Introduction
SWEN90010: HIGH INTEGRITY SYSTEMS ENGINEERING DEPARTMENT OF COMPUTING AND INFORMATION SYSTEMS THE UNIVERSITY OF MELBOURNE
Workshop 1
This workshop is about safety analysis. In particular we’ll be using HAZOPS (exploratory) to explore the design of a Brake-by-Wire braking system. There are two main brakes on a road vehicle:
The main service brake — This is the braking system that is typically operated by the foot pedal inside a car. It consists of the four rotors (or discs) in the wheels, calipers that slow or stop the vehicle by slowing or stopping the rotors, and a foot-operated hydraulic or electronically assisted actuation system for transferring the actions of the driver to the calipers.
The major function of the service brake is to control the speed of the vehicle and to bring it to a complete stop when necessary.
In emergencies the service brake must stop the vehicle in the shortest possible distance.
The park brake — This is the brake used for holding the car in position while parked or while momentarily stopped. In current vehicles the park brake is operated by a lever in the middle of the vehicle next to the driver’s position.
The park brake has a number of functions:
• to hold the vehicle in place when parked, including parking on slopes and inclines and on all types of surface, for example dry road surfaces, wet road surfaces, slippery road surfaces, rocky surfaces or sand;
• to act as an emergency service brake; and
• for emergency turns.
Consider the design of a by-wire park brake in which the lever is replaced by a button on the steering wheel and a computer-controlled system that detects wheel slip and locks the wheels in place or, if the vehicle is rolling, engages the engine to hold the vehicle in place.
The park brake works via a special motor that employs the rear calipers to clamp the rear wheels and so stop the vehicle from rolling. If the car is rolling the park brake ECU interacts with the motor — if the motor is switched on — and uses the motor to stop the roll and keep the car in position. When the car is switched off a rod is inserted via a small rear motor into the rear wheel rotors to stop them from moving. For a schematic see Figure 1.
The park brake ECU must therefore perform the following functions:
1. Detect if the car’s engine is switched on or not.
2. Engage the park brake when the button is pressed.
3. Detect if the car is rolling when the park brake is on and employ the engine to compensate if the engine is switched on.
Your tasks
1. Perform a hazard and operability study on the communications channels in the design. The HAZOP guidewords are shown in Table 1.
Figure 1: The design of the park brake system.

Guide Word      Meaning
NO or NONE      This is the complete negation of the design intention. No part of the intention is achieved and nothing else happens.
MORE            This is a quantitative increase.
LESS            This is a quantitative decrease.
AS WELL AS      All the design intention is achieved together with additions.
PART OF         Only some of the design intention is achieved.
REVERSE         The logical opposite of the intention is achieved.
OTHER THAN      Complete substitution, where no part of the original intention is achieved but something quite different happens.
EARLY           Something happens earlier than expected relative to clock time.
LATE            Something happens later than expected relative to clock time.
BEFORE          Something happens before it is expected, relating to order or sequence.
AFTER           Something happens after it is expected, relating to order or sequence.
Table 1: HAZOP guidewords
2. Perform a fault-tree analysis for the following hazard that can occur in a system for automatically administering insulin to a patient. The hazard to analyse is the case in which an incorrect dosage of insulin is delivered:
Incorrect insulin dosage can be caused in three broad ways: an incorrect measure of the sugar level, incorrect delivery of the dosage, or the dosage being delivered at the wrong time due to a timer failure. The sugar level is measured by a pair of sensors, and the resulting dosage is computed. The value from the first sensor is always used, unless no value is received from it (in which case it is assumed to have failed), and then the second sensor value is used. The system must compute the insulin dosage and send the correct computation to the pump, which delivers the dosage. Computation of the sugar level and insulin dosage can fail due to an incorrect algorithm or due to arithmetic errors in the hardware.
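As an added illustration (not part of the workshop handout), the fault tree that the description above implies can be written down and evaluated mechanically. The gate structure follows the text; the leaves "S2 faulty" and "pump mechanical fault" are assumptions introduced here to complete the sensor-fallback and delivery branches. The evaluator computes the minimal cut sets, which makes the single points of failure visible at a glance: a wrong (but present) reading from sensor 1 defeats the sensor redundancy, because sensor 2 is only consulted when sensor 1 returns nothing.

```python
"""Fault-tree model of the insulin-dosage hazard, with a minimal-cut-set
evaluator.  Gate structure follows the workshop text; 'S2 faulty' and
'pump mechanical fault' are leaves assumed here, not given in the text."""
from itertools import product

# A node is either a basic-event name (str) or a gate ("AND"|"OR", children).
def OR(*kids):  return ("OR", list(kids))
def AND(*kids): return ("AND", list(kids))

INCORRECT_DOSAGE = OR(
    # 1. Incorrect measure of the sugar level.  Sensor 1 is always used when it
    #    returns a value, so a wrong S1 reading is a single point of failure;
    #    sensor 2 only matters once S1 returns nothing.
    OR("S1 wrong value",
       AND("S1 no value", "S2 faulty")),        # "S2 faulty": assumed leaf
    # 2. Incorrect delivery of the dosage: bad computation or a pump fault.
    OR(OR("algorithm error", "hardware arithmetic error"),
       "pump mechanical fault"),                 # assumed leaf
    # 3. Dosage delivered at the wrong time.
    "timer failure",
)

def cut_sets(node):
    """All cut sets of `node`, as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, kids = node
    kid_sets = [cut_sets(k) for k in kids]
    if gate == "OR":                      # any one child failing suffices
        return set().union(*kid_sets)
    # AND: every child must fail, so combine one cut set from each child
    return {frozenset().union(*combo) for combo in product(*kid_sets)}

def minimal_cut_sets(node):
    """Keep only cut sets that contain no other cut set as a strict subset."""
    cs = cut_sets(node)
    return {c for c in cs if not any(o < c for o in cs)}

def top_event_occurs(node, failed):
    """Evaluate the tree for a given set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, kids = node
    results = [top_event_occurs(k, failed) for k in kids]
    return any(results) if gate == "OR" else all(results)

if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(INCORRECT_DOSAGE), key=sorted):
        print(sorted(cs))
```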