Finished implementing Andrew's comments.

This commit is contained in:
Robin Clark 2010-12-06 18:38:59 +00:00
parent 14a3dc4c34
commit 2dba32c6df


@ -480,12 +480,12 @@ $\Sigma\lambda_D$ the total number of dangerous base component failure modes.
$$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$ $$ DiagnosticCoverage = \Sigma\lambda_{DD} / \Sigma\lambda_D $$
The diagnostic coverage for safe failures, where $\Sigma\lambda_SD$ represents the percentage of The diagnostic coverage for safe failures, where $\Sigma\lambda_{SD}$ represents the percentage of
safe detected base component failure modes, safe detected base component failure modes,
and $\Sigma\lambda_S$ the total number of safe base component failure modes, and $\Sigma\lambda_S$ the total number of safe base component failure modes,
is given as is given as
$$ SF = \frac{\Sigma\lambda_SD}{\Sigma\lambda_S} $$ $$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$
\paragraph{Safe Failure Fraction.} \paragraph{Safe Failure Fraction.}
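Review bot: the `\paragraph{Safe Failure Fraction.}` heading at the end of this hunk comes after the `$$ SF = \frac{\Sigma\lambda_{SD}}{\Sigma\lambda_S} $$` equation that defines SF, so the definition precedes its own heading; move the heading up to before "The diagnostic coverage for safe failures, where ...". The same sentence describes $\Sigma\lambda_{SD}$ as "the percentage of safe detected base component failure modes" while $\Sigma\lambda_S$ is "the total number of safe base component failure modes"; dividing a percentage by a count is not what the formula computes, so make both a count (or both a summed failure rate, which is what the $\Sigma\lambda$ notation suggests). The two displayed formulas also use different notations for division (`/` for DiagnosticCoverage, `\frac` for SF); pick one.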
@ -700,11 +700,15 @@ at the much higher SYSTEM level' criticism of the FTA, FMEDA and FMECA methodolo
%%% %%%
%%% OK Got up to here Lunchtime edit 06DEC2010............. %%% OK Got up to here Lunchtime edit 06DEC2010.............
\paragraph{Design Decision: Methodology must reduce and collate errors at each functional group stage.} \paragraph{Design Decision: Methodology must collate errors at each functional group stage.}
SYSTEMS typically have far fewer failure modes than the sum of their component failure modes. SYSTEMS typically have far fewer failure modes than the sum of their base component failure modes.
SYSTEM level failures may be caused by a variety of component failure modes. SYSTEM level failures may be caused by a variety of component failure modes.
A SYSTEM level failure mode is an abstracted failure mode, in that A SYSTEM level failure mode is an abstracted failure mode, in that
it is a symptom of some lower level failure or failures. it is a symptom of some lower level failure or failures.
Tracing the SYSTEM level failure or symptom, down through
a decomposed system, will give a fault tree. This will typically
trace the SYSTEM level failure mode to some individual base compoenent failures
or combinations thereof.
% ABSTRACTION % ABSTRACTION
For instance a failed resistor in a sensor at a base component level is a specific For instance a failed resistor in a sensor at a base component level is a specific
failure mode. failure mode.
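Review bot: the added sentence has a typo, "base compoenent failures" should read "base component failures". The commented editing marker `%%% OK Got up to here Lunchtime edit 06DEC2010.............` is still in the source and should be removed before the chapter is circulated. The paragraph title now only says the methodology must "collate" errors, but the text just below the next hunk ("This must be a process that incrementally reduces the number of failure modes as the abstraction level reaches the SYSTEM level") still relies on the reduction claim, so the retitling leaves the design decision narrower than its justification.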
@ -712,12 +716,12 @@ failure mode.
For example it could be called `RESISTOR 1 OPEN'. For example it could be called `RESISTOR 1 OPEN'.
% %
Now consider the symptom in a functional group comprising the sensor channel that Now consider the symptom in a functional group comprising the sensor channel that
RESISTOR 1 is part of of `RESISTOR 1 OPEN'. RESISTOR 1 is part of `RESISTOR 1 OPEN'.
% %
We might call it `READING~HIGH' failure perhaps. We might call it `READING~HIGH' failure perhaps.
The Fault has become less detailed and more general. There may be other The Fault has become less detailed and more general. There may be other
causes for a `READING~HIGH'. We can say that the failure causes for a `READING~HIGH'. We can say that the failure
mode `READING~HIGH' is more abstract in terms of the STSEM, than `RESISTOR 1 OPEN'. mode `READING~HIGH' is more abstract in terms of the SYSTEM, than `RESISTOR 1 OPEN'.
% %
At a higher level still At a higher level still
this may be called `SENSOR CHANNEL 1' fault. this may be called `SENSOR CHANNEL 1' fault.
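Review bot: with the duplicated "of" removed, the sentence "Now consider the symptom in a functional group comprising the sensor channel that RESISTOR 1 is part of `RESISTOR 1 OPEN'." still reads as though `RESISTOR 1 OPEN' is the thing the resistor is part of; reorder to "Now consider the symptom of `RESISTOR 1 OPEN' in the functional group comprising the sensor channel that RESISTOR 1 is part of." In the next line, "We might call it `READING~HIGH' failure perhaps." has a stray "perhaps" and is missing an article ("a `READING~HIGH' failure"), and "The Fault" two lines later should be lower-case "fault".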
@ -731,8 +735,9 @@ This must be a process that incrementally reduces the number
of failure modes as the abstraction level reaches the SYSTEM level. of failure modes as the abstraction level reaches the SYSTEM level.
\paragraph{How to build a meaningful SYSTEM failure behaviour model.} \paragraph{How to build a meaningful SYSTEM failure behaviour model.}
The next problem is how to we build a failure mode model The next problem is how we build a failure mode model
that converges to a finite set of SYSTEM level failure modes. that converges from a multitude of base
component failures to a finite set of SYSTEM level failure modes.
% %
It would be better to analyse the failure mode behaviour of each It would be better to analyse the failure mode behaviour of each
functional group, and determine the ways in which it, rather than its functional group, and determine the ways in which it, rather than its
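Review bot: "converges from a multitude of base component failures to a finite set of SYSTEM level failure modes" makes "finite" the distinguishing property, but the set of base component failure modes is itself finite; the claim the surrounding text actually makes (see "incrementally reduces the number of failure modes" at the top of this hunk) is that the SYSTEM level set is much smaller, so say "a small set" or "a much smaller set".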
@ -745,7 +750,7 @@ are extracted.
The number of symptoms will be less than or equal to the number The number of symptoms will be less than or equal to the number
component failure modes, and in practise will be much less. component failure modes, and in practise will be much less.
% %
The symptoms thus become the objects used to reduce the number Thus stage by stage symptom collection becomes the key to reducing the number
of failure modes to handle as we traverse up the hierarchy. of failure modes to handle as we traverse up the hierarchy.
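Review bot: "the number component failure modes" is missing "of" ("the number of component failure modes"), and "in practise" should be the noun "in practice". The rewritten sentence "Thus stage by stage symptom collection becomes the key ..." needs hyphens ("stage-by-stage symptom collection") and a comma after "Thus".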
@ -777,7 +782,15 @@ We can take small {\fg}s of components, where the {\fg}
is a small set of components that perform a simple is a small set of components that perform a simple
task. task.
% %
This should be small enough to be able to consider all the failure %The functional group should perform a clearly defined task.
The design engineer must chose the components that for a {\fg}.
It should be possible to consider the {\fg} as a a component or
black box, performing a given function.
The {\fg} should be chosen as to be as small
(in terms of the number of components) as possible.
%
This should be small enough to be able %Another advantage of the functional group being small
to comfortably analyse all the failure
modes of its components. modes of its components.
% %
We can consider these failure modes from the perspective We can consider these failure modes from the perspective
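Review bot: the added line "The design engineer must chose the components that for a {\fg}." has two errors, "chose" should be "choose" and "that for" should be "that form"; "as a a component" duplicates "a", and "should be chosen as to be as small" should be "so as to be as small". The commented-out fragment `%Another advantage of the functional group being small` has been appended to the end of the line "This should be small enough to be able" rather than placed on its own line, which is easy to lose in later edits; put it on a separate `%` line or delete it.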
@ -799,46 +812,70 @@ as its failure modes.
This {\dc} can be used to build higher level This {\dc} can be used to build higher level
{\fg}s, and this will naturally form a hierarchy. {\fg}s, and this will naturally form a hierarchy.
This hierarchy can be extended until it encompasses This hierarchy can be extended until it encompasses
an entire system. It can be considered complete when an entire system.
all failure modes from all components are handled %
and connectable to a SYSTEM level failure mode. It can be considered complete when
all failure modes from all components are included in the model
and all base component failure modes can be traced
through the fault tree to SYSTEM level failure modes.
\paragraph{Directed Acyclic Graph (DAG).} \paragraph{Directed Acyclic Graph (DAG).}
The data structure produced from collecting functional groups If we ensure that
and deriving components will naturally form a DAG.
To ensure this we will have to ensure that
derived components cannot be included in {\fg}s derived components cannot be included in {\fg}s
of a lower abstraction level. of a lower abstraction level
the data structure produced from collecting functional groups
and deriving components will naturally form a DAG.
In other words we can say that we cannot allow a {\fg}
to include any component created from it.
% %
% %
By representing the failure mode model as a DAG, we By representing the failure mode model as a DAG, we
now have the capability to take SYSTEM level failure modes now have the capability to take SYSTEM level failure modes
and determine the possible combinations of component failure modes that and determine the possible combinations of component failure modes that
could have caused it. could have caused it.
In FTA terminology, a list of possible This will allow us to define fault trees for each SYSTEM level failure.
causes for a SYSTEM level failure is known as a minimal cut set \cite{nasafta}. This will mean that we be able to determine which
% combinations of base component failures could cause the SYSTEM
% failure.
%In FTA terminology, a list of possible
%causes for a SYSTEM level failure is known as a `cut set' \cite{nasafta}\cite{nucfta}.
If statistical models exist for the component failure modes If statistical models exist for the component failure modes
these failure causation trees (or minimal cut sets \cite{nucfta}) these failure causation trees (or minimal cut sets
can be used to calculate Mean Time to Failure (MTTF) or Probability of Failure on demand (PFD) figures. \footnote{In FTA terminology a minimal cut set is the branch of a
fault tree, from the top SYSTEM level to the bottom, with the least number
of base component failure modes. If a single base component failure mode can cause
a SYSTEM level error this is usually considered a liability.})
can be used to calculate Mean Time to Failure (MTTF) or
Probability of Failure on demand (PFD) figures.
Contrast the analytical capability of FMMD with the Contrast the analytical capability of FMMD with the
methodologies where the component failure modes are linked methodologies where the component failure modes are linked
directly to SYSTEM failure modes with no analysis stages in between. directly to SYSTEM failure modes with no analysis stages in between.
\paragraph{Design Decision: A functional group cannot contain {\dc}s at a higher abstraction level than its self} \paragraph{Design Decision: A functional group cannot
contain {\dc}s at a higher abstraction level than itself}
We can say that no component may be derived from itself directly
or indirectly.
We can track the `abstraction level' by increasing it each time
there is a phase of symptom collection.
We can use the symbol $alpha$ to represent the abstraction level
and make it an attribute of a component.
Base components will have an $\alpha$ level of zero.
A derived component when created must always be greater than any
of the components included in the {\fg} it was derived from.
We can implement this rule in two ways, firstly, by saying that any functional group
will take the `abstraction level + 1' of all components it includes.
Secondly we can say that no component may be derived from itself.
\paragraph{Natural Reduction in number of failure modes with abstraction level} \paragraph{Natural Reduction in number of failure modes with abstraction level}
% %
Because common symptoms are being collected, as we build the tree up-ward Because common symptoms are being collected, as we build the tree upward
the number of failure modes decreases (or exceptionally stays the same) at each level. the number of failure modes decreases (or exceptionally stays the same)
% at each level.\footnote{In very unusual cases where the none
failure modes of a {\fg} can be collected into symptoms,
the number of failure modes from its components would be the
same as the number of failure modes in the component derived from it.}
This decreasing of the number of failure modes is borne out {\irl}. This decreasing of the number of failure modes is borne out {\irl}.
Of the thousands of component failure modes in a typical product Of the thousands of component failure modes in a typical product
there are generally only a handful of SYSTEM level failure modes there are generally only a handful of SYSTEM level failure modes
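Review bot: the rule "any functional group will take the `abstraction level + 1' of all components it includes" is ambiguous when the included components have different $\alpha$ levels, which the surrounding text allows (a {\fg} may mix base components at level zero with derived components); the requirement stated just above, that a derived component "must always be greater than any of the components included in the {\fg}", is met by taking the maximum $\alpha$ of the included components and adding one, so state it that way. The same paragraph writes `$alpha$` without the backslash, which will typeset as the word "alpha" in italics rather than the symbol used two lines later (`$\alpha$`), and "A derived component when created must always be greater than any of the components" omits what is being compared (its $\alpha$ level). The new footnote defining a minimal cut set is not the FTA definition: a minimal cut set is a smallest set of basic events (here base component failure modes) whose simultaneous occurrence causes the top event, and a top event generally has many of them, not one branch "with the least number of base component failure modes"; since the `\cite{nasafta}` and `\cite{nucfta}` references are now commented out, the definition is also left without a source. Smaller points: "If we ensure that derived components cannot be included in {\fg}s of a lower abstraction level the data structure ..." needs a comma after "level"; in the footnote under "Natural Reduction", "where the none failure modes of a {\fg} can be collected" should read "where none of the failure modes".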
@ -858,14 +895,15 @@ Functional groups are collections of components
that work together to perform a simple function. that work together to perform a simple function.
% %
We can perform a failure mode effects analysis on each of the component failure We can perform a failure mode effects analysis on each of the component failure
modes within a {\fg}. Because we can implemnent the process in software we can thus ensure that all component failure modes modes within a {\fg}. Because we can implemnent the process in software we can
are covered. thus ensure that all component failure modes
are included in the model.
% %
We can then treat the {\fg} as a `black box' or component in its own right. We can then treat the {\fg} as a `black box' or component in its own right.
We can now look at how the {\fg} can fail. We can now look at how the {\fg} can fail.
% %
Many of the component failure modes will Many of the component failure modes will
cause the same failure symptoms in the {\fg} failure behaviour. cause the same failure symptoms in the {\fg}.
We can collect these failures as common symptoms. We can collect these failures as common symptoms.
% %
When we have our set of symptoms, we can now create When we have our set of symptoms, we can now create
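Review bot: "implemnent" is misspelt in both the old and the new version of the line ("implement"). The reasoning "Because we can implement the process in software we can thus ensure that all component failure modes are included in the model" skips the step that does the work: a software implementation only guarantees coverage if it checks that every failure mode of every component in the {\fg} has been assigned to a symptom; say that explicitly here (the Advantages list later in this commit makes the same point about searching the data model for unhandled failure modes).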
@ -875,9 +913,7 @@ modes, the collected symptoms of the {\fg}.
Because we can now have {\dcs} we can use these to form Because we can now have {\dcs} we can use these to form
new {\fg}s and we can build a hierarchical `failure~mode' model of the SYSTEM. new {\fg}s and we can build a hierarchical `failure~mode' model of the SYSTEM.
The diagram in figure \ref{fig:fmmd_hierachy}, shows one stage
of the FMMD process. The resultant {\dc} may be used to
create higher level {\fg}s in later stages.
%%- Need diagram of hierarchy %%- Need diagram of hierarchy
%%- %%-
%%- %%-
@ -889,6 +925,18 @@ create higher level {\fg}s in later stages.
\label{fig:fmmd_hierarchy} \label{fig:fmmd_hierarchy}
\end{figure} \end{figure}
A {\fg} is a set components (each with a set of of failure modes)
that collectively group together to serve some purpose (to perform some function),
and derived components are determined
from analysis and symtom collection
of the {\fg}.
The {\dc} is equipped with a new set of failure modes
corresponding to the symptoms from the {\fg}.
The diagram in figure \ref{fig:fmmd_hierarchy}, shows one stage
of the FMMD process. The resultant {\dc} may be used to
create higher level {\fg}s in later stages.
% \begin{figure}[h] % \begin{figure}[h]
% \centering % \centering
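Review bot: the added paragraph has "A {\fg} is a set components (each with a set of of failure modes)", which should be "a set of components (each with a set of failure modes)", and "symtom collection" should be "symptom collection". The moved paragraph now references `fig:fmmd_hierarchy`, matching the `\label{fig:fmmd_hierarchy}` above it, whereas the old location used `fig:fmmd_hierachy`; the move therefore also fixes a dangling cross-reference, which is worth noting in the commit message.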
@ -916,13 +964,15 @@ This is represented in UML in figure \ref{fig:componentconcept}.
\subsection{Environmental Conditions, Operational States and FMMD} \subsection{Environmental Conditions, Operational States and FMMD}
Any real world sub-system will exist in a variable environment and may have several modes of operation. Any real world sub-system will exist in a variable environment
In order to find all possible failures, the sub-system must be analysed for each operational state and may have several modes of operation.
In order to find all possible failures, the sub-system
must be analysed for each operational state
and environment condition that can affect it. and environment condition that can affect it.
% %
Two design decisions are required here, which objects should we Two design decisions are required here: which objects should we
analyse the environment and operational states with respect to. analyse the environment and the operational states with respect to.
we have three objects in our model that these considerations could be applied to. There are three objects in our model that these considerations could be applied to.
We could apply these conditions for analysis We could apply these conditions for analysis
to the functional group, the components, or the derived to the functional group, the components, or the derived
component. component.
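Review bot: "Two design decisions are required here: which objects should we analyse the environment and the operational states with respect to." is phrased as a question but ends with a full stop, and the two decisions are only implicit (one for environmental conditions, one for operational states); stating them as two separate sentences would make the following "There are three objects in our model that these considerations could be applied to" easier to follow.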
@ -937,10 +987,10 @@ Environmental conditions may affect different components in a {\fg}
in different ways. in different ways.
For instance a system may be specified for For instance a system may be specified for
$0\oc$ to {85\oc} operation, but some components $0\oc$ to $85\oc$ operation, but some components
may show failure behaviour between $60\oc$ and $85\oc$ may show failure behaviour between $60\oc$ and $85\oc$
\footnote{Opto-islolators typically show marked performace decrease after \footnote{Opto-islolators typically show marked performance decrease after
60oC \cite{tlp181}, whereas another common component, the resistor will be unaffected.}. 60oC \cite{tlp181}, whereas another common component, say a resistor, will be unaffected.}.
Other components may operate comfortably within that whole temperature range specified. Other components may operate comfortably within that whole temperature range specified.
Environmental conditions will have an effect on the {\fg} and the {\dc} Environmental conditions will have an effect on the {\fg} and the {\dc}
but they will have specific effects on individual components. but they will have specific effects on individual components.
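Review bot: "Opto-islolators" in the footnote is still misspelt ("Opto-isolators"), and "60oC" in the same footnote should use the `\oc` macro (`$60\oc$`), as the body text now does consistently after this change.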
@ -962,15 +1012,16 @@ normal operation, graceful degradation or lockout.
Or they could be self~checking sub-systems that are either in a normal or self~check state. Or they could be self~checking sub-systems that are either in a normal or self~check state.
Operational states are conditions that apply to a functional group, not individual components. Operational states are conditions that apply to a functional group, not individual components.
%% Andrew says that that does no make sense But I think it does
\paragraph{Design Decision.} \paragraph{Design Decision.}
Operational state will be applied to {\fg}s. Operational state will be applied to {\fg}s.
\paragraph{UML Model of FMMD Analysis} \paragraph{UML Model of FMMD Analysis}
Draw a UML model showing the components and the functional group The UML diagram in figure \ref{fig:env_op_uml}, shows the data
with the ENV and OP\_STAT classes associated with them relationships between {\fgs} and operational states, and component
failure modes and environmental factors.
\begin{figure}[h] \begin{figure}[h]
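Review bot: the comment `%% Andrew says that that does no make sense But I think it does` is a reviewer exchange left in the source (with "that that" and "does no"); either resolve the disagreement in the text, for instance by adding one sentence of justification for why operational states belong to the {\fg} rather than to individual components (the self-check and lockout states mentioned above this hunk are states of the whole sub-system, not of one component), or move the discussion out of the .tex file. In the UML paragraph the comma in "figure \ref{fig:env_op_uml}, shows" should be removed.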
@ -1008,20 +1059,21 @@ or even in other projects where the same {\dc} is used.
\subsubsection{ It should have a formal basis, that is to say, it should be able to produce mathematical proofs \subsubsection{ It should have a formal basis, data should be available to produce mathematical proofs
for its results} for its results}
Because the failure mode of a SYSTEM is a hierarchy of {\fg}s and derived components Because the failure mode of a SYSTEM is a hierarchy of {\fg}s and derived components
SYSTEM level failure modes are traceable back down the tree to SYSTEM level failure modes are traceable back down the fault tree to
component level failure modes. This provides causation trees \cite{sccs} or, minimal cut sets component level failure modes. This provides causation trees \cite{sccs} or, minimal cut sets
\footnote{Here minimal cut sets represent combinations of component failure modes that can result in s SYSTEM level failure.}
for all SYSTEM failure modes. for all SYSTEM failure modes.
\subsubsection{ It should be capable of producing reliability and danger evaluation statistics.} \subsubsection{ It should be capable of producing reliability and danger evaluation statistics.}
The minimal cuts sets for the SYSTEM level failures can have computed MTTF The minimal cuts sets for the SYSTEM level failures can have computed MTTF
and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}. and danger evaluation statistics sourced from the component failure mode statistics \cite {mil1991}.
\subsubsection{ It should be easy to use, ideally using a graphical syntax (as oppossed to a formal mathematical one).} \subsubsection{ It should be easy to use, ideally
A modified form of constraint diagram (an extension of Euler diagrams) has been developed to support the FMMD methodology. using a graphical syntax (as oppossed to a formal mathematical one).}
A modified form of constraint diagram (an extension of Euler diagrams) has
been developed to support the FMMD methodology.
This uses Euler circles to represent failure modes, and spiders to collect symptoms, to This uses Euler circles to represent failure modes, and spiders to collect symptoms, to
advance a {\fg} to a {\dc}. advance a {\fg} to a {\dc}.
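Review bot: "result in s SYSTEM level failure" in the new footnote should read "a SYSTEM level failure", and the comma in "causation trees \cite{sccs} or, minimal cut sets" belongs before "or". Typos carried over from the old text: "oppossed" ("opposed"), "The minimal cuts sets" ("minimal cut sets"), and the space in `\cite {mil1991}`. The retitled subsubsection "It should have a formal basis, data should be available to produce mathematical proofs for its results" is a comma splice; "a formal basis, that is, the data should be available ..." or two sentences.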
@ -1036,6 +1088,9 @@ are built from components performing a given task.
By breaking the problem of failure mode analysis into small stages By breaking the problem of failure mode analysis into small stages
and building a hierarchy, the problems associated with the cross products of and building a hierarchy, the problems associated with the cross products of
all failure modes within a system are reduced by an exponential order. all failure modes within a system are reduced by an exponential order.
This is because the mutliple failure modes are considered
within {\fgs} which have fewer failure modes to consider
at each FMMD stage.
Where appropriate multiple simultaneous failures can be modelled, by Where appropriate multiple simultaneous failures can be modelled, by
intoducing test~cases where the conjunction of failure modes is considered. intoducing test~cases where the conjunction of failure modes is considered.
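Review bot: "mutliple" in the added sentence should be "multiple", and "intoducing" below it ("introducing") is carried over from the old text. The claim "reduced by an exponential order" is left unquantified; the added justification (fewer failure modes per {\fg} at each stage) supports the narrower statement that the number of failure mode combinations considered at each stage is bounded by the size of the {\fg} rather than by the whole system, so state the bound in those terms instead of as an unspecified exponential.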
@ -1107,16 +1162,22 @@ An UML diagram with inhibit conditions added is shown in figure \ref{fig:umlconc
\subsection{Advantages of FMMD Methodology} \subsection{Advantages of FMMD Methodology}
\begin{itemize} \begin{itemize}
\item It can be checked automatically that all component failure modes have been considered in the model. \item It can be checked automatically that all component failure modes have
\item Because we are modelling with failure modes the {\fgs} and {\dcs} these can be generic, i.e. mechanical, electronic or software components. been considered in the model. Should a failure mode have been missed
the data model can be searched and the unhandled failure modes flagged to the design engineer.
\item Because we are modelling with failure modes the {\fgs} and {\dcs} these can be generic,
i.e. mechanical, electronic or software components.
\item The {\dcs} are re-usable, in that commonly used modules can be re-used in other designs/projects. \item The {\dcs} are re-usable, in that commonly used modules can be re-used in other designs/projects.
\item It will have a formal basis, that is to say, it is able to produce mathematical proofs \item It will have a formal basis, that is to say,
for its results (MTTF and the cause trees for SYSTEM level faults). we have the data at hand to produce meaningful
results (MTTF and the cause trees for SYSTEM level faults).
\item Overall reliability and danger evaluation statistics can be computed. \item Overall reliability and danger evaluation statistics can be computed.
By knowing all causation trees, By knowing all causation trees,
the statistical probabilities (from base component data) for all causes can be simply added. the statistical probabilities (from base component data) for all causes can be simply added.
\item A graphical representation based on Euler diagrams is used. Providing an interface that does not involve \item A graphical representation based on Euler diagrams is used.
formal mathematical notation. This is intended to be user friendly and to guide the user through the FMMD process This provides an interface that does not involve
formal mathematical/symbolic notation.
This is intended to be user friendly and to guide the user through the FMMD process
while applying automatic checks for unhandled conditions. while applying automatic checks for unhandled conditions.
\item From the top down the failure mode model will follow a logical de-composition of the functionality; by \item From the top down the failure mode model will follow a logical de-composition of the functionality; by
chosing {\fg}s and working bottom-up this hierarchical trait will occur as a natural consequence. chosing {\fg}s and working bottom-up this hierarchical trait will occur as a natural consequence.
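Review bot: the fourth item still opens "It will have a formal basis, that is to say," but its justification has been changed from "mathematical proofs" to "we have the data at hand to produce meaningful results", so "formal basis" is no longer explained by the item; either keep the proof claim here, consistently with the subsubsection "It should have a formal basis ..." earlier in this commit, or reword the item to claim traceability of results. "chosing" in the last item should be "choosing".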