diff --git a/fmmd_concept/System_safety_2011/submission.tex b/fmmd_concept/System_safety_2011/submission.tex index 9fa595e..b3026f9 100644 --- a/fmmd_concept/System_safety_2011/submission.tex +++ b/fmmd_concept/System_safety_2011/submission.tex @@ -91,10 +91,12 @@ behaviour of a non inverting op-amp. \paragraph{Current methodologies} We briefly analyse the four current methodologies. +Comprehensive overviews of these methodologies maybe found +in ~\cite{safeware,sccs}. \paragraph{Fault Tree Analysis (FTA)} -FTA is a top down methodology in which a hierarchical diagram is drawn for +FTA~\cite{nucfta,nasafta} is a top down methodology in which a hierarchical diagram is drawn for each undesirable top level failure, presenting the conditions that must arise to cause the event. % @@ -113,9 +115,11 @@ support for environmental and operational states. \paragraph{Fault Mode Effects Analysis FMEA)} is used principally in manufacturing. -Each top level failure is assessed by its cost to repair and its frequency,%, using a +It is bottom up and starts with component failure modes, which +lead to top level failure/events. +Each top level failure is assessed by its cost to repair and its estimated frequency.%, using a %failure mode ratio. -A list of failures and their cost is then calculated. +A list of failures according to their cost to repair~\cite{bfmea}, or effect on system reliability is then calculated. It is easy to identify single component failure to system failure scenarios and an estimate of product reliability can be calculated. % 
@@ -126,24 +130,11 @@ or operational states in sub-systems or components. It cannot model self-checking safety elements or other in-built safety features or analyse how particular components may fail. -\subsection{Fault Mode Effects Analysis FMEA)} -FMEA is used principally in manufacturing. -Each defect is assessed by its cost to repair and its frequency. %, using a -%failure mode ratio. -A list of failures and their cost is generated. -It is easy to identify single component failure to system failure scenarios, -and an estimate of product reliability can be calculated. It cannot focus on -component interactions that cause system failure modes or determine potential -problems from simultaneous failure modes. It does not consider environmental -or operational states in sub-systems or components. It cannot model -self-checking safety elements or other in-built safety features or -analyse how particular components may fail. - \paragraph{Failure Mode Criticality Analysis (FMECA)} is a refinement of FMEA, using -two extra variables: the probability of a component failure mode occurring -and the probability that this will cause a top level failure, and the perceived -criticallity. It gives better estimations of product reliability/safety and the +three extra variables: the probability of a component failure mode occurring, +the probability that this will cause a given top level failure, and the perceived +critically. It gives better estimations of product reliability/safety and the occurrence of particular system failure modes than FMEA but has similar deficiencies. 
@@ -157,7 +148,7 @@ for environmental and operational states in sub-systems or components, via self checking statistical mitigation. FMEDA is the methodology associated with the safety integrity standards IOC5108 and EN61508~\cite{en61508}. -\subsection{Summary of Defeciencies in Current Methods} +\subsection{Summary of Deficiencies in Current Methods} \paragraph{Top Down approach: FTA} The top down technique FTA, introduces the possibility of missing base component level failure modes~\cite{faa}[Ch.9]. Since one FTA tree is drawn for each top level @@ -226,7 +217,7 @@ a {\bcfm} and not investigate other possibilities. %\section{Requirements for a new static failure mode Analysis methodology} -\section{Desireable Criteria for a failure mode methodology}. +\section{Desireable Criteria for a failure mode methodology.} From the deficiencies outlined above, ideally we can form a set of desirable criteria for a better methodology. { \small \begin{enumerate} @@ -397,6 +388,8 @@ Alternatively they could be self~checking sub-systems that are either in a norma Operational states are conditions that apply to some functional groups, not individual components. +\section{Worked Example: Non-Inverting Operational Amplifier} + A standard non inverting op amp (from ``The Art of Electronics'' ~\cite{aoe}[pp.234]) is shown in figure \ref{fig:noninvamp}. @@ -454,7 +447,7 @@ Thus $R1$ has failure modes $\{R1\_OPEN, R1\_SHORT\}$ and $R2$ has failure modes %\clearpage -\section{Failure Mode Analysis of the Potential Divider} +\paragraph{Failure Mode Analysis of the Potential Divider} \ifthenelse {\boolean{pld}} { 
@@ -703,13 +696,12 @@ as a building block for other {\fgs} in the same way as we used the resistors $R %\clearpage -\section{Failure Mode Analysis of the OP-AMP} +\paragraph{Failure Mode Analysis of the OP-AMP} Let use now consider the op-amp. According to FMD-91~\cite{fmd91}[3-116] an op amp may have the following failure modes: latchup(12.5\%), latchdown(6\%), nooperation(31.3\%), lowslewrate(50\%). - - +\nocite{mil1991} \ifthenelse {\boolean{pld}} { @@ -762,11 +754,10 @@ We can represent these failure modes on a DAG (see figure~\ref{fig:op1dag}). %\clearpage -\section{Bringing the OP amp and the potential divider together} - -We can now consider bringing the OP amp and the potential divider together to -model the non inverting amplifier. We have the failure modes of the functional group for the potential divider, -so we do not need to consider the individual resistor failure modes that define its behaviour. +\paragraph{Modelling the OP amp with the potential divider.} +We can now consider bringing the OP amp and the potential divider components to +form a {\fg} to represent the non inverting amplifier. We have the failure modes of the {\fg} for the potential divider, +so we do not need to go back and consider the individual resistor failure modes that define its behaviour. \ifthenelse {\boolean{pld}} { We can make a new functional group to represent the amplifier, by bringing the component \textbf{opamp} @@ -799,7 +790,7 @@ regions) see figure~\ref{fig:fgampa}. \ifthenelse {\boolean{dag}} { -We can now crate a {\fg} for the non-inverting amplifier +We can now create a {\fg} for the non-inverting amplifier by bringing together the failure modes from \textbf{opamp} and \textbf{PD}. Each of these failure modes will be given a test case for analysis, and this is represented in table \ref{ampfmea}. 
@@ -927,7 +918,7 @@ We can now derive a `component' to represent this amplifier configuration (see f %failure mode contours). %\clearpage %\clearpage -\section{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)} +\paragraph{Failure Modes from non inverting amplifier as a Directed Acyclic Graph (DAG)} \ifthenelse {\boolean{pld}} { We can now represent the FMMD analysis as a directed graph, see figure \ref{fig:noninvdag1}. @@ -1070,6 +1061,13 @@ to assist in building models for FTA, FMEA, FMECA and FMEDA failure mode analysi \label{fig:noninvdag1} \end{figure} +\paragraph{Worked example. Effect on State explosion.} +The potential divider {\dc} reduced the number of failures to consider from four to two. +The op-amp and potential divider modelled together, reduced the number of +failure symptoms from eight to three. Because symptoms are collected, we can state +the the number of failure symptoms for a {\fg} will be less then or equal to the number +of component failues. In practise the number of symptoms is usually around half the +number of component failure modes. 
@@ -1162,23 +1160,30 @@ It can therefore be used to analyse systems comprised of electrical, mechanical and software elements in one integrated model. -{ \small +{ %\tiny \begin{table}[ht] \caption{Features of static Failure Mode analysis methodologies} % title of Table -\centering % used for centering table +%\centering % used for centering table \begin{tabular}{||l|c|c|c|c|c||} \hline \hline - \textbf{Desirable} & \textbf{FTA} & \textbf{FMEA} & \textbf{FMECA} & \textbf{FDEMA} & \textbf{FMMD} \\ - \textbf{Criteria} & \textbf{} & \textbf{} & \textbf{} & \textbf{} & \textbf{} \\ +% \textbf{Des.} & \textbf{FTA} & \textbf{FMEA} & \textbf{FMECA} & \textbf{FDEMA} & \textbf{FMMD} \\ +\textbf{\tiny Des.} & \textbf{\tiny FTA} & \textbf{\tiny FMEA} & \textbf{\tiny FMECA} & \textbf{\tiny FDEMA} & \textbf{\tiny FMMD} \\ + \textbf{\tiny Crit.} & \textbf{} & \textbf{} & \textbf{} & \textbf{} & \textbf{} \\ % R & wire & res + & res - & description \hline \hline - C1: state exp & partial & & & & $\tickYES$ \\ \hline - C2: $\forall$ failures & &$\tickYES$ & $\tickYES$ & $\tickYES$ & $\tickYES$ \\ \hline - C3: mech,elec,s/w & $\tickYES$ & & & & $\tickYES$ \\ \hline - C4: modular & & & & partial & $\tickYES$ \\ \hline - C5: formal & partial & partial & partial & partial & $\tickYES$ \\ \hline - C6: multiple fm & $\tickYES$ & & & partial & $\tickYES$ \\ \hline + C1: % state exp + & partial & & & & $\tickYES$ \\ \hline + C2: % $\forall$ failures + & &$\tickYES$ & $\tickYES$ & $\tickYES$ & $\tickYES$ \\ \hline + C3: %mech,elec,s/w & $\tickYES$ + & & & & & $\tickYES$ \\ \hline + C4: %modular + & & & & partial & $\tickYES$ \\ \hline + C5: %formal + & partial & partial & partial & partial & $\tickYES$ \\ \hline + C6: %multiple fm + & $\tickYES$ & & & partial & $\tickYES$ \\ \hline \hline \hline \end{tabular}
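Review bot: in the @@ -91 hunk the added sentence has "maybe found", which should be "may be found", and the tie is placed after a space (`in ~\cite{safeware,sccs}`), so it no longer stops a line break before the citation; suggest `in~\cite{safeware,sccs}.`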
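Review bot: in the @@ -113 hunk the rewritten line `Each top level failure is assessed by its cost to repair and its estimated frequency.%, using a` still drags along the stale commented-out fragment and the following `%failure mode ratio.` line; either reinstate the failure-mode-ratio wording or drop both remnants. In the same hunk the comma in `according to their cost to repair~\cite{bfmea}, or effect on system reliability is then calculated` splits the subject from its verb; move the comma or drop it. The heading in the context, `\paragraph{Fault Mode Effects Analysis FMEA)}`, is also missing its opening parenthesis.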
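Review bot: the @@ -126 hunk replaces "criticallity" with "critically", which turns the noun into an adverb instead of fixing the spelling; the word wanted is "criticality", i.e. `and the perceived criticality`. Deleting the duplicated FMEA `\subsection` here is right, since that text now lives under the `\paragraph` in the earlier hunk.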
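Review bot: the @@ -226 hunk only moves a stray full stop inside the braces; a `\section` title should not end with a period, and "Desireable" is misspelled. Suggest `\section{Desirable Criteria for a failure mode methodology}`. (The trailing period in `\paragraph{Modelling the OP amp with the potential divider.}` in the @@ -762 hunk is fine, because `\paragraph` headings are run-in.)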
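Review bot: the @@ -703 hunk adds `\nocite{mil1991}` with no surrounding explanation; if the MIL handbook is the source behind the FMD-91 percentages quoted just above, cite it in the text instead of forcing it into the bibliography silently. The unchanged context line `Let use now consider the op-amp.` should read "Let us now consider". Demoting these headings from `\section` to `\paragraph` (here and in the @@ -454, @@ -762 and @@ -927 hunks) is consistent with the new `\section{Worked Example: ...}` introduced in the @@ -397 hunk.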
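Review bot: the new paragraph in the @@ -1070 hunk needs a proofread before merging: "the the number", "less then or equal" (less than), "component failues" (failures) and "In practise" (the noun is "practice"). The sentence "In practise the number of symptoms is usually around half the number of component failure modes" is an empirical claim with no reference; either cite the data it rests on or qualify it as an observation from the examples in this paper.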
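Review bot: the @@ -1162 hunk silently changes the table's content. In the C3 row the FTA tick has been swallowed by the comment: `C3: %mech,elec,s/w & $\tickYES$` followed by `& & & & & $\tickYES$` yields five ampersands, so the FTA column is now blank where the old line `C3: mech,elec,s/w & $\tickYES$ & & & & $\tickYES$` had a tick. Move the `& $\tickYES$` before the `%`. Replacing `{ \small` with `{ %\tiny` leaves the group with no size command, so only the header cells (each wrapped in `\textbf{\tiny ...}`) shrink while the body rows stay at normal size; put a single `\tiny` (or `\small`) at the start of the group instead. With the row descriptions commented out the rows read only "C1:" to "C6:", which is unreadable unless the criteria `\begin{enumerate}` in the @@ -226 hunk is labelled C1 to C6; confirm that, or keep the short descriptions. Also "FDEMA" in the header should be "FMEDA" to match the text, and `%\centering` leaves the table uncentered.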