robin/Robin_PHD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Mums proof reading from the weekend

Browse Source
This commit is contained in:
Robin Clark 2010-09-27 20:43:01 +01:00
parent 459d924cae
commit 3e3ec9a563
9 changed files with 63 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
component_failure_modes_definition/component_failure_modes_definition.tex
View File

@ -32,11 +32,11 @@ Mathematical constraints and definitions are made using set theory.
\section{Introduction} \section{Introduction}
This chapter describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method. This chapter describes the data types and concepts for the Failure Mode Modular De-composition (FMMD) method.
When analysing a safety critical system using When analysing a safety critical system using
this technique, we need clearly defined failure modes for this methodology, we need clearly defined failure modes for
all the components that are used to model the system. all the components that are used to model the system.
In our model we have a constraint that In our model, we have a constraint that
the component failure modes must be mutually exclusive. the component failure modes must be mutually exclusive.
When this constraint is complied with we can use the FMMD method to When this constraint is complied with, we can use the FMMD method to
build hierarchical bottom-up models of failure mode behaviour. build hierarchical bottom-up models of failure mode behaviour.
%This and the definition of a component are %This and the definition of a component are
%described in this chapter. %described in this chapter.
@ -62,8 +62,8 @@ build hierarchical bottom-up models of failure mode behaviour.
\label{fig:component} \label{fig:component}
\end{figure} \end{figure}
Let us first define a component. This is anything which we use to build a Let us first define a component. This is anything with which we use to build a
product or system with. product or system.
It could be something quite complicated It could be something quite complicated
like an integrated microcontroller, or quite simple like the humble resistor. like an integrated microcontroller, or quite simple like the humble resistor.
We can define a We can define a
@ -136,7 +136,7 @@ to see how they could be caused. Some apply statistical techniques to
determine the likelihood of component failures determine the likelihood of component failures
causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its inverse, causing specific system level errors. For example, Bayes theorem \ref{bayes}, the relation between a conditional probability and its inverse,
can be applied to specific failure modes in components and the probability of them causing given system level errors. can be applied to specific failure modes in components and the probability of them causing given system level errors.
Another top down technique is to apply cost benefit analysis Another top down methodology is to apply cost benefit analysis
to determine which faults are the highest priority to fix\cite{bfmea}. to determine which faults are the highest priority to fix\cite{bfmea}.
The aim of FMMD analysis is to produce complete failure The aim of FMMD analysis is to produce complete failure
models of safety critical systems from the bottom-up, models of safety critical systems from the bottom-up,
@ -198,8 +198,9 @@ and creates a new {\dc} from it.
%must consider all the failure modes of the components in the functional %must consider all the failure modes of the components in the functional
%group. %group.
The newly created {\dc} requires a set of failure modes of its own. The newly created {\dc} requires a set of failure modes of its own.
These failure modes are the failure mode behaviour of the {\fg} that it was derived from. These failure modes are the failure mode behaviour of the {\fg} from which it was derived.
Because these new failure modes were derived from a {\fg} we can call %
Because these new failure modes were derived from a {\fg}, we can call
these `derived~failure~modes'. these `derived~failure~modes'.
%It then creates a new derived~component object, and associates it to this new set of derived~failure~modes. %It then creates a new derived~component object, and associates it to this new set of derived~failure~modes.
We thus have a `new' component, or system building block, but with a known and traceable We thus have a `new' component, or system building block, but with a known and traceable
@ -309,8 +310,8 @@ fm : \mathcal{FG} \rightarrow \mathcal{F}
\paragraph{Design Descision/Constraint} \paragraph{Design Descision/Constraint}
An important factor in defining a set of failure modes is that they An important factor in defining a set of failure modes is that they
should be represent the failure modes as simply and minimally as possible. should represent the failure modes as simply and minimally as possible.
It should not be possible, for instance for It should not be possible, for instance, for
a component to have two or more failure modes active at once. a component to have two or more failure modes active at once.
Were this to be the case, we would have to consider additional combinations of Were this to be the case, we would have to consider additional combinations of
failure modes within the component. failure modes within the component.
@ -348,7 +349,7 @@ An example of a component with an obvious set of ``unitary~state'' failure mode
Electrical resistors can fail by going OPEN or SHORTED. Electrical resistors can fail by going OPEN or SHORTED.
For a given resistor R we can apply the For a given resistor R we can apply the
the function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $. function $fm$ to find its set of failure modes thus $ fm(R) = \{R_{SHORTED}, R_{OPEN}\} $.
A resistor cannot fail with both conditions open and short active at the same time! The conditions A resistor cannot fail with both conditions open and short active at the same time! The conditions
OPEN and SHORT are thus mutually exclusive. OPEN and SHORT are thus mutually exclusive.
Because of this, the failure mode set $F=fm(R)$ is `unitary~state'. Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
@ -356,13 +357,13 @@ Because of this, the failure mode set $F=fm(R)$ is `unitary~state'.
Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist. Thus because both fault modes cannot be active at the same time, the intersection of $ R_{SHORTED} $ and $ R_{OPEN} $ cannot exist.
The intersection of these is therefore the empty set, $$ R_{SHORTED} \cap R_{OPEN} = \emptyset $$, The intersection of these is therefore the empty set, $ R_{SHORTED} \cap R_{OPEN} = \emptyset $,
therefore therefore
$ fm(R) \in \mathcal{U} $. $ fm(R) \in \mathcal{U} $.
We can make this a general case by taking a set $F$ (where $f_1, f_2 \in F$) representing a collection We can make this a general case by taking a set $F$ (with $f_1, f_2 \in F$) representing a collection
of component failure modes. of component failure modes.
We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns We can define a boolean function {\ensuremath{\mathcal{ACTIVE}}} that returns
whether a fault mode is active (true) or dormant (false). whether a fault mode is active (true) or dormant (false).
@ -394,7 +395,7 @@ All components must have unitary state failure modes to be used with the FMMD me
Where a complex component is used, for instance a microcontroller Where a complex component is used, for instance a microcontroller
with several modules that could all fail simultaneously, a process with several modules that could all fail simultaneously, a process
of reduction into smaller theoretical components will have to be made of reduction into smaller theoretical components will have to be made
\footnote{A modern microcontroller will typically have several modules, which are configurged to operate on \footnote{A modern microcontroller will typically have several modules, which are configured to operate on
pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs, pre-assigned pins on the device. Typically voltage inputs (\adcten / \adctw), digital input and outputs,
PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers \cite{pic18f2523}}. PWM (pulse width modulation), UARTs and other modules will be found on simple cheap microcontrollers \cite{pic18f2523}}.
For instance the voltage reading functions which consist For instance the voltage reading functions which consist

4
eulerg/eulerg.tex
View File

@ -164,7 +164,7 @@ As the relationships {\em enclosure} and {\em pair-wise intersection} are mutual
and {\em enclosure} is transitive and {\em pair-wise intersection} is not, we can represent and {\em enclosure} is transitive and {\em pair-wise intersection} is not, we can represent
an {\em enclosure} relationship as a directed vertice and an {\em enclosure} relationship as a directed vertice and
{\pic} as non-directed on the same graph. {\pic} as non-directed on the same graph.
Figures \ref{fig:eulerg1} and \ref{fig:eulerg_enc} show euler diagrams with corresponding Figures \ref{fig:eulerg1} and \ref{fig:eulerg_enc} show Euler diagrams with corresponding
graphs. The next section will introduce the concept of a {\pic} graphs. The next section will introduce the concept of a {\pic}
and will present graphs where both enclosure and pair-wise and will present graphs where both enclosure and pair-wise
intersection are represented on the same graph. intersection are represented on the same graph.
@ -310,7 +310,7 @@ that are not, or would not become members of the {\pic} $P$.
\end{definition} \end{definition}
That is to say, the the number of zones within a {\pic} is not affected by changes in the diagram That is to say, the the number of zones within a {\pic} is not affected by changes in the diagram
that do not alter the {\pic}. that do not alter the {\pic}.
This allows us to analyses {\pic}s separately, thus reducing the $2^N$ overhead of analysing an Euler diagram for available zones. This allows us to analyse {\pic}s separately, thus reducing the $2^N$ overhead of analysing an Euler diagram for available zones.
\pagebreak[3] \pagebreak[3]
\subsection{Available Zone Searching} \subsection{Available Zone Searching}

34
fmmd_concept/fmmd_concept.tex
View File

@ -28,7 +28,7 @@ The Failure Mode Modular De-composition
(FMMD) methodology presented here provides a more detailed and analytical (FMMD) methodology presented here provides a more detailed and analytical
modelling system from which modelling system from which
the data models from FTA, FMEA and the statistical approach can be the data models from FTA, FMEA and the statistical approach can be
derived from. derived.
It also applies analysis stages to the failure mode analysis process It also applies analysis stages to the failure mode analysis process
ensuring that all component failure modes must be considered in the model. ensuring that all component failure modes must be considered in the model.
@ -40,7 +40,7 @@ paper
{ {
chapter chapter
} }
presents a bottom up modular technique, a variant of FMEA, where instead of looking presents a bottom up modular methodology, a extension and refinement of FMEA, where instead of looking
at individual component failure modes and deciding on their impact on the SYSTEM at individual component failure modes and deciding on their impact on the SYSTEM
it uses the component failure modes, to build modules or derived components. it uses the component failure modes, to build modules or derived components.
This methodology has been named Failure Mode Modular De-composition (FMMD) This methodology has been named Failure Mode Modular De-composition (FMMD)
@ -77,8 +77,8 @@ This places a burden of taking individual component failure modes
and trying to determine what affects this will have at SYSTEM level. and trying to determine what affects this will have at SYSTEM level.
Justifications for this methodology are often statistical and Bayes Theorem \cite{probstat} Justifications for this methodology are often statistical and Bayes Theorem \cite{probstat}
is often cited. is often cited.
This lacks precision, or in order words, determinability prediction accuracy, This lacks precision, or in other words, determinability prediction accuracy,
as often the compoinent failure mode cannt be proven to cause a SYSTEM level failure, only to make it more likely. as often the component failure mode cannt be proven to cause a SYSTEM level failure, only to make it more likely.
Also, it can miss combinations of failure modes that will cause SYSTEM level errors. Also, it can miss combinations of failure modes that will cause SYSTEM level errors.
\subsection { Statistical Analyis } \subsection { Statistical Analyis }
@ -86,16 +86,16 @@ Also, it can miss combinations of failure modes that will cause SYSTEM level err
This uses MTFF and other statisical models to determine the probability of This uses MTFF and other statisical models to determine the probability of
failures occurring. A component failure mode, given its MTTF failures occurring. A component failure mode, given its MTTF
the probability oif detecting the fault and its safety safety relevant validation time $\tau$, the probability of detecting the fault and its safety relevant validation time $\tau$,
contributes a simple risk factor that is summed contributes a simple risk factor that is summed
in to give a final risk result. Thus a statistical in to give a final risk result. Thus a statistical
model can be implemented on a spreadsheet, where each component model can be implemented on a spreadsheet, where each component
has a calculated risk, and estimated risk importance has a calculated risk, and estimated risk importance
and these are all summed to give the final asssement figure. and these are all summed to give the final assement figure.
The Statistical Analysis method is used from two perspectives, The Statistical Analysis method is used from two perspectives,
Probability of Failure on Demand (PFD), and Probability of Failure Probability of Failure on Demand (PFD), and Probability of Failure
in contiuous Operation, Failure in Time (FIT) and measured in failures per billion ($10^9$) hours of operation. in continuous Operation, Failure in Time (FIT) and measured in failures per billion ($10^9$) hours of operation.
For instance with the anti-lock system on a automobile braking For instance with the anti-lock system on a automobile braking
system, we would be interested in PFD. system, we would be interested in PFD.
For a continuously running nuclear powerstation For a continuously running nuclear powerstation
@ -106,7 +106,7 @@ lack of determinability prediction accuracy, as FMEA above.
By this we may have the MTTF of some critical component failure By this we may have the MTTF of some critical component failure
modes, but we can only guess, in most cases what the safety case outcome modes, but we can only guess, in most cases what the safety case outcome
will be if it occurrs. will be if it occurs.
This leads to having components within a SYSTEM partitioned into different This leads to having components within a SYSTEM partitioned into different
safety level zones \cite{en61508}. This is a vague way of determining safety level zones \cite{en61508}. This is a vague way of determining
@ -123,7 +123,7 @@ of the Safety Integrity Levels (SIL) of EN61508 \cite{en61508}.
\item All component failure modes must be considered in the model. \item All component failure modes must be considered in the model.
\item It should be easy to integrate mechanical, electronic and software models. \item It should be easy to integrate mechanical, electronic and software models.
\item It should be re-usable, in that commonly used modules can be re-used in other designs/projects. \item It should be re-usable, in that commonly used modules can be re-used in other designs/projects.
\item It should have a formal babsis, that is to say it should be able to produce mathematical proofs \item It should have a formal basis, that is to say, it should be able to produce mathematical proofs
for its results. for its results.
\item It should be capable of producing reliability and danger evaluation statistics. \item It should be capable of producing reliability and danger evaluation statistics.
\item It should be easy to use. \item It should be easy to use.
@ -150,11 +150,11 @@ An industrial burner is a nice example of a safety critical system.
It has some lethal risks and some environmental. It has some lethal risks and some environmental.
It could, by igniting an explosive mixture, cause an explosion. It could, by igniting an explosive mixture, cause an explosion.
By burning incorrect proportions of fuel and air, it could be ineffecient and waste By burning incorrect proportions of fuel and air, it could be ineffecient and waste
resources, or worse could cause poisinous burning (typically carbon monoxide, but also resources, or worse could cause poisonous burning (typically carbon monoxide, but also
where flame temperature is very high, can produce NOX emmissions) where flame temperature is very high, can produce NOX emmissions).
To prevent igniting an explosive mixture, air is pumped though the furnace To prevent igniting an explosive mixture, air is pumped though the furnace
chanber on start-up, and this is verified with an air pressure switch. chamber on start-up, and this is verified with an air pressure switch.
NEED A DIAGRAM HERE NEED A DIAGRAM HERE
@ -177,7 +177,7 @@ The flame scanner is thus a two resistor voltage divider.
\subsection{The Flame Scanner} \subsection{The Flame Scanner}
\subsubsection{Macro FTA perspective} \subsubsection{Macro FTA perspective}
SHOW ALL TOP LEVEL FAULTS. EXPLOSION, POISINOUS BURNING CO, POISINOUS BURNING NOX, FAILS TO LIGHT etc SHOW ALL TOP LEVEL FAULTS. EXPLOSION, POISONOUS BURNING CO, POISONOUS BURNING NOX, FAILS TO LIGHT etc
Follow the explosion tree down to flame scanner fails ON, and OFF Follow the explosion tree down to flame scanner fails ON, and OFF
@ -188,12 +188,12 @@ Each of the resistors is considered critical, in the statistical case, and so th
is added inot the DANGEROUS section. is added inot the DANGEROUS section.
For FMEA the resistor failures add up to the SYSTEM level, show this is inappropriate For FMEA the resistor failures add up to the SYSTEM level, show this is inappropriate
and makes several jumps in applied knowledge, thus bayes theorem etc and makes several jumps in applied knowledge, thus Bayes theorem etc
\subsubsection{Micro FMMD perspective} \subsubsection{Micro FMMD perspective}
Here show how the flame scanner becomes a black box, or component in itsself. Here show how the flame scanner becomes a black box, or component in itself.
How it is now available to be integrated into higher level designs. How it is now available to be integrated into higher level designs.
%and then an ignition position is checked. %and then an ignition position is checked.
@ -217,8 +217,8 @@ air pressure sensor
\section{Base Level Components} \section{Base Level Components}
A common factor with all safety critical systems, is A common factor with all safety critical systems, is
the bought in components. Be these base level -or- bought in components. Be these
electrical, mechanical or firmware, they all electrical, mechanical or firmware, they should all
have known failure modes. have known failure modes.
\subsection { Failure modes defining the component} \subsection { Failure modes defining the component}

15
fmmdset/fmmdset.tex
View File

@ -7,7 +7,7 @@
\begin{abstract} \begin{abstract}
This paper describes a process for analysing safety critical systems, to formally prove how safe the This paper describes a process for analysing safety critical systems, to formally prove how safe the
designs and built -in safety measures are. It provides designs and built -in safety measures are. It provides
the rigourous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes. the rigorous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes.
Using symptom extraction, and taking {\fgs} of components, a fault behaviour Using symptom extraction, and taking {\fgs} of components, a fault behaviour
hierarchy is built, forming a fault model tree. hierarchy is built, forming a fault model tree.
From the fault model trees, From the fault model trees,
@ -21,7 +21,7 @@ EN298, EN61508, EN12067, EN230, UL1998.
{ {
This chapter describes a process for analysing safety critical systems, to formally prove how safe the This chapter describes a process for analysing safety critical systems, to formally prove how safe the
designs and built -in safety measures are. It provides designs and built -in safety measures are. It provides
the rigourous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes. the rigorous method for creating a fault effects model of a system from the bottom up using {\bc} level fault modes.
Using symptom extraction, and taking {\fgs} of components, a fault behaviour Using symptom extraction, and taking {\fgs} of components, a fault behaviour
hierarchy is built, forming a fault model tree. hierarchy is built, forming a fault model tree.
From the fault model trees, From the fault model trees,
@ -41,8 +41,7 @@ EN298, EN61508, EN12067, EN230, UL1998.
The purpose of the FMMD methodology is to apply formal techniques to The purpose of the FMMD methodology is to apply formal techniques to
the assessment of safety critical designs, aiding in identifying detected and undetected faults the assessment of safety critical designs, aiding in identifying detected and undetected faults
\footnote{Undetectable faults \footnote{Undetectable faults are faults which may occur but are not self~detected, or are impossible to detect by the system.}.
are faults which may occur but are not self~detected, or are impossible to detect by the system.}.
Formal methods are just beginning to be specified in some safety standards.\footnote{Formal methods Formal methods are just beginning to be specified in some safety standards.\footnote{Formal methods
such as the Z notation appear as `highly recommended' techniques in the EN61508 standard\cite{en61508}, but such as the Z notation appear as `highly recommended' techniques in the EN61508 standard\cite{en61508}, but
apply only to software currently.} However, some standards are now implying the handling of apply only to software currently.} However, some standards are now implying the handling of
@ -73,7 +72,7 @@ The statistical method
requires additional Mean Time To Failure (MTTF) data for all part failure modes. requires additional Mean Time To Failure (MTTF) data for all part failure modes.
The FMMD methodology applies defined stages and processes that will The FMMD methodology applies defined stages and processes that will
create a modular fault mode hierarchy. From this create a modular fault mode hierarchy. From this,
complete fault analysis trees can be determined. It uses a modular approach, so that repeated sections complete fault analysis trees can be determined. It uses a modular approach, so that repeated sections
of system design can be modelled once, and re-used. of system design can be modelled once, and re-used.
%formally prove safety critical %formally prove safety critical
@ -107,7 +106,7 @@ components that interact and naturally form {\fgs}. The initial {\fgs} are thus
From the point of view of fault analysis, we are not interested in the components themselves, but in the ways in which they can fail. From the point of view of fault analysis, we are not interested in the components themselves, but in the ways in which they can fail.
For this study a {\fg} will mean a collection of components. For this study a {\fg} will mean a collection of components.
In order to determine the symptoms or failure modes of a {\fg} In order to determine the symptoms or failure modes of a {\fg},
we need to consider all failure modes of its components. we need to consider all failure modes of its components.
By analysing the fault behaviour of a `{\fg}' with respect these failure modes By analysing the fault behaviour of a `{\fg}' with respect these failure modes
we can derive a new set of possible failure modes. we can derive a new set of possible failure modes.
@ -294,7 +293,7 @@ In FTA\cite{nucfta}\cite{nasafta} terminology, these paths through the tree are
A hierarchy of levels of faults becoming more abstract at each level should A hierarchy of levels of faults becoming more abstract at each level should
converge to a small sub-set of system level errors. converge to a small sub-set of system level errors.
This thinning out of the number of system level errors is borne out in practise; This thinning out of the number of system level errors is borne out in practice;
real time control systems often have a small number of major reportable faults (typically $ < 50$), real time control systems often have a small number of major reportable faults (typically $ < 50$),
even though they may have accompanying diagnostic data. even though they may have accompanying diagnostic data.
@ -541,7 +540,7 @@ simply be given a different index number and re-used.
It is common in safety critical systems to use redundancy. It is common in safety critical systems to use redundancy.
Two or sometimes three control systems will be assigned to the same process. Two or sometimes three control systems will be assigned to the same process.
An arbittration system, the arbiter, will decide which channel may control An arbitration system, the arbiter, will decide which channel may control
the equipment. the equipment.
Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy. Where a system has several independent parallel control channels, each one can be a separate FMMD hierarchy.

8
symptom_ex_process/algorithm.tex
View File

@ -290,7 +290,7 @@ the test case failure modes will cause.
In the case of a simple In the case of a simple
electronic circuit, we could calculate the effect on voltages electronic circuit, we could calculate the effect on voltages
within the circuit given certain component failure modes, for instance. within the circuit given certain component failure modes, for instance.
The affect of these unusual volatges would then be a failure The affect of these unusual voltages would then be a failure
mode of the functional group and become the result of the test case. mode of the functional group and become the result of the test case.
When each test case has been analysed, we have a set of When each test case has been analysed, we have a set of
results. These are the failure modes of the functional group. results. These are the failure modes of the functional group.
@ -460,7 +460,7 @@ $$ \bowtie: \mathcal{FG} \rightarrow \mathcal{DC} $$
\end{algorithmic} \end{algorithmic}
\end{algorithm} \end{algorithm}
The symptom abstraction technique allows us to take a functional group of components, The symptom abstraction methodology allows us to take a functional group of components,
analyse the failure analyse the failure
mode behaviour and create a new entity, a derived~component, that has its own set of failure modes. mode behaviour and create a new entity, a derived~component, that has its own set of failure modes.
The checks and constraints applied in the algorithm ensure that all component failure The checks and constraints applied in the algorithm ensure that all component failure
@ -475,7 +475,7 @@ as the hierarchy progresses upwards.
%This is seen by casual observation of real life Systems. NEED A GOOD REF HERE %This is seen by casual observation of real life Systems. NEED A GOOD REF HERE
At the highest levels the number of faults At the highest levels the number of faults
is significantly less than the sum of its component failure modes. is significantly less than the sum of its component failure modes.
A Sound system might have, for instance only four faults at its highest or System level, A sound system might have, for instance only four faults at its highest or system level,
\small \small
$$ SoundSystemFaults = \{TUNER\_FAULT, CD\_FAULT, SOUND\_OUT\_FAULT, IPOD\_FAULT\}$$ $$ SoundSystemFaults = \{TUNER\_FAULT, CD\_FAULT, SOUND\_OUT\_FAULT, IPOD\_FAULT\}$$
\normalsize \normalsize
@ -483,7 +483,7 @@ The number of causes for any of these faults is very large.
It does not matter to the user, which combination of component failure~modes caused the fault. It does not matter to the user, which combination of component failure~modes caused the fault.
But as the hierarchy goes up in abstraction level, the number of faults goes down. But as the hierarchy goes up in abstraction level, the number of faults goes down.
\subsection{Tracable Fault Modes} \subsection{Traceable Fault Modes}
Because the fault modes are determined from the bottom-up, the causes Because the fault modes are determined from the bottom-up, the causes
for all high level faults naturally form trees. for all high level faults naturally form trees.

2
symptom_ex_process/introduction.tex
View File

@ -7,7 +7,7 @@ and then determining how that {\fg} can fail.
% %
With this information, we can treat the {\fg} With this information, we can treat the {\fg}
as a component in its own right. as a component in its own right.
This new component, is a derived from the {\fg}. This new component, is derived from the {\fg}.
In the field of safety engineering this derived component corresponds to a low~level sub-system. In the field of safety engineering this derived component corresponds to a low~level sub-system.
%The technique uses a graphical notation, based on Euler\cite{eulerviz} and Constraint diagrams\cite{constraint} to model failure modes and failure mode common symptom collection. The technique is designed for making building blocks for a hierarchical fault model. %The technique uses a graphical notation, based on Euler\cite{eulerviz} and Constraint diagrams\cite{constraint} to model failure modes and failure mode common symptom collection. The technique is designed for making building blocks for a hierarchical fault model.
% %

8
symptom_ex_process/process.tex
View File

@ -191,13 +191,13 @@ $c\_2$ & $fs\_7$ & $g_{7}$ & SP2\\ \hline
Table~\ref{tab:fexsymptoms} shows the analysis process. Table~\ref{tab:fexsymptoms} shows the analysis process.
As we are only looking at single fault possibilities for this example each test case As we are only looking at single fault possibilities for this example each test case
is represented by one failure mode. is represented by one failure mode.
Chosen combinations of Component failure modes become test cases\footnote{The test case stage is necessary because for more complex analysis we have to consider the effects of combinations of component failure modes}. Chosen combinations of component failure modes become test cases\footnote{The test case stage is necessary because for more complex analysis we have to consider the effects of combinations of component failure modes.}.
The test cases are analysed w.r.t. the functional~group. The test cases are analysed w.r.t. the functional~group.
These become functional~group~failure~modes ($g$'s). These become functional~group~failure~modes ($g$'s).
The functional~group~failure~modes are how the functional group fails for the test~case, rather than how the components failed. The functional~group~failure~modes are how the functional group fails for the test~case, rather than how the components failed.
For the sake of example, let us consider the fault symptoms of the {\fg} $FG$ to be $\{g_2, g_4, g_5\}$ For the sake of example, let us consider the fault symptoms of the {\fg} $FG$ to be $\{g_2, g_4, g_5\}$
As failure modes, these As failure modes, these are
identical from the perspective of the functional~group. identical from the perspective of the functional~group.
That is to say, the way in which functional~group fails if $g_2$, $g_4$ or $g_5$ % failure modes That is to say, the way in which functional~group fails if $g_2$, $g_4$ or $g_5$ % failure modes
occur, is going to be the same. occur, is going to be the same.
@ -234,7 +234,7 @@ We can thus apply the function $fm$ on this newly derived component thus:
$$ fm(DC) = \{ SP1, SP2, SP3 \} $$ $$ fm(DC) = \{ SP1, SP2, SP3 \} $$
Note that $g_6$ has \textbf{not dissappeared from the analysis process}. Note that $g_6$ has \textbf{not disappeared from the analysis process}.
Were the designer to have overlooked this test case, it would appear as a failure mode of the derived component. Were the designer to have overlooked this test case, it would appear as a failure mode of the derived component.
i.e. were it not to have been grouped in $SP3$, $ fm(DC)$ would have been $ \{ SP1, SP2, g_6 \}$. i.e. were it not to have been grouped in $SP3$, $ fm(DC)$ would have been $ \{ SP1, SP2, g_6 \}$.
Because the process can be computerised, we can easily flag symptoms that have not been Because the process can be computerised, we can easily flag symptoms that have not been
@ -253,7 +253,7 @@ from base level components cannot be overlooked.
The process must not allow failure modes to be ignored or forgotten (see project aims in section \ref{requirements}). The process must not allow failure modes to be ignored or forgotten (see project aims in section \ref{requirements}).
} }
% %
The newly derived component $DC$ is availble for use to form higher level functional groups, and we can thus The newly derived component $DC$ is available for use to form higher level functional groups, and we can thus
consider DC as being in the set of components i.e. $DC \in \mathcal{C}$ consider DC as being in the set of components i.e. $DC \in \mathcal{C}$
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

6
symptom_ex_process/sys_abs.tex
View File

@ -1,3 +1,9 @@
%%
%%
%% OBSOLETE DO NOT EDIT
%%
%%
%%
\section{The Symptom Extraction Process} \section{The Symptom Extraction Process}
% TO DO: separate these two: % TO DO: separate these two:

14
symptom_ex_process/topbot.tex
View File

@ -3,20 +3,20 @@
\subsection{Static Analysis} \subsection{Static Analysis}
In the field of safety critical engineering; to comply with In the field of safety critical engineering, to comply with
European Law a product must be certified under the appropriate `EN' standard. European Law, a product must be certified under the appropriate `EN' standard.
Typically environmental stress, EMC, electrical stressing, endurance tests, Typically environmental stress, EMC, electrical stressing, endurance tests,
software~inspections and project~management quality reviews are applied \cite{sccs}. software~inspections and project~management quality reviews are applied \cite{sccs}.
Static testing is also applied. This is theoretical analysis of the design of the product from the safety Static testing is also applied. This is theoretical analysis of the design of the product from the safety
perspective. perspective.
Three main techniques are currently used, Three main methodologies are currently used,
Statistical failure models, FMEA (Failure mode Effects Analysis) and FTA (Fault Tree Analysis). Statistical failure models, FMEA (Failure mode Effects Analysis) and FTA (Fault Tree Analysis).
The FMMD technique is a static modelling methodology, aimed primarily as design verification for The FMMD process is a static modelling methodology, aimed primarily as design verification for
safety critical systems. safety critical systems.
However, FMMD also provides the mathematical framework However, FMMD also provides the mathematical framework
to assist in the production of the three traditional methods of static analysis. to assist in the production of the three traditional methods of static analysis.
From the model created by the FMMD technique, statistical, FTA and FMEA models From the model created by the FMMD methodology, statistical, FTA and FMEA models
can be derived. can be derived.
FMMD can model electrical, mechanical and software using a common notation, FMMD can model electrical, mechanical and software using a common notation,
and can thus model an entire electro mechanical software controlled system. and can thus model an entire electro mechanical software controlled system.
@ -60,7 +60,7 @@ Top down formal fault isolation/finding techniques for electronics are described
%% this study needs to use this term to keep the interested/in context. %% this study needs to use this term to keep the interested/in context.
The term `sub-system' is typically used in top down methodologies. The term `sub-system' is typically used in top down methodologies.
It has two equivalents in FMMD. It has two equivalents in FMMD.
Both {\fg} and {\dc} correspond to the top doiwn concept of a `sub-system'. Both {\fg} and {\dc} correspond to the top down concept of a `sub-system'.
In FMMD a {\fg} becomes a {\dc} after analysis. In FMMD a {\fg} becomes a {\dc} after analysis.
The term sub-system will be used alongside both {\fg} and {\dc} where necessary. The term sub-system will be used alongside both {\fg} and {\dc} where necessary.
@ -73,7 +73,7 @@ Systems, the sub-systems themselves may be broken down into simpler sub-systems.
A top down hierarchy is shown in figure \ref{fig:tdh}. A top down hierarchy is shown in figure \ref{fig:tdh}.
\subsection{FMMD - Bottom~up Analysis} \subsection{FMMD - Bottom~up Analysis}
The FMMD technique does not follow the `natural fault finding' or top down approach, The FMMD methodology does not follow the `natural fault finding' or top down approach,
it instead works from the bottom up. it instead works from the bottom up.
Starting with a collection of base~components that form Starting with a collection of base~components that form
a simple functional group, the effect of all component error modes are a simple functional group, the effect of all component error modes are