHigh & IC2 output driven high & DiffAMPLow \\
TC2: $NI\_AMP$ AMPLow & IC2 output driven low & DiffAMPHigh \\
% Two test cases above, yes the voltage from the second op-amp will influence
% this, BUT we are considering single failure at the moment... 17NOV2012
TC3: $NI\_AMP$ LowPass & IC2 output with lag & DiffAMP\_LP \\ \hline
TC4: $SEC\_AMP$ AMPHigh & Diff amplifier high & DiffAMPHigh\\
TC5: $SEC\_AMP$ AMPLow & Diff amplifier low & DiffAMPLow \\
TC6: $SEC\_AMP$ LowPass & Diff amplifier lag/lowpass & DiffAMP\_LP \\
TC7: $SEC\_AMP$ IncorrectOutput & Output voltage is not & DiffAMPIncorrect \\
& proportional to $(V2 - V1)$ & \\ \hline
\hline
\end{tabular}
\label{tbl:ampfmea}
\end{table}
%
Collecting common symptoms of failure we determine the failure modes for this circuit.
%$\{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect \}$.
We create a derived component to represent the failure mode behaviour of the differencing amplifier circuit (see figure~\ref{fig:circuit1}).
$$ fm (DiffAMP) = \{DiffAMPLow, DiffAMPHigh, DiffAMP\_LP, DiffAMPIncorrect\} $$
We can represent the failure analysis performed as a directed graph (see figure~\ref{fig:circuit1_dag}).
%of the failure modes and derived components.
%
Using this we can trace any top level fault back to
a component failure mode that could have caused it\footnote{ In fact we can
re-construct an FTA diagram from the information in this graph.
We merely have to choose a top level event and work down using $XOR$ gates.}.
%
This circuit performs poorly from a safety point of view.
Its failure modes could be indistinguishable from valid readings (especially
when it becomes a V2 follower).
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{CH5_Examples/circuit1_dag.png}
% circuit1_dag.png: 797x1145 pixel, 72dpi, 28.12x40.39 cm, bb=0 0 797 1145
\caption{Directed Acyclic Graph of the two op-amp differencing amplifier failure modes}
\label{fig:circuit1_dag}
\end{figure}
The {\fm} $DiffAMPIncorrect$ may seem like a vague {\fm}---however, this {\fm} is impossible to detect in this circuit---
in fault finding terminology~\cite{garrett}~\cite{maikowski} this {\fm} is said to be unobservable, and in EN61508~\cite{en61508}
terminology is an `undetectable~fault'.
%
Were this failure to have safety implications, this FMMD analysis will have revealed
this un-observability condition; this would likely prompt re-design of this
circuit. A typical way to solve an un-observability such as this is
to periodically switch in test signals in place of the input signal.
%\footnote{A typical way to solve an un-observability such as this is
%to periodically switch in test signals in place of the input signal.}.
\subsection{Conclusion}
This example shows a three stages hierarchy, and a graph tracing the base~component failure modes to the
top level event. It also re-visits the decisions about membership of {\fgs}, due to the context
of the circuit raised in section~\ref{subsec:invamp2}.
\clearpage
\section{Five Pole Low Pass Filter, using two Sallen~Key stages.}
\label{sec:fivepolelp}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002.png}
% circuit2002.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Five Pole Low Pass Filter, using two Sallen~Key stages and three op-amps.
An example of FMMD applied to a multi-stage but linear signal path topology. }
\label{fig:circuit2}
\end{figure}
The circuit in figure~\ref{fig:circuit2} shows a five pole low pass filter.
Starting at the input, we have a first order low pass filter buffered by an op-amp,
the output of this is passed to a Sallen~Key~\cite{aoe}[p.267]~\cite{electronicssysapproach}[p.288] second order low-pass filter.
The output of this is passed into another Sallen~Key filter. % -- which although it may have different values
%for its resistors/capacitors and thus have a different frequency response -- is identical from a failure mode perspective.
Thus we can analyse the first Sallen~Key low pass filter and re-use it
for the second stage
(avoiding repeat work that would have had to be performed using traditional FMEA).
\begin{figure}[h]
\centering
\includegraphics[width=400pt,keepaspectratio=true]{CH5_Examples/blockdiagramcircuit2.png}
% blockdiagramcircuit2.png: 689x83 pixel, 72dpi, 24.31x2.93 cm, bb=0 0 689 83
\caption{Signal Flow through the five pole low pass filter}
\label{fig:blockdiagramcircuit2}
\end{figure}
\paragraph{First Order Low Pass Filter.}
\label{sec:lp}
We begin with the first order low pass filter formed by $R10$ and $C10$.
%
This configuration (or {\fg}) is very commonly
used %in electronics
to remove unwanted high frequencies/noise
from a signal. %; here it is being used as a first stage of a more sophisticated low pass filter.
%
R10 and C10 act as a potential divider, with the crucial difference between a purely resistive potential divider being
that the impedance of the capacitor is lower for higher frequencies.
%
Thus higher frequencies are attenuated at the point that we
read its output signal.
%
However, from a failure mode perspective we can analyse it in a very similar way
to a potential divider (see section~\ref{subsec:potdiv}).
Capacitors generally fail OPEN but some types fail OPEN and SHORT.
We will consider the worst case two failure mode model for this analysis.
We analyse the first order low pass filter in table~\ref{tbl:firstorderlpass}.\\
\begin{table}[h+]
\caption{FirstOrderLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firstorderlpass}
\begin{tabular}{|| l | c | l ||} \hline
%\textbf{Failure Scenario} & & \textbf{First Order} & & \textbf{Symptom} \\
% & & \textbf{Low Pass Filter} & & \\
\textbf{Failure} & \textbf{First Order} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Low Pass Filter} & \textbf{Failure Mode} \\
\hline
FS1: R10 SHORT & $No Filtering$ & $LPallpass$ \\ \hline
FS2: R10 OPEN & $No Signal$ & $LPnosignal$ \\ \hline
FS3: C10 SHORT & $No Signal$ & $LPnosignal$ \\ \hline
FS4: C10 OPEN & $No Filtering$ & $LPallpass$ \\ \hline
\hline
\end{tabular}
\end{table}
We collect the symptoms $\{ LPnofilter,LPnosignal \}$ and create a derived component
called $FirstOrderLP$. Applying the $fm$ function yields $$ fm(FirstOrderLP) = \{ LPnofilter,LPnosignal \}.$$
\paragraph{Addition of Buffer Amplifier: First stage.}
The op-amp IC1 is being used simply as a buffer. By placing it between the next stages
on the signal path, we remove the possibility of unwanted signal feedback.
The buffer is one of the simplest op-amp configurations.
It has no other components, and so we can now form a {\fg}
from the $FirstOrderLP$ and the OpAmp component.
\begin{table}[ht]
\caption{First Stage LP1: Failure Mode Effects Analysis: Single Faults} % title of Table
\label{tbl:firststage}
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{First stage LP1} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & LP1High \\
TC2: $OPAMP$ LatchDown & Output Low & LP1Low \\
TC3: $OPAMP$ No Operation & Output Low & LP1Low \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & LP1filterincorrect \\ \hline
TC5: $LPallpass $ & No low pass filtering & LP1filterincorrect \\
TC6: $LPnosignal $ & No input signal & LP1nosignal \\ \hline
\hline
\hline
\end{tabular}
\end{table}
From the table~\ref{tbl:firststage} we can see three symptoms of failure of
the first stage of this circuit (i.e. R10,C10,IC1).
We can create a derived component for it, lets call it $LP1$.
$$ fm(LP1) = \{ LP1High, LP1Low, LP1filterincorrect, LP1nosignal \} $$
In terms of the circuit, we have modelled the functional groups $FirstOrderLP$, and
$LP1$. We can represent these on the circuit diagram by drawing contours around the components
on the schematic as in figure~\ref{fig:circuit2002_LP1}.
\begin{figure}[h]
\centering
\includegraphics[width=200pt,keepaspectratio=true]{CH5_Examples/circuit2002_LP1.png}
% circuit2002_LP1.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Circuit showing functional groups modelled so far.}
\label{fig:circuit2002_LP1}
\end{figure}
\paragraph{Second order Sallen Key Low Pass Filter.}
The next two filters in the signal path are R1,R2,C2,C1,IC2 and R3,R4,C4,C3,IC3.
From a failure mode perspective these are identical.
We can analyse the first one and then re-use these results for the second (see figure~\ref{fig:circuit2002_FIVEPOLE}).
\begin{table}[ht]
\caption{Sallen Key Low Pass Filter SKLP: Failure Mode Effects Analysis: Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{SKLP} & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $OPAMP$ LatchUP & Output High & SKLPHigh \\
TC2: $OPAMP$ LatchDown & Output Low & SKLPLow \\
TC3: $OPAMP$ No Operation & Output Low & SKLPLow \\
TC4: $OPAMP$ Low Slew & Unwanted Low pass filtering & SKLPfilterIncorrect \\ \hline
TC5: R1 OPEN & No input signal & SKLPfilterIncorrect \\
TC6: R1 SHORT & incorrect low pass filtering & SKLPfilterIncorrect \\ \hline
TC7: R2 OPEN & No input signal & SKLPnosignal \\
TC8: R2 SHORT & incorrect low pass filtering & SKLPfilterIncorrect \\ \hline
TC9: C1 OPEN & reduced/incorrect low pass filtering & SKLPfilterIncorrect\\
TC10: C1 SHORT & reduced/incorrect low pass filtering & SKLPfilterIncorrect \\ \hline
TC11: C2 OPEN & reduced/incorrect low pass filtering & SKLPfilterIncorrect \\
TC12: C2 SHORT & No input signal, low signal & SKLPnosignal \\ \hline
\hline
\end{tabular}
\label{tbl:sallenkeylp}
\end{table}
We now can create a derived component to represent the Sallen Key low pass filter, which we can call $SKLP$.
$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$
\paragraph{A failure mode model of Op-Amp Circuit 2.}
We now have {\dcs} representing the three stages of this filter
and this follows the signal flow in the filter circuit (see figure~\ref{fig:blockdiagramcircuit2}).
As the signal has to pass through each block/stage
in order to be `five~pole' filtered, we need to bring these three blocks together into a {\fg}
in order to get a failure mode model for the whole circuit.
We can index the Sallen Key stages, and these are marked on the circuit schematic in figure~\ref{fig:circuit2002_FIVEPOLE}.
\begin{figure}[h]+
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit2002_FIVEPOLE.png}
% circuit2002_FIVEPOLE.png: 575x331 pixel, 72dpi, 20.28x11.68 cm, bb=0 0 575 331
\caption{Functional Groups in Five Pole Low Pass Filter: shown as an Euler diagram super-imposed onto the electrical schematic.}
\label{fig:circuit2002_FIVEPOLE}
\end{figure}
\pagebreak[4]
So our final {\fg} will consist of the derived components $\{ LP1, SKLP_1, SKLP_2 \}$.
We represent the desired FMMD hierarchy in figure~\ref{fig:circuit2h}.
% HTR 20OCT2012 \begin{figure}[h]+
% HTR 20OCT2012 \centering
% HTR 20OCT2012 \includegraphics[width=300pt]{CH5_Examples/circuit2h.png}
% HTR 20OCT2012 % circuit2h.png: 676x603 pixel, 72dpi, 23.85x21.27 cm, bb=0 0 676 603
% HTR 20OCT2012 \caption{FMMD Hierarchy for five pole Low Pass Filter}
% HTR 20OCT2012 \label{fig:circuit2h}
% HTR 20OCT2012\end{figure}
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/eulerfivepole.png}
% eulerfivepole.png: 883x343 pixel, 72dpi, 31.15x12.10 cm, bb=0 0 883 343
\caption{Euler diagram showing {\fg}/{\dc} relationships for the analysis of the Five Pole Sallen Key filter. This
is an abstract version of figure~\ref{fig:circuit2002_FIVEPOLE}}.
\label{fig:circuit2h}
\end{figure}
%\pagebreak[4]
%$$ fm ( SKLP ) = \{ SKLPHigh, SKLPLow, SKLPIncorrect, SKLPnosignal \} $$
%$$ fm(LP1) = \{ LP1High, LP1Low, LP1ExtraLowPass, LP1NoLowPass \} $$
\begin{table}[ht]+
\caption{Five Pole Low Pass Filter: Failure Mode Effects Analysis($FivePoleLP$): Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|l||}
\hline \hline
%\textbf{Test} & \textbf{Circuit} & \textbf{ } & \textbf{General} \\
%\textbf{Case} & \textbf{Effect} & \textbf{ } & \textbf{Symptom Description} \\
\textbf{Failure} & \textbf{$FivePoleLP$ } & \textbf{Derived Component} \\
\textbf{cause} & \textbf{Effect} & \textbf{Failure Mode} \\
% R & wire & res + & res - & description
\hline
\hline
TC1: $LP1$ LP1High & signal HIGH & HIGH \\
TC2: $LP1$ SKLPLow & signal LOW & LOW \\
TC3: $LP1$ LP1filterIncorrect & filtering incorrect & FilterIncorrect \\
TC4: $LP1$ LP1nosignal & no signal propagated & NO\_SIGNAL \\ \hline
TC5: $SKLP_1$ High & signal HIGH & HIGH \\
TC6: $SKLP_1$ Low & signal LOW & LOW \\
TC7: $SKLP_1$ filterIncorrect & filtering incorrect & FilterIncorrect \\
TC8: $SKLP_1$ nosignal & no signal propagated & NO\_SIGNAL \\ \hline
TC9: $SKLP_2$ High & signal HIGH & HIGH \\
TC10: $SKLP_2$ Low & signal LOW & LOW \\
TC11: $SKLP_2$ filterIncorrect & filtering incorrect & FilterIncorrect \\
TC12: $SKLP_2$ nosignal & no signal propagated & NO\_SIGNAL \\ \hline
\hline
\hline
\end{tabular}
\label{tbl:fivepole}
\end{table}
We now can create a {\dc} to represent the circuit in figure~\ref{fig:circuit2}, we call this
$FivePoleLP$: applying the $fm$ function (see table~\ref{tbl:fivepole})
yields $fm(FivePoleLP) = \{ HIGH, LOW, FilterIncorrect, NO\_SIGNAL \}$.
%\pagebreak[4]
The failure modes for the low pass filters are very similar, and the propagation of the signal
is simple (as it is never inverted). The circuit under analysis is -- as shown in the block diagram (see figure~\ref{fig:blockdiagramcircuit2}) --
three op-amp driven non-inverting low pass filter elements. It is not surprising therefore that they have very similar failure modes.
From a safety point of view, the failure modes $LOW$, $HIGH$ and $NO\_SIGNAL$
could be easily detected; the failure symptom $FilterIncorrect$ may be less observable.
\subsection{Conclusion}
This example shows the analysis of a linear signal path circuit with three easily identifiable
{\fgs} and re-use of the Sallen-Key {\dc}.
\clearpage
%
% BUBBAOSC
%
\section{Quad Op-Amp Oscillator}
\label{sec:bubba}
\begin{figure}[h]
\centering
\includegraphics[width=200pt]{CH5_Examples/circuit3003.png}
% circuit3003.png: 503x326 pixel, 72dpi, 17.74x11.50 cm, bb=0 0 503 326
\caption{Circuit diagram for the Quad Op-Amp `Bubba' Oscillator}
\label{fig:circuit3}
\end{figure}
%\clearpage
%\section{Standard Non-inverting OP AMP}
This circuit is described in the Analog Applications Journal~\cite{bubba}[p.37].
The circuit implements an oscillator using four 45 degree phase shifts, and an inverting amplifier to provide
gain and the final 180 degrees of phase shift (making a total of 360). % degrees of phase shift).
The circuit provides two outputs with a quadrature phase relationship.
%
From a fault finding perspective this circuit cannot be decomposed,
as the whole circuit is enclosed within a feedback loop,
hence a fault anywhere in the loop is likely to affect all stages.
%
However, this is not a problem for FMMD, as {\fgs} are readily identifiable.
%
%The signal path is circular (its a positive feedback circuit) and most failures would simply cause the output to stop oscillating.
%The top level failure modes for the FMMD hierarchy bear this out.
%However, FMMD is a bottom -up analysis methodology and we can therefore still identify
%{\fgs} and apply analysis from a failure mode perspective.
%
% METRICS If we were to analyse this circuit using traditional FMEA (i.e. without modularisation) we observe 14 components with
% METRICS ($4.4 +10 \times 2 = 36$) failure modes. Applying equation~\ref{eqn:rd2} gives a complexity comparison figure of $13.36=468$.
% METRICS We now create FMMD models and compare the complexity of FMMD and FMEA.
%
%We start the FMMD process by determining {\fgs}.
We initially identify three types of functional groups, an inverting amplifier (analysed in section~\ref{fig:invamp}),
a 45 degree phase shifter (a {$10k\Omega$} resistor and a $10nF$ capacitor) and a non-inverting buffer
amplifier. We can name these $INVAMP$, $PHS45$ and $NIBUFF$ respectively.
We can use these {\fgs} to describe the circuit in block diagram form with arrows indicating the signal path, in figure~\ref{fig:bubbablock}.
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/bubba_oscillator_block_diagram.png}
% bubba_oscillator_block_diagram.png: 720x295 pixel, 72dpi, 25.40x10.41 cm, bb=0 0 720 295
\caption{Circuit 3: Electrical signal path block diagram of the `Bubba' oscillator, showing the circular circuit topology.}
\label{fig:bubbablock}
\end{figure}
We can now analyse each of these {\fgs} and create failure mode models for them, and from these
determine {\dcs}.
\subsection{Inverting Amplifier: INVAMP}
This has been analysed in section~\ref{sec:invamp}.
The inverting amplifier, as a {\dc}, has the following failure modes:
$$ fm(INVAMP) = \{ AMP\_High, AMP\_Low, LowPass \}. $$ % \{ HIGH, LOW, LOW PASS \}. $$
% METRICS and has a CC of 10.
\subsection{Phase shifter: PHS45}
This consists of a resistor and a capacitor. We already have failure mode models for these components -- $ fm(R) = \{OPEN, SHORT\}$, $fm(C) = \{OPEN, SHORT\}$ --
we now need to see how these failure modes would affect the phase shifter. Note that the circuit here
is identical to the low pass filter in circuit topology (see section~\ref{sec:lp}), but its intended use is different.
We have to analyse this circuit from the perspective of it being a {\em phase~shifter} not a {\em low~pass~filter}.
Our functional group for the phase shifter consists of a resistor and a capacitor, $G_0 = \{ R, C \}$
(FMMD analysis details at section~\ref{detail:PHS45})
$$ fm (G_0) = \{ nosignal, 0\_phaseshift \} $$
%$$ CC(G_0) = 4 \times 1 = 4 $$
%23SEP2012
\subsection{Non Inverting Buffer: NIBUFF.}
The non-inverting buffer {\fg}, is comprised of one component, an op-amp.
We use the failure modes for an op-amp~\cite{fmd91}[p.3-116] to represent this group.
% GARK
We can express the failure modes for the non-inverting buffer ($NIBUFF$) thus:
$$ fm(NIBUFF) = fm(OPAMP) = \{L\_{up}, L\_{dn}, Noop, L\_slew \} . $$
%Because we obtain the failure modes for $NIBUFF$ from the literature,
%its comparison complexity is zero. In re-using {\dcs} we expend no extra analysis effort.
%$$ CC(NIBUFF) = 0 $$
%\subsection{Forming a functional group from the PHS45 and NIBUFF.}
% describe what we are doing, a buffered 45 degree phase shift element
\subsection{Bringing the functional Groups Together: FMMD model of the `Bubba' Oscillator.}
We could at this point bring all the {\dcs} together into one large functional
group (see figure~\ref{fig:bubbaeuler1}) %{fig:poss1finalbubba})
or we could try to merge smaller stages.
Initially we use the first identified {\fgs} to create our model without further stages of refinement/hierarchy.
\subsection{FMMD Analysis using initially identified functional groups}
\label{sec:bubba1}
Our {\fg} for this analysis can be expressed thus:
%
%$$ G^1_0 = \{ PHS45^1_1, NIBUFF^0_1, PHS45^1_2, NIBUFF^0_2, PHS45^1_3, NIBUFF^0_3 PHS45^1_4, INVAMP^1_0 \} ,$$
$$ G = \{ PHS45, NIBUFF, PHS45, NIBUFF, PHS45, NIBUFF PHS45, INVAMP \} ,$$
or in Euler diagram format as in figure~\ref{fig:bubbaeuler1}.
% HTR 23SEP2012 \begin{figure}[h+]
% HTR 23SEP2012 \centering
% HTR 23SEP2012 \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss1finalbubba.png}
% HTR 23SEP2012 % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
% HTR 23SEP2012 \caption{Bubba Oscillator: One large functional group using the initial functional groups to model oscillator.}
% HTR 23SEP2012 \label{fig:poss1finalbubba}
% HTR 23SEP2012 \end{figure}
%
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/bubba_euler_1.png}
% bubba_euler_1.png: 946x404 pixel, 72dpi, 33.37x14.25 cm, bb=0 0 946 404
\caption{Euler diagram showing the hierarchy of the initial FMMD analysis performed on the Bubba Oscillator circuit.}
\label{fig:bubbaeuler1}
\end{figure}
%
The detail of the FMMD analysis can be found in section~\ref{detail:BUBOSC1}.
Applying $fm$ to the Bubba oscillator
returns two failure modes,
%
$$ fm(BubbaOscillator) = \{ NO_{osc}, HI_{fosc}\} . $$ %, LO_{fosc} \} . $$
%
%For the final stage of this FMMD model, we can calculate the complexity using equation~\ref{eqn:rd2}.
%$$ CC = 28 \times 8 = 224$$
%
%To obtain the total comparison complexity ($TCC$), we need to add the complexity from the
%{\dcs} that $BubbaOscillator$ was built from.
%
%$$ TCC = 28 \times 8 + 4 \times 4 + 4 \times 0 + 10 = 250$$
%
%As we have re-used the analysis for BUFF45 we could even reasonably remove
%$3 \times 4=12$ from this result, because the results from $BUFF45$ have been used four times.
%Traditional FMEA would have lead us to a much higher comparison complexity
%of $468$ failure modes to check against components.
%However,
The analysis here appears top-heavy; we should be able to refine the model more
and break this down into smaller functional groups by allowing more stages of hierarchy.
%and hopefully
%this should lead a further reduction in the complexity comparison figure.
By decreasing the size of the modules with further refinement,
we may also discover new derived components that may be of use for other analyses in the future.
\clearpage
\subsection{FMMD Analysis of Bubba Oscillator using a finer grained modular approach (i.e. more hierarchical stages)}
\label{sec:bubba2}
The example above---from the initial {\fgs}---used one very large functional group to model the circuit.
%This mean a quite large comparison complexity for this final stage.
We should be able to determine smaller {\fgs} and refine the model further.
% HTR 23SEP2012 \begin{figure}[h+]
% HTR 23SEP2012 \centering
% HTR 23SEP2012 \includegraphics[width=300pt,keepaspectratio=true]{CH5_Examples/poss2finalbubba.png}
% HTR 23SEP2012 % largeosc.png: 916x390 pixel, 72dpi, 32.31x13.76 cm, bb=0 0 916 390
% HTR 23SEP2012 \caption{Bubba Oscillator: Smaller Functional Groups, One more FMMD hierarchy stage.}
% HTR 23SEP2012 \label{fig:poss2finalbubba}
% HTR 23SEP2012 \end{figure}
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/bubba_euler_2.png}
% bubba_euler_2.png: 1241x617 pixel, 72dpi, 43.78x21.77 cm, bb=0 0 1241 617
\caption{Euler diagram showing functional groupings for the Bubba oscillator using a more de-composed approach.}
\label{fig:bubbaeuler2}
\end{figure}
\paragraph{Outline of finer grained FMMD analysis of the Bubba oscillator}
%
We use the pre-analysed $NIBUFF$ and $PHS45$
{\dcs} to form a {\fg}, analysed in table~\ref{tbl:buff45}, giving the
{\dc} $BUFF45$.
%
Thus, $BUFF45$ is a {\dc} representing an actively buffered $45^{\circ}$ phase shifter.
%
From the block circuit diagram (figure~\ref{fig:circuit3}), we see that there are three
$45^{\circ}$ phase shifter circuits in series. Together these apply a $135^{\circ}$ phase shift to the signal.
%
We use this property to model a higher level {\dc}, that of a $135^{\circ}$ phase shifter.
%
The three $BUFF45$ {\dcs} form a
functional group which is analysed in table~\ref{tbl:phs135buffered}.
The result of this analysis is the {\dc}
$PHS135BUFFERED$ which represents an actively buffered $135^{\circ}$ phase shifter.
%
\paragraph{Analysis details of the finer grained FMMD analysis of the Bubba oscillator}
A PHS45 {\dc} and an inverting amplifier\footnote{Inverting amplifiers apply a $180^{\circ}$ phase shift to a signal regardless of its frequency.},
form a {\fg}
providing an amplified $225^{\circ}$ phase shift, analysed in table~\ref{tbl:phs225amp}
resulting in the {\dc} $PHS225AMP$.
Applying FMMD we create a derived component $PHS225AMP$ which has the following failure modes:
$$
fm (PHS225AMP) = \{ 180\_phaseshift, NO\_signal .\} % 270\_phaseshift,
$$
%
%---with the remaining $PHS45$ and the $INVAMP$ (re-used from section~\ref{sec:invamp})in a second group $PHS225AMP$---
Finally we form a final {\fg} with $PHS135BUFFERED$ and $PHS225AMP$.
%in a final stage (see figure~{fig:bubbaeuler2}) % \ref{fig:poss2finalbubba})
%
%We can take a more modular approach by creating two intermediate functional groups, a buffered $45^{\circ}$ phase shifter (BUFF45)
%we can combine three $BUFF45$'s to make
%a $135^{\circ}$ buffer phase shifter (PHS135BUFFERED).
%
%We can combine a $PHS45$ and a $NIBUFF$ to create
%and an amplifying $225^{\circ}$ phase shifter (PHS225AMP).
%
% By combining PHS225AMP and PHS135BUFFERED we can create a more modularised hierarchical
% model of the bubba oscillator.
% The proposed hierarchy is shown in figure~\ref{fig:poss2finalbubba}.
%
%
%
We analyse this {\fg} (see section~\ref{detail:BUFF45}) and create a derived component, $BUFF45$ which has the following failure modes:
$$
fm (BUFF45) = \{ 0\_phaseshift, NO\_signal \} .% 90\_phaseshift,
$$
%
%$$ CC(BUFF45) = 7 \times 1 = 7 $$
%
Three $BUFF45$ {\dcs} form a {\fg}, and after FMMD analysis
we create a $PHS135BUFFERED$ {\dc}. The FMMD analysis may be viewed at section~\ref{detail:PHS135BUFFERED}. %
%
%
%
%$$ CC (PHS135BUFFERED) = 3 \times 2 = 6 $$
%
%
%
The $PHS225AMP$ consists of a $PHS45$, providing $45^{\circ}$ of phase shift, and an
$INVAMP$, providing $180^{\circ}$ giving a total of $225^{\circ}$.
Detailed FMMD analysis may be found in section~\ref{detail:PHS225AMP}.
%
%
%$$ CC(PHS225AMP) = 7 \times 1 $$
%
The $PHS225AMP$ consists of a $PHS45$ and an $INVAMP$ (which provides $180^{\circ}$ of phase shift).
%
%
%
To complete the analysis we now bring the derived components $PHS135BUFFERED$ and $PHS225AMP$ together
and perform FMEA with these (see section~\ref{detail:BUBBAOSC}), to obtain a model for the Bubba Oscillator.
%Collecting symptoms from table~\ref{tbl:bubba2}, we can create a derived component $BUBBAOSC$ which has the following failure modes:
$$
fm (BUBBAOSC) = \{ HI_{osc}, NO\_signal .\} % LO_{fosc},
$$
%
%We could trace the DAGs here and ensure that both analysis strategies worked ok.....
%
%$$ CC(BUBBAOSC) = 6 \times (2-1) = 6 $$
%
%
% We can now add the comparison complexities for all levels of the analysis represented in figure~\ref{fig:poss2finalbubba}.
% We have at the lowest level two $PHS45$ {\dcs} giving a CC of 8 and $INVAMP$ with a CC of 10,
% at the next level four $BUFF45$ {\dcs} giving $(4-1).7=21$,
% and penultimately $PHS135BUFFERED$ with 6 and $PHS225AMP$ with 7.
% The final top stage of the hierarchy, $BUBBAOSC$ has a CC of 6.
% Our total comparison complexity is $58$, this contrasts with $468$ for traditional `flat' FMEA,
% and $250$ for our first stage functional groups analysis.
% This has meant a drastic reduction in the number of failure-modes to check against components.
%It has %also
This more de-composed approach has
given us five {\dcs}, building blocks, which could %
be re-used in other projects.
%potentially be re-used for similar circuitry
%to analyse in the future.
%
%
\subsection{Comparing both approaches}
%
%In general with large functional groups the comparison complexity
%is higher, by an order of $O(N^2)$.
Smaller functional groups signify less by-hand checks and
a more finely grained model.
This means that
there would be more {\dcs} and therefore increases the potential for re-use of pre-analysed {\dcs}.
A finer grained model---with potentially more hierarchy stages---conveys that more
work, or reasoning has been used in the analysis.
% HTR The more we can modularise, the more we decimate the $O(N^2)$ effect
% HTR of complexity comparison.
%
\subsection{Conclusion}
With FMMD there is always a choice for the membership of {\fgs}.
This example has shown that the simple approach, identifying
initial {\fgs} and using them to build a large {\fg} to model the circuit
gives a valid result.
However, it involves a large reasoning distance, the final stage
having 24 failure modes to consider against each of the other seven {\dcs}.
A finer grained approach produces more potentially re-usable {\dcs} and
involves several stages with lower reasoning distances.
The lower reasoning distances, or complexity comparision figures are given in the metrics chapter~\ref{sec:chap7}
at section~\ref{sec:bubbaCC}.
\clearpage
\section{Sigma Delta Analogue to Digital Converter (\sd).} %($\Sigma \Delta ADC$)}
\label{sec:sigmadelta}
The following example is used to demonstrate FMMD analysis of a mixed analogue and digital circuit (see figure~\ref{fig:sigmadelta}).
\begin{figure}[h]
\centering
\includegraphics[width=300pt]{./CH5_Examples/circuit4004.png}
% circuit4004.png: 562x389 pixel, 72dpi, 19.83x13.72 cm, bb=0 0 562 389
\caption{Sigma Delta Analogue to Digital Converter}
\label{fig:sigmadelta}
\end{figure}
%
\nocite{f77}
\nocite{sccs}
\nocite{electronicssysapproach}
%
\begin{figure}[h]
\centering
\includegraphics[width=300pt,keepaspectratio=true]{./CH5_Examples/sigma_delta_block.png}
% sigma_delta_block.png: 828x367 pixel, 72dpi, 29.21x12.95 cm, bb=0 0 828 367
\caption{Electrical signal path Block diagram: \sd} % Analogue to Digital Converter }
\label{fig:sigmadeltablock}
\end{figure}
\paragraph{How the circuit works.}
A detailed description of {\sd} may be found in~\cite{mixedsignaldsp}[pp.69-80].
The diagram in~\ref{fig:sigmadeltablock} shows the signal path used
by this configuration for a \sd.
%
It works by placing the analogue voltage to be read into
a mixed analogue and digital feedback circuit.
%
A summing junction and integrator is used to compare the negative feedback
signal with the input.
%
The output of the integrator is converted to a digital level (by IC2)
%digitally cleaned-up by IC2 (i.e. output is TRUE or FALSE for digital logic)
%which acts as a comparator,
and fed to the D type flip flop.
%
%
%
The output of the flip flop is routed to the digital output and to the feedback loop.
It must be level converted, i.e. from digital logic voltage levels to analogue levels, before being fed to the analogue feedback.
It is level converted to an analogue signal by IC3---i.e. a digital 0 becomes a -ve voltage and a digital 1 becomes a +ve voltage---
and fed into the summing integrator completing the negative feedback loop.
%
In essence this implements an over-sampling one bit analogue to digital converter~\cite{ehb}[pp.729-730].
The output of the flip flop forms a bit pattern representing the value
of the input voltage (i.e. the value of the sum of 1's and 0's is proportional to the voltage value at the input).
\subsection{FMMD analysis of \sd }
%The partslist for the \sd :
%
%$$\{ IC1, IC2, IC3, IC4, R1, R2, R3, R4, C1 \} $$.
%
The parts for the \sd are a mixture of analogue (resistors, capacitors, OpAmps) and digital
(D type flip flop, and a digital clock). We examine the failure modes of all components in this circuit below.
%
IC1,IC2 and IC3 are all OpAmps and we have failure modes for this component type
from section~\ref{sec:opamp_fms}.
%
$$ fm(OPAMP) = \{ HIGH, LOW, NOOP, LOW\_SLEW \} $$
%
We examine the literature for a failure model for the D-type flip flop~\cite{fmd91}[3-105], for example the CD4013B~\cite{cd4013},
and obtain its failure modes, which we can express using the $fm$ function:
%%
$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
%
The resistors and capacitor failure modes we take from EN298~\cite{en298}[An.A].
We express the failure modes for the resistors (R) and Capacitors (C) thus:
%
$$ fm ( R ) = \{OPEN, SHORT\},$$
%
$$ fm ( C ) = \{OPEN, SHORT\}. $$
%
We are also given a CLOCK. For the purpose of example we shall attribute
one failure mode to this, that it might stop.
We express the failure modes of the CLOCK, thus:
%
$$ fm ( CLOCK ) = \{ STOPPED \}. $$
\subsection{Identifying initial {\fgs}}
\subsubsection{Summing Junction Integrator (SUMJINT)}
We next choose {\fgs}. The most obvious way to find initial {\fgs} is
to follow the signal path. The signal path is circular, but we can start
with the input voltage, which is applied via $R2$, we term this voltage $V_{in}$.
%
The feedback voltage for the ADC is supplied via $R1$, we term this voltage as $V_{fb}$.
%The input voltage is supplied via $R2$ and we term this voltage as $V_{in}$.
$R2$ and $R1$ form a summing junction to IC1: they balance the integrator provided
by the capacitor C1 and the opamp IC1.
This can be our first {\fg} and we analyse it in table~\ref{tbl:sumjint}.
%For the symptoms, we have to think in terms of the effect
%on its performance as a summing junction and not be
%distracted by the integrator formed by $C_1$ and $IC1$.
%
$$FG = \{R1, R2, IC1, C1 \}$$
That is the failure modes (see FMMD analysis at~\ref{detail:SUMJINT})of our new {\dc}
$SUMJINT$ are $$\{ V_{in} DOM, V_{fb} DOM, NO\_INTEGRATION, HIGH, LOW \} .$$
%\clearpage
\subsubsection{High Impedance Signal Buffer (HISB)}
Next in the signal path (see figure~\ref{fig:sigmadeltablock}) is a signal buffer.
This presents a high impedance to the circuit driving it.
This prevents electrical loading, and thus interference with, the SUMJINT stage.
This is simply an op-amp
with the input connected to the +ve input and the -ve input grounded.
It therefore has the failure modes of an Op-amp.
%
% \end{tabular}
% \end{table}
This is an OpAmp in a signal buffer configuration.
As it is performing one particular function
we may consider it as a derived component, that of a High Impedance Signal Buffer (HISB).
This is analysed using FMMD in section~\ref{detail:HISB}.
%
We create the {\dc} $HISB$ and its failure modes may be stated as $$fm(HISB) = \{HIGH, LOW, NOOP, LOW_{SLEW} \}.$$
\subsubsection{Digital level to analogue level conversion ($DL2AL$).}
The integrator is implemented in digital electronics, but the output from the D type flip flop is a digital signal.
A conversion stage is required to interface these stages.
Digital level to analogue level conversion is performed by IC3 in conjunction with a potential divider formed by R3,R4.
The potential divider provides a mid rail reference voltage
to the inverting input of IC3.
\paragraph{Potential divider formed by R3,R4.}
We re-use the analysis from table~\ref{tbl:pdfmea}, and use the derived component $PD$
to represent the potential divider formed by R3 and R4.
%Because PD is a derived component, we can denote this
%by super-scripting it with its abstraction level of 1, thus $PD$.
$$
fm(PD) = \{ HIGH, LOW \}.
$$
%
IC3 is an op-amp and has the failure modes
$$fm(IC3) = \{ HIGH, LOW, NOOP, LOW\_SLEW \} . $$
%
The digital signal is supplied to the non-inverting input.
The output is a voltage level in the analogue domain $-V$ or $+V$.
%
We now form a {\fg} from $PD $ and $IC3$.
%
$$ FG = \{ PD , IC3 \} $$
%
We now analyse this {\fg} (see section~\ref{detail:DL2AL}).
$$ fm (DL2AL) = \{ LOW, HIGH, LOW\_{SLEW} \} $$
%\clearpage
\subsubsection{$DIGBUF$ --- digital clocked memory (flip-flop).}
%
% This is a single component as a {\fg}, and we can state
% $$ fm (DCM) = \{ HIGH, LOW, NOOP \} $$
The digital element of the {\sd}, is a `one~bit~memory', or D type flip flop. This
buffers the feedback result and provides the output bit stream.
We create a {\fg} from the CLOCK and IC4 to model this digital buffer.
$$FG = \{ IC4, CLOCK \}$$
%% DIGBUF --- Digital Buffer
We now analyse this {\fg} (see section~\ref{detail:DIGBUF}).
%in table~\ref{tbl:digbuf}.
We can now derive a new component to represent the digital buffer and call it $DIGBUF$.
$$ fm (DIGBUF) = \{ LOW, STOPPED \} $$
%%% END DIGBUF
\subsection{First {\fgs} analysed}
We have analysed the initial {\fgs} and
have created our first {\dcs}. %and can now take stock of the situation
%and see what is now required.
%Figure~\ref{fig:sigdel1} shows which {\fgs} we have analysed so far.
%hierarchy has been built.
These are:
\begin{itemize}
\item SUMJINT --- A summing junction and integrator,
\item HISB --- A high impedance buffer,
\item DIGITALBUFF --- A one bit digital buffer,
\item DL2AL --- A digital to analog level converter,
\item DIGBUF --- A digital one bit buffer/memory.
\end{itemize}
These {\dcs} follow the signal path shown in figure~\ref{fig:sigmadeltablock}.
We now use these {\dcs} to create higher level {\fgs}.
%to represent the failure mode
%behaviour of the $\Sigma \Delta ADC$.
We represent this
in the Euler diagram in figure~\ref{fig:eulersd}.
The next stage is to create {\fgs} from these initial {\dcs}
and make a complete failure mode for the {\sd}.
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/eulersd.png}
% eulersd.png: 1018x334 pixel, 72dpi, 35.91x11.78 cm, bb=0 0 1018 334
\caption{Euler diagram showing the initial {\dcs} used to model the $\Sigma \Delta ADC$}
\label{fig:eulersd}
\end{figure}
%
% \begin{figure}[h+]
% \centering
% \includegraphics[width=400pt]{./CH5_Examples/sigdel1.png}
% % sigdel1.png: 766x618 pixel, 72dpi, 27.02x21.80 cm, bb=0 0 766 618
% \caption{First stage of FMMD analysis: Sigma delta Converter}
% \label{fig:sigdel1}
% \end{figure}
%\clearpage
\subsubsection{Buffered Integrating Summing Junction (BISJ): {\fg} of $HISB$ and $SUMJINT$}
We now form a {\fg} with the two derived components $HISB$ and $SUMJINT$.
This forms a buffered integrating summing junction. We analyse this using FMMD
(see section~\ref{detail:BISJ}).
%which we analyse in table~\ref{tbl:BISJ}.
We define this {\fg} thus:
$ FG = \{ HISB, SUMJINT \} .$
%
Using the $fm$ function we define the failure modes of
our derived component BISJ thus:
%
$$ fm(BISJ) = \{ OUTPUT STUCK , REDUCED\_INTEGRATION \} . $$
\subsubsection{Flip Flop Buffer (FFB): {\fg} of $DL2AL$ and $DIGBUF$}
%$$ fm (DL2AL^2) = \{ LOW, HIGH, LOW\_SLEW \} $$
%$$ fm ( CD4013B) = \{ HIGH, LOW, NOOP \} $$
The functional group formed by $DIGBUF$ and $DL2AL$ takes the flip flop clocked and buffered
value, and outputs it at analogue voltage levels for the summing junction.
$ FG = \{ DIGBUF, DL2AL \} $
We analyse the buffered flip flop circuitry
and create a {\dc} $FFB$,
where $$fm (FFB) = \{OUTPUT STUCK, LOW\_SLEW\}$$.
%\clearpage
\subsection{Final, top level {\fg} for sigma delta Converter}
We now have two {\dcs}, $FFB$ and $BISJ$.
These together represent all base components within this circuit.
We form a final functional group with these:
$$ FG = \{ FFB , BISJ \} .$$
We analyse the buffered {\sd} circuit using FMMD (see section~\ref{detail:SDADC}).
%in table~\ref{tbl:sdadc}.
%
% FFB^3 $\{OUTPUT STUCK, LOW\_SLEW\}$
% BISJ^2 $\{ OUTPUT STUCK , REDUCED\_INTEGRATION \}$
%
We now have a {\dc} $SDADC$ which provides a failure mode model for the \sd.
$$fm(SSDADC) = \{OUTPUT\_OUT\_OF\_RANGE, OUTPUT\_INCORRECT\}$$
We now show the final {\dc} hierarchy in figure~\ref{fig:eulersdfinal}.
\begin{figure}[h]
\centering
\includegraphics[width=400pt]{./CH5_Examples/eulersdfinal.png}
% eulersd.png: 1018x334 pixel, 72dpi, 35.91x11.78 cm, bb=0 0 1018 334
\caption{Euler diagram showing the final {\dcs} used to model the $\Sigma \Delta ADC$}
\label{fig:eulersdfinal}
\end{figure}
% \begin{figure}[h]
% \centering
% \includegraphics[width=400pt]{./CH5_Examples/sdadc.png}
% % sdadc.png: 886x1134 pixel, 72dpi, 31.26x40.01 cm, bb=0 0 886 1134
% \caption{FMMD Analysis hierarchy for the {\sd}}
% \label{fig:sdadc}
% \end{figure}
\clearpage
% ]
% into
%
% A summing integrator
% adds the voltage input to the feedback signal.
% The digital circuitry tries to
% apply a voltage to the integrator that will
% produce a zero output... doh this is difficult to describe.
% %
% The input voltage is summed with the feedback from the circuit
% and is fed into a comparator (IC2) that will output a plus or minus.
% This is fed into the input (D) of a DQ flip flop.
% This digitally buffers the output from the comparator.
% The output from the from the DQ flkip flop is a digital representation
% of the input voltage.
% The output from the DQ is sent to the digital comparator formed by R3,R4
% and IC3.
% The output from this is sent to the summing integrator as the signal summed with the input.
\subsection{conclusion}
The \sd example, shows that FMMD can be applied to mixed digital and analogue circuitry.
%\clearpage
\section{Pt100 Analysis: FMMD and Double Failure Mode Analysis}
\label{sec:Pt100}
{
%This section
% shows a practical example of
% one `symptom~abstraction' stage in the FMMD process.
% We take a functional group of base components,
% and using their failure modes, analyse the circuit
% to find failure symptoms.
% These failure symptoms are used to define
% a derived component.
%
%demonstrates FMMDs ability to model multiple simultaneous {\fms}, and shows
%how statistics for part {\fms} can be used to determine the statistical likelihood of failure symptoms.
%%
%% STATS MOVED TO FUTURE WORK
%%
For this example we look at an industry standard temperature measurement circuit,
the Pt100. The four wire Pt100 configuration commonly used well known safety critical circuit.
Applying FMMD lets us look at this circuit in a fresh light.
we analyse this for both single and double failures,
in addition it demonstrates FMMD coping with component parameter tolerances.
The circuit is described traditionally and then analysed using the FMMD methodology.
%A derived component, representing this circuit is then presented.
The Pt100, or platinum wire \ohms{100} sensor is
a widely used industrial temperature sensor that is
slowly replacing the use of thermocouples in many
industrial applications below 600\oc, due to high accuracy\cite{aoe}.
%
%This section looks at the most common configuration, the
%four wire circuit, and analyses it from an FMEA perspective twice.
FMMD is performed twice on this circuit
firstly considering single faults only
%(cardinality constrained powerset of 1)
and again, considering the
possibility of double faults. % (cardinality constrained powerset of 2).
%
% \ifthenelse {\boolean{pld}}
% {
% The section is performed using Propositional Logic
% diagrams to assist the reasoning process.
% }
% {
% }
%
% This chapter describes taking
% the failure modes of the components, analysing the circuit using FMEA
% and producing a failure mode model for the circuit as a whole.
% Thus after the analysis the $Pt100$ temperature sensing circuit, may be viewed
% from an FMEA perspective as a component itself, with a set of known failure modes.
% }
%
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 714 180,keepaspectratio=true]{./CH5_Examples/pt100.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 four wire circuit}
\label{fig:Pt100}
\end{figure}
\subsection{General Description of Pt100 four wire circuit}
The Pt100 four wire circuit uses two wires to supply a small electrical current,
and returns two sense voltages by the other two.
By measuring voltages
from sections of this circuit forming potential dividers, we can determine the
resistance of the platinum wire sensor. The resistance
of this is directly related to temperature, and may be determined by
look-up tables or a suitable polynomial expression.
%
%
\begin{figure}[h]
\centering
\includegraphics[width=150pt,bb=0 0 273 483,keepaspectratio=true]{./CH5_Examples/vrange.png}
% Pt100.jpg: 714x180 pixel, 72dpi, 25.19x6.35 cm, bb=0 0 714 180
\caption{Pt100 expected voltage ranges}
\label{fig:Pt100vrange}
\end{figure}
%
%
The voltage ranges we expect from this three stage potential divider\footnote{
two stages are required for validation, a third stage is used to measure the current flowing
through the circuit to obtain accurate temperature readings}
are shown in figure \ref{fig:Pt100vrange}. Note that there is
an expected range for each reading, for a given temperature span.
Note that the low reading goes down as temperature increases, and the higher reading goes up.
For this reason the low reading will be referred to as {\em sense-}
and the higher as {\em sense+}.
\paragraph{Accuracy despite variable resistance in cables}
For electronic and accuracy reasons, a four wire circuit is preferred
because of resistance in the cables. Resistance from the supply
causes a slight voltage
drop in the supply to the $Pt100$. As no significant current
is carried by the two `sense' lines, the resistance back to the ADC
causes only a negligible voltage drop, and thus the four wire
configuration is more accurate\footnote{The increased accuracy is because the voltage measured, is the voltage across
the thermistor only and not the voltage across the thermistor and current supply wire resistance.}.
\paragraph{Calculating Temperature from the sense line voltages}
The current flowing though the
whole circuit can be measured on the PCB by reading a third
sense voltage from one of the load resistors. Knowing the current flowing
through the circuit
and knowing the voltage drop over the $Pt100$, we can calculate its
resistance by Ohms law $V=I.R$, $R=\frac{V}{I}$.
Thus a little loss of supply current due to resistance in the cables
does not impinge on accuracy.
The resistance to temperature conversion is achieved
through the published $Pt100$ tables\cite{eurothermtables}.
The standard voltage divider equations (see figure \ref{fig:vd} and
equation \ref{eqn:vd}) can be used to calculate
expected voltages for failure mode and temperature reading purposes.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 183 170,keepaspectratio=true]{./CH5_Examples/voltage_divider.png}
% voltage_divider.png: 183x170 pixel, 72dpi, 6.46x6.00 cm, bb=0 0 183 170
\caption{Voltage Divider}
\label{fig:vd}
\end{figure}
%The looking at figure \ref{fig:vd} the standard voltage divider formula (equation \ref{eqn:vd}) is used.
\begin{equation}
\label{eqn:vd}
V_{out} = V_{in}.\frac{Z2}{Z2+Z1}
\end{equation}
\subsection{Safety case for 4 wire circuit}
This sub-section looks at the behaviour of the $Pt100$ four wire circuit
for the effects of component failures.
All components have a set of known `failure modes'.
In other words we know that a given component can fail in several distinct ways.
Studies have been published which list common component types
and their sets of failure modes~\cite{fmd91}, often with MTTF statistics~\cite{mil1991}.
Thus for each component, an analysis is made for each of its failure modes,
with respect to its effect on the
circuit. Each one of these scenarios is termed a `test case'.
The resultant circuit behaviour for each of these test cases is noted.
The worst case for this type of
analysis would be a fault that we cannot detect.
Where this occurs a circuit re-design is probably the only sensible course of action.
\fmodegloss
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit.}
\label{fmea}
The Pt100 circuit consists of three resistors, two `current~supply'
wires and two `sensor' wires.
Resistors, are considered to fail by either going OPEN or SHORT (see section~\ref{sec:res_fms}). %circuit\footnote{EN298:2003~\cite{en298} also requires that components are downrated,
%and so in the case of resistors the parameter change failure mode~\cite{fmd-91}[2-23] can be ommitted.}.
%Should wires become disconnected these will have the same effect as
%given resistors going open.
For the purpose of this analyis;
$R_{1}$ is the \ohms{2k2} from 5V to the thermistor,
$R_3$ is the Pt100 thermistor and $R_{2}$ connects the thermistor to ground.
We can define the terms `High Fault' and `Low Fault' here, with reference to figure
\ref{fig:Pt100vrange}. Should we get a reading outside the safe green zone
in the diagram, we consider this a fault.
Should the reading be above its expected range, this is a `High Fault'
and if below a `Low Fault'.
Table \ref{ptfmea} plays through the scenarios of each of the resistors failing
in both SHORT and OPEN failure modes, and hypothesises an error condition in the readings.
The range {0\oc} to {300\oc} will be analysed using potential divider equations to
determine out of range voltage limits in section~\ref{sec:ptbounds}.
\begin{table}[ht]
\caption{Pt100 FMEA Single Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|c|c|l|l||}
\hline \hline
\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
$R_1$ SHORT & High Fault & - & Value Out of Range Value \\ \hline
$R_1$ OPEN & Low Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_3$ SHORT & Low Fault & High Fault & Both values out of range \\ \hline
$R_3$ OPEN & High Fault & Low Fault & Both values out of range \\ \hline
\hline
$R_2$ SHORT & - & Low Fault & Value Out of Range Value \\
$R_2$ OPEN & High Fault & High Fault & Both values out of range \\ \hline
\hline
\end{tabular}
\label{ptfmea}
\end{table}
From table \ref{ptfmea} it can be seen that any component failure in the circuit
should cause a common symptom, that of one or more of the values being `out of range'.
Temperature range calculations and detailed calculations
on the effects of each test case are found in section \ref{Pt100range}
and \ref{Pt100temp}.
%\paragraph{Consideration of Resistor Tolerance}
%
%The separate sense lines ensure the voltage read over the Pt100 thermistor are not
%altered due to having to pass any significant current.
%The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
%One or other of the load resistors (the one we measure current over) should also
%be of this accuracy.
%
%The \ohms{2k2} loading resistors may be ordinary, in that they would have a good temperature co-effecient
%(typically $\leq \; 50(ppm)\Delta R \propto \Delta \oc $), and should be subjected to
%a narrow temperature range anyway, being mounted on a PCB.
%\glossary{{PCB}{Printed Circuit Board}}
%To calculate the resistance of the Pt100 element % (and thus derive its temperature),
%having the voltage over it, we now need the current.
%Lets use, for the sake of example $R_2$ to measure the current flowing in the temperature sensor loop.
%As the voltage over $R_3$ is relative (a design feature to eliminate resistance effects of the cables).
%We can calculate the current by reading
%the voltage over the known resistor $R2$.\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
%We can determine this via ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
%and then using $I$, we can calculate $R_{3} = \frac{V_{R3}}{I}$.}
%As these calculations are performed by ohms law, which is linear, the accuracy of the reading
%will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
%take the mean square error of these accuracy figures.
\paragraph{Range and $Pt100$ Calculations}
\label{Pt100temp}
$Pt100$ resistors are designed to
have a resistance of \ohms{100} at {0\oc} \cite{aoe},\cite{eurothermtables}.
A suitable `wider than to be expected range' was considered to be {0\oc} to {300\oc}
for a given application.
According to the Eurotherm Pt100
tables \cite{eurothermtables}, this corresponded to the resistances \ohms{100}
and \ohms{212.02} respectively. From this the potential divider circuit can be
analysed and the maximum and minimum acceptable voltages determined.
These can be used as bounds results to apply the findings from the
Pt100 FMEA analysis in section \ref{fmea}.
As the Pt100 forms a potential divider with the \ohms{2k2} load resistors,
the upper and lower readings can be calculated thus:
$$ highreading = 5V.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 5V.\frac{2k2}{2k2+2k2+Pt100} $$
So by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.
To convert these to twelve bit ADC (\adctw) counts:
$$ highreading = 2^{12}.\frac{2k2+Pt100}{2k2+2k2+pt100} $$
$$ lowreading = 2^{12}.\frac{2k2}{2k2+2k2+Pt100} $$
\begin{table}[ht]
\caption{Pt100 Maximum and Minimum Values} % title of Table
\centering % used for centering table
\begin{tabular}{||c|c|c|l|l||}
\hline \hline
\textbf{Temperature} & \textbf{Pt100 resistance} &
\textbf{Lower} & \textbf{Higher} & \textbf{Description} \\
\hline
% {-100 \oc} & {\ohms{68.28}} & 2.46V & 2.53V & Boundary of \\
% & & 2017\adctw & 2079\adctw & out of range LOW \\ \hline
{0 \oc} & {\ohms{100}} & 2.44V & 2.56V & Boundary of \\
& & 2002\adctw & 2094\adctw & out of range LOW \\ \hline
{+300 \oc} & {\ohms{212.02}} & 2.38V & 2.62V & Boundary of \\
& & 1954\adctw & 2142\adctw & out of range HIGH \\ \hline
\hline
\end{tabular}
\label{ptbounds}
\end{table}
Table \ref{ptbounds} gives ranges that determine correct operation. In fact it can be shown that
for any single error (short or opening of any resistor) this bounds check
will detect it.
\paragraph{Consideration of Resistor Tolerance.}
%
\label{sec:ptbounds}
The separate sense lines ensure the voltage read over the $Pt100$ thermistor is not
altered by having to pass any significant current. The current is supplied
by separate wires and the resistance in those are effectively cancelled
out by considering the voltage reading over $R_3$ to be relative.
%
The Pt100 element is a precision part and will be chosen for a specified accuracy/tolerance range.
One or other of the load resistors (the one over which we measure current) should also
be of a specified accuracy\footnote{It is common for standard surface mount resistors to have an
accuracy of $\pm 1\%$. Higher accuracy parts may be specified.}.
%
The \ohms{2k2} loading resistors should have a good temperature co-effecient
(i.e. $\leq \; 50(ppm)\Delta R \propto \Delta \oc $).
%
To calculate the resistance of the Pt100 element % (and thus derive its temperature),
knowing $V_{R3}$ we now need the current flowing in the temperature sensor loop.
%
Lets use, for the sake of example, $R_2$ to measure the current.
%
We can calculate the current $I$, by reading
the voltage over the known resistor $R_2$ and using Ohms law\footnote{To calculate the resistance of the Pt100 we need the current flowing though it.
We can determine this via Ohms law applied to $R_2$, $V=IR$, $I=\frac{V}{R_2}$,
and then using $I$, we can calculate $R_{3} = \frac{V_{3}}{I}$.} and then use Ohms law again to calculate
the resistance of $R_3$.
%
As Ohms law is linear, the accuracy of the reading
will be determined by the accuracy of $R_2$ and $R_{3}$. It is reasonable to
take the mean square error of these accuracy figures~\cite{probstat}.
\paragraph{Single Fault FMEA Analysis of $Pt100$ Four wire circuit}
\ifthenelse{\boolean{pld}}
{
\paragraph{Single Fault Modes as PLD}
The component~failure~modes in table \ref{ptfmea} can be represented as contours
on a PLD diagram.
Each test case, is defined by the contours that enclose
it. The test cases here deal with single faults only
and are thus enclosed by one contour each.
\fmodegloss
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc}
\end{figure}
} % \ifthenelse {\boolean{pld}}
%ating input Fault
This circuit supplies two results, the {\em sense+} and {\em sense-} voltage readings.
To establish the valid voltage ranges for these, and knowing our
valid temperature range for this example ({0\oc} .. {300\oc}) we can calculate
valid voltage reading ranges by using the standard voltage divider equation \ref{eqn:vd}
for the circuit shown in figure \ref{fig:vd}.
\paragraph{Proof of Out of Range Values for Failures}
\label{pt110range}
Using the temperature ranges defined above we can compare the voltages
we would get from the resistor failures to prove that they are
`out of range'. There are six test cases and each will be examined in turn.
\subparagraph{ TC 1 : Voltages $R_1$ SHORT }
With Pt100 at 0\oc
$$ highreading = 5V $$
Since the highreading or sense+ is directly connected to the 5V rail,
both temperature readings will be 5V..
$$ lowreading = 5V.\frac{2k2}{2k2+100\Omega} = 4.78V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V $$
$$ lowreading = 5V.\frac{2k2}{2k2+212.02\Omega} = 4.56V$$
Thus with $R_1$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 2 : Voltages $R_1$ OPEN }
In this case the 5V rail is disconnected. All voltages read are 0V, and
therefore both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 3 : Voltages $R_2$ SHORT }
With Pt100 at 0\oc
$$ lowreading = 0V $$
Since the lowreading or sense- is directly connected to the 0V rail,
both temperature readings will be 0V.
$$ lowreading = 5V.\frac{100\Omega}{2k2+100\Omega} = 0.218V$$
With Pt100 at the high end of the temperature range 300\oc.
$$ highreading = 5V.\frac{212.02\Omega}{2k2+212.02\Omega} = 0.44V$$
%
Thus with $R_2$ shorted both readings are outside the
proscribed range in table \ref{ptbounds}.
\paragraph{ TC 4 : Voltages $R_2$ OPEN }
Here there is no potential divider operating and both sense lines
will read 5V, outside of the proscribed range.
\paragraph{ TC 5 : Voltages $R_3$ SHORT }
Here the potential divider is simply between
the two 2k2 load resistors. Thus it will read a nominal;
2.5V.
Assuming the load resistors are
precision components, and then taking an absolute worst case of 1\% either way.
$$ 5V.\frac{2k2*0.99}{2k2*1.01+2k2*0.99} = 2.475V $$
$$ 5V.\frac{2k2*1.01}{2k2*1.01+2k2*0.99} = 2.525V $$
These readings both lie outside the proscribed range.
Also the sense+ and sense- readings would have the same value.
\paragraph{ TC 6 : Voltages $R_3$ OPEN }
Here the potential divider is broken. The sense- will read 0V and the sense+ will
read 5V. Both readings are outside the proscribed range.
\subsection{Summary of Analysis}
All six test cases have been analysed and the results agree with the hypothesis
put in table~\ref{ptfmea}.
%The PLD diagram, can now be used to collect the symptoms.
In this case there is a common and easily detected symptom for all these single
resistor faults : Voltage out of range.
%
% A spider can be drawn on the PLD diagram to this effect.
%
In practical use, by defining an acceptable measurement/temperature range,
and ensuring the
values are always within these bounds, we can be confident that none of the
resistors in this circuit has failed.
\ifthenelse{\boolean{pld}}
{
\begin{figure}[h]
\centering
\includegraphics[width=400pt,bb=0 0 518 365,keepaspectratio=true]{./CH5_Examples/Pt100_tc_sp.png}
% Pt100_tc.jpg: 518x365 pixel, 72dpi, 18.27x12.88 cm, bb=0 0 518 365
\caption{Pt100 Component Failure Modes}
\label{fig:Pt100_tc_sp}
\end{figure}
}
\subsection{Derived Component with one failure mode.}
The Pt100 circuit can now be treated as a component in its own right, and has one failure mode,
{\textbf OUT\_OF\_RANGE}. This is a single, detectable failure mode. The observability of a
fault condition is very good with this circuit. This should not be a surprise, as the four wire $Pt100$
has been developed for safety critical temperature measurement.
%
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_singlef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_singlef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Single Faults Analysis}
\label{fig:Pt100_singlef}
\end{figure}
}
%From the single faults (cardinality constrained powerset of 1) analysis, we can now create
%a new derived component, the {\emPt100circuit}. This has only \{ OUT\_OF\_RANGE \}
%as its single failure mode.
%Interestingly we can calculate the failure statistics for this circuit now.
%Mill 1991 gives resistor stats of ${10}^{11}$ times 6 (can we get special stats for Pt100) ???
%\clearpage
%\section{Double failure analysis}
%CITE PRICE MULTIPLE FAILURE PAPER.
%\clearpage
\section{ Pt100 Double Simultaneous Fault Analysis}
\label{sec:Pt100d}
In this section we examine the failure mode behaviour % for all single
%faults and
double simultaneous faults.
Traditional FMEA methodologies do not provide double failure analysis~\cite{safeware}[p.342]
and double failure analysis for FMEA is a subject of current research~\cite{FMEAmultiple653556,AutoFMEAfaultTree1281774}.
%Well,
%This corresponds to the cardinality constrained powerset of one (see section~\ref{ccp}), of
%the failure modes in the functional group.
All the single faults have been analysed in the last section.
%For the next set of test cases, let us again hypothesise
%the failure modes, and then examine each one in detail with
%potential divider equation proofs.
%
Table \ref{tab:ptfmea2} lists all the combinations of double
faults as FMMD test cases.
%and then hypothesises how the functional~group will react
%under those conditions.
\begin{table}[ht]
\caption{Pt100 FMEA Double Faults} % title of Table
\centering % used for centering table
\begin{tabular}{||l|l|c|c|l|l||}
\hline \hline
\textbf{TC} &\textbf{Test} & \textbf{Result} & \textbf{Result } & \textbf{General} \\
\textbf{number} &\textbf{Case} & \textbf{sense +} & \textbf{sense -} & \textbf{Symtom Description} \\
% R & wire & res + & res - & description
\hline
\hline
TC 7: & $R_1$ OPEN $R_2$ OPEN & Floating input Fault & Floating input Fault & Unknown value readings \\ \hline
TC 8: & $R_1$ OPEN $R_2$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 9: & $R_1$ OPEN $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 10: & $R_1$ OPEN $R_3$ SHORT & low & low & Both out of range \\ \hline
\hline
TC 11: & $R_1$ SHORT $R_2$ OPEN & high & high & Both out of range \\ \hline
TC 12: & $R_1$ SHORT $R_2$ SHORT & high & low & Both out of range \\ \hline
\hline
TC 13: & $R_1$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 14: & $R_1$ SHORT $R_3$ SHORT & high & high & Both out of range \\ \hline
\hline
TC 15: & $R_2$ OPEN $R_3$ OPEN & high & Floating input Fault & sense+ out of range \\ \hline
TC 16: & $R_2$ OPEN $R_3$ SHORT & high & high & Both out of Range \\ \hline
TC 17: & $R_2$ SHORT $R_3$ OPEN & high & low & Both out of Range \\ \hline
TC 18: & $R_2$ SHORT $R_3$ SHORT & low & low & Both out of Range \\ \hline
\hline
\end{tabular}
\label{tab:ptfmea2}
\end{table}
%\paragraph{Proof of Double Faults Hypothesis}
\paragraph{ TC 7 : Voltages $R_1$ OPEN $R_2$ OPEN }
\label{Pt100:bothfloating}
This double fault mode produces an interesting symptom.
Both sense lines are floating.
We cannot know what the {\adctw} readings on them will be.
%
In practise these would probably float to low values
but for the purpose of a safety critical analysis,
all we can say is that the values are `floating' and `unknown'.
This is an interesting case, because it is, at this stage an undetectable---or unobservable---
fault. Unobservable faults are generally unacceptable in a safety critical environment~\cite{ACS:ACS1297,721666}.
%that must be handled.
\paragraph{ TC 8 : Voltages $R_1$ OPEN $R_2$ SHORT }
This cuts the supply from Vcc. Both sense lines will be at zero.
Thus both values will be out of range.
\paragraph{ TC 9 : Voltages $R_1$ OPEN $R_3$ OPEN }
Sense- will be floating.
Sense+ will be tied to Vcc and will thus be out of range.
\paragraph{ TC 10 : Voltages $R_1$ OPEN $R_3$ SHORT }
This shorts ground to
both of the sense lines.
Both values will be out of range.
\paragraph{ TC 11 : Voltages $R_1$ SHORT $R_2$ OPEN }
This shorts both sense lines to Vcc.
Both values will be out of range.
\paragraph{ TC 12 : Voltages $R_1$ SHORT $R_2$ SHORT }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 13 : Voltages $R_1$ SHORT $R_3$ OPEN }
This shorts the sense+ to Vcc and the sense- to ground.
Both values will be out of range.
\paragraph{ TC 14 : Voltages $R_1$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 15 : Voltages $R_2$ OPEN $R_3$ OPEN }
This shorts the sense+ to Vcc and causes sense- to float.
The sense+ value will be out of range.
\paragraph{ TC 16 : Voltages $R_2$ OPEN $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
\paragraph{ TC 17 : Voltages $R_2$ SHORT $R_3$ OPEN }
This shorts the sense- to Ground.
The sense- value will be out of range.
\paragraph{ TC 18 : Voltages $R_2$ SHORT $R_3$ SHORT }
This shorts the sense+ and sense- to Vcc.
Both values will be out of range.
%\clearpage
\ifthenelse{\boolean{pld}}
{
\subsection{Double Faults Represented on a PLD Diagram}
We can show the test cases on a diagram with the double faults residing on regions
corresponding to overlapping contours see figure \ref{fig:plddouble}.
Thus $TC\_18$ will be enclosed by the $R2\_SHORT$ contour and the $R3\_SHORT$ contour.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddouble.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddouble}
\end{figure}
We use equation \ref{eqn:correctedccps2} to verify complete coverage for
a given cardinality constraint is not visually obvious.
%
From the diagram it is easy to verify
the number of failure modes considered for each test case, but
not that all for a given cardinality constraint have been included.
}
{
}
\paragraph{Symptom Extraction}
We can now examine the results of the test case analysis and apply symptom abstraction.
In all the test case results we have at least one out of range value, except for
$TC\_7$
which has two unknown values/floating readings. We can collect all the faults, except $TC\_7$,
into the symptom $OUT\_OF\_RANGE$.
As a symptom $TC\_7$ could be described as $FLOATING$.
\ifthenelse{\boolean{pld}}
{
We can thus draw a PLD diagram representing the
failure modes of this functional~group, the Pt100 circuit from the perspective of double simultaneous failures,
in figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=450pt,bb=0 0 730 641,keepaspectratio=true]{./CH5_Examples/plddoublesymptom.png}
% plddouble.jpg: 730x641 pixel, 72dpi, 25.75x22.61 cm, bb=0 0 730 641
\caption{Pt100 Double Simultaneous Faults}
\label{fig:plddoublesymptom}
\end{figure}
} %% \ifthenelse {\boolean{pld}}
{
}
%\clearpage
\subsection{Derived Component : The Pt100 Circuit}
The Pt100 circuit again, can now be treated as a component in its own right, and has two failure modes,
{\textbf{OUT\_OF\_RANGE}} and {\textbf{FLOATING}}.
\ifthenelse{\boolean{pld}}
{
It can now be represented as a PLD see figure \ref{fig:Pt100_doublef}.
\begin{figure}[h]
\centering
\includegraphics[width=100pt,bb=0 0 167 194,keepaspectratio=true]{./CH5_Examples/Pt100_doublef.png}
% Pt100_singlef.jpg: 167x194 pixel, 72dpi, 5.89x6.84 cm, bb=0 0 167 194
\caption{Pt100 Circuit Failure Modes : From Double Faults Analysis}
\label{fig:Pt100_doublef}
\end{figure}
} % \ifthenelse {\boolean{pld}}
{
}
% The resistors R1, R2 form a summing junction
% to the negative input of IC1.
% Using the earlier definition for resistor failure modes,
% $fm(R)= \{OPEN, SHORT\}$, we analyse the summing junction
% in table~\ref{tbl:sumjunct} below.
%
% \begin{table}[h+]
% \caption{Summing Junction: Failure Mode Effects Analysis: Single Faults} % title of Table
% \label{tbl:sumjunct}
%
% \begin{tabular}{|| l | l | c | c | l ||} \hline
% \textbf{Failure Scenario} & & \textbf{Summing} & & \textbf{Symptom} \\
% & & \textbf{Junction} & & \\
% \hline
% FS1: R1 SHORT & & R1 input dominates & & $R1\_IN\_DOM$ \\ \hline
% FS2: R1 OPEN & & R2 input dominates & & $R2\_IN\_DOM$ \\ \hline
% FS3: R2 SHORT & & R2 input dominates & & $R2\_IN\_DOM$ \\ \hline
% FS4: R2 OPEN & & R1 input dominates & & $R1\_IN\_DOM$ \\ \hline
%
% \hline
%
% \end{tabular}
% \end{table}
% % PHS45
%
% This summing junction fails with two symptoms. We create a {\dc} called $SUMJUNCT$ and we can state,
% $$fm(SUMJUNCT) = \{ R1\_IN\_DOM, R2\_IN\_DOM \} $$.
%The D type flip flop
%\subsection{FMMD Process applied to $\Sigma \Delta $ADC}.
%T%he block diagram in figure~\ref{fig
Reference in New Issue View Git Blame Copy Permalink