From 0167f23b0144d33a183d2d953c4fa9efd74f5c44 Mon Sep 17 00:00:00 2001 From: Robin Clark Date: Mon, 4 Oct 2010 19:01:04 +0100 Subject: [PATCH] . --- fmmd_concept/fmmd_concept.tex | 60 +++++++++++++++++++++++++++++------ 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/fmmd_concept/fmmd_concept.tex b/fmmd_concept/fmmd_concept.tex index 22197de..0f11f9e 100644 --- a/fmmd_concept/fmmd_concept.tex +++ b/fmmd_concept/fmmd_concept.tex @@ -6,8 +6,11 @@ { \abstract{ This paper proposes a methodology for creating failure mode models of safety critical systems, which -have a common and integrateable notation +has a common and integrateable notation for mechanical, electronic and software domains. +In addition, the methodology address the traditional weaknesses of +Fault Tree Analysis (FTA), Fault Mode Effects Analysis (FMEA) +and Failure Mode Effects and Diagnostic Analysis (FMEDA). The proposed methodology is bottom-up and modular.} } 
@@ -17,19 +20,21 @@ modular.} \section{Introduction} There are three methodologies in common use for failure mode modelling. -These are Fault Tree Analysis (FTA), various forms of Fault Mode Effects Analysis (FMEA) -and statistical analysis. +These are FTA, FMEA +and FMEDA (a form of statistical analysis). These methodologies have several draw backs. -FTA can overlook error conditions, and FMEA and the Statistical Methods +In short +FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods lack precision in predicting failure modes at the SYSTEM level. + The Failure Mode Modular De-composition (FMMD) methodology presented here provides a more detailed and analytical modelling system from which the data models from FTA, FMEA and the statistical approach can be -derived. -It also applies analysis stages to the failure mode analysis process +derived if required. +It also applies rigorous checking in the analysis stages ensuring that all component failure modes must be considered in the model. FMMD 
@@ -70,6 +75,18 @@ In summary. This, like all top~down methodologies introduces the very serious problem of missing component failure modes, or modelling at a too high level of failure mode abstraction. +FTA was invented for use on the minuteman nuclear defence missile +systems in the early 1960's and was not designed as a rigorous +fault/failure mode methodology. It is more like a structure to +be applied when discussing the safety of a system, with a top down hierarchical +notation, that guides the analysis. This methodology was designed for +experienced engineers sitting around a large diagram and discussing the safety aspects. +Also the nature of a large rocket with red wire, and remote detonation +failsafes meant that the objective was to iron out common failures +not to rigorously detect all possible failures. +Consequently it was not designed to guarantee to cover all component failure modes, +and has no rigorous in-built safeguards to ensure coverage of all possible +system level outcomes. \subsection { FMEA } 
@@ -81,28 +98,53 @@ This lacks precision, or in other words, determinability prediction accuracy, as often the component failure mode cannt be proven to cause a SYSTEM level failure, only to make it more likely. Also, it can miss combinations of failure modes that will cause SYSTEM level errors. -\subsection { Statistical Analyis } +\subsection { FMEDA or Statistical Analyis } +This is a process that takes all the components in a system, +and from the failure modes of those components +calculates a risk factor for each. +The risk factors of all the component failure modes are summed and +give a value for the `safety level' for the equipment in a given environment. + +%%-he FMEDA technique considers +%%-• All components of a design, +%%-• The functionality of each component, +%%-• The failure modes of each component, +%%-• The impact of each component failure mode on the product functionality, +%%-• The ability of any automatic diagnostics to detect the failure, +%%-• The design strength (de-rating, safety factors) and +%%-• The operational profile (environmental stress factors). + This uses MTFF and other statisical models to determine the probability of failures occurring. A component failure mode, given its MTTF the probability of detecting the fault and its safety relevant validation time $\tau$, contributes a simple risk factor that is summed in to give a final risk result. Thus a statistical model can be implemented on a spreadsheet, where each component -has a calculated risk, and estimated risk importance +has a calculated risk, a fault detection time (if any), an estimated risk importance +and other factors such as de-rating and environmental stress. +This can be calculated, with one component failure mode per row, on a spreadsheet and these are all summed to give the final assement figure. 
+\paragraph{Two statistical perspectives} The Statistical Analysis method is used from two perspectives, Probability of Failure on Demand (PFD), and Probability of Failure in continuous Operation, Failure in Time (FIT) and measured in failures per billion ($10^9$) hours of operation. For instance with the anti-lock system on a automobile braking system, we would be interested in PFD. For a continuously running nuclear powerstation -we would be interested in its FIT values. +we would be interested in its 24/7 operation FIT values. This suffers from the same problems of lack of determinability prediction accuracy, as FMEA above. +We have to decide how particular components failing will impact ot the SYSTEM or top level. +This involves a `leap of faith'. For instance a resistor failing in a sensor cirrcuit +may be part of a critical montioring function. But the analyst is put in a position +where he must assign a critical failure possibility to it. There is no analysis +of how that resistor would/could affect that circuit, but because of the circuitry +it is part of critical section it is linked to a critical system level fault. + By this we may have the MTTF of some critical component failure modes, but we can only guess, in most cases what the safety case outcome
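Review bot: In the abstract hunk, the added sentence "In addition, the methodology address the traditional weaknesses of" has a subject-verb disagreement; it should read "the methodology addresses". The corrected line "+has a common and integrateable notation" still carries the misspelling "integrateable" (should be "integrable"), and the three expansions introduced here are inconsistent with each other: FMEA is expanded as "Fault Mode Effects Analysis" while FMEDA is expanded as "Failure Mode Effects and Diagnostic Analysis". Pick one of "Fault"/"Failure" and use it for both, since the same expansions are reused in the introduction.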
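Review bot: In the introduction hunk, "+and FMEDA (a form of statistical analysis)." now conflicts with the later section heading "+\subsection { FMEDA or Statistical Analyis }", which treats the two as alternatives rather than one being a form of the other; settle on one relationship and use it in both places. The rewritten sentence "+FTA, due to its top down nature, can overlook error conditions. FMEA and the Statistical Methods" splits the old sentence into two but leaves "In short" dangling on its own line and capitalises "Statistical Methods" inconsistently with "statistical analysis" two lines above; suggest "In short, FTA, due to its top-down nature, can overlook error conditions, and FMEA and the statistical methods lack precision ...". Also "draw backs" in the unchanged context should be "drawbacks", and "+ensuring that all component failure modes must be considered" reads better as "ensuring that all component failure modes are considered". The lone "+" line before "The Failure Mode Modular De-composition" introduces an empty line; if a paragraph break is intended that is fine, otherwise drop it.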
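Review bot: The historical claim "+FTA was invented for use on the minuteman nuclear defence missile" and "+systems in the early 1960's and was not designed as a rigorous" is stated without a citation; add a \cite for the origin of FTA, capitalise "Minuteman", and write "1960s" rather than "1960's". The new paragraph is placed immediately after the unchanged line "failure mode abstraction." with no blank line, so LaTeX will run it into the preceding paragraph; insert an empty line before "+FTA was invented". The phrasing "+Also the nature of a large rocket with red wire, and remote detonation" and "+failsafes meant that the objective was to iron out common failures" is informal for a paper and "red wire" is not explained; suggest something like "the presence of remote-detonation failsafes meant the objective was to eliminate common failures rather than to rigorously identify all possible ones". Finally "+Consequently it was not designed to guarantee to cover all component failure modes," is awkward; "was not designed to guarantee coverage of all component failure modes" reads better.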
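Review bot: The renamed heading "+\subsection { FMEDA or Statistical Analyis }" carries over the typo "Analyis" from the old heading; fix it to "Analysis" while the line is being touched. The commented-out block beginning "+%%-he FMEDA technique considers" through "+%%-• The operational profile (environmental stress factors)." should either be removed or turned into a real \begin{itemize} list; as a comment it adds nothing to the paper, its first line is missing the leading "T", and the raw "•" characters may cause trouble if the file is ever processed without an input encoding set. The added sentence "+This can be calculated, with one component failure mode per row, on a spreadsheet" duplicates the preceding "Thus a statistical model can be implemented on a spreadsheet" from the unchanged context; merge the two. In the new "leap of faith" paragraph there are several spelling errors ("+may be part of a critical montioring function", "a sensor cirrcuit", "impact ot the SYSTEM") and the sentence "+it is part of critical section it is linked to a critical system level fault." is missing an article and a conjunction; suggest "but because it is part of a critical section of the circuitry, it is linked to a critical system-level fault". Consider "the analyst" rather than "he", and "continuous operation FIT values" rather than the informal "24/7 operation FIT values". The unchanged context also has "MTFF" where the rest of the section uses "MTTF", plus "statisical" and "assement", which are worth correcting in the same change.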